On 15-10-21 09:06 AM, Carl Byington wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 2015-10-21 at 08:51 -0700, Spam Auditor wrote:
Sounds like the AUTH-FAIL attack, which we have seen operating on
Windows machines, e.g. mailcracker.exe.

No attempt at auth:

   <-- EHLO [2.50.185.146]
   --> 250 ...
   <-- MAIL FROM: <Randolph.Hensley@> BODY=7BIT
   --> 553 5.1.3 <Randolph.Hensley@>... Hostname required
   <-- RCPT TO:<MUNGED-ADDRESS>
   --> 503 5.0.0 Need MAIL before RCPT


Is that really the IP Address? There is no PTR record associated with that IP Address, and I would start with that. No one should allow connections from IP(s) with no rDNS configured to port 25.



I don't know if this is possible with milter, but could you set up a block
rule that logs IPs for a deny afterwards?
I.e. sort of like a greylist but with the opposite effect.

Not really worth it in this case, since the IPs are widely distributed,
and each IP only tried about 1.5 times on average.

attempts, IP address:

       1 101.59.238.59
       1 105.210.98.245
       2 106.245.190.88
       2 109.100.87.30
       2 115.78.128.20
       5 115.95.64.142
       2 118.179.227.47
       2 12.108.159.218
       2 121.137.178.101
       2 12.181.152.58
       1 12.186.177.218
       1 123.136.164.157
       2 125.16.0.198
       1 173.200.58.42
       2 181.39.249.99
       3 181.39.57.146
       1 181.64.143.233
       1 188.48.18.21
       2 196.207.233.32
       6 199.189.115.239
       2 203.167.214.38
       2 204.197.193.148
       1 2.50.139.193
       1 2.50.185.146
       1 2.50.36.149
       2 2.90.114.214
       1 37.230.78.155
       2 59.60.4.117
       1 69.18.44.161
       2 76.72.246.234
       1 80.248.199.150
       2 81.213.77.212
       1 84.78.8.198
       1 85.187.246.14
       1 89.120.95.9
       1 90.169.26.102
       1 92.247.255.127
       1 93.168.94.74
       2 94.98.193.229

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlYnt88ACgkQL6j7milTFsHfFwCfXLRycJBxSfcsgV9cbgBWUWgq
fokAn34ySdZQv/ctgxKBZIDWIWOZ4tBT
=Pzh6
-----END PGP SIGNATURE-----



_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
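The session Carl pasted has a recognisable shape: EHLO with a bare IP literal, MAIL FROM with no domain (rejected 553 5.1.3 "Hostname required"), then RCPT TO anyway (503 5.0.0 "Need MAIL before RCPT"), and no AUTH at all. The script below is an added example, not code from Carl, the list, or any milter; it groups reject lines by session, flags sessions that match that two-step signature, and then produces the same kind of per-IP tally Carl posted, plus the figure his "not worth it" judgement rests on: how many attempts a block-after-first-hit list would actually have stopped. The log lines are constructed for the example and only loosely shaped like sendmail reject entries; the exact field layout (`sm-mta[pid]: queueid: ... relay=[ip], reject=code text`) is an assumption, so adjust `LINE_RE` to your MTA's format.

```python
"""Tally sessions matching the AUTH-FAIL style pattern from the thread:
MAIL FROM with no domain (553 5.1.3 Hostname required) followed by
RCPT TO anyway (503 5.0.0 Need MAIL before RCPT), with no AUTH attempt."""

import re
from collections import Counter, defaultdict

# Constructed sample lines, loosely shaped like sendmail reject entries. The
# field layout is an assumption made for this example, not the poster's logs.
SAMPLE_LOG = """\
Oct 21 08:51:02 mx sm-mta[4011]: t9LFp2aa004011: ruleset=check_mail, arg1=<Randolph.Hensley@>, relay=[2.50.185.146], reject=553 5.1.3 <Randolph.Hensley@>... Hostname required
Oct 21 08:51:02 mx sm-mta[4011]: t9LFp2aa004011: ruleset=check_rcpt, arg1=<user@example.net>, relay=[2.50.185.146], reject=503 5.0.0 Need MAIL before RCPT
Oct 21 08:53:10 mx sm-mta[4019]: t9LFrAbb004019: ruleset=check_mail, arg1=<Abel.Mendez@>, relay=[115.95.64.142], reject=553 5.1.3 <Abel.Mendez@>... Hostname required
Oct 21 08:53:10 mx sm-mta[4019]: t9LFrAbb004019: ruleset=check_rcpt, arg1=<user@example.net>, relay=[115.95.64.142], reject=503 5.0.0 Need MAIL before RCPT
Oct 21 09:02:44 mx sm-mta[4027]: t9LG2icc004027: ruleset=check_mail, arg1=<Abel.Mendez@>, relay=[115.95.64.142], reject=553 5.1.3 <Abel.Mendez@>... Hostname required
Oct 21 09:02:44 mx sm-mta[4027]: t9LG2icc004027: ruleset=check_rcpt, arg1=<user@example.net>, relay=[115.95.64.142], reject=503 5.0.0 Need MAIL before RCPT
Oct 21 09:05:30 mx sm-mta[4030]: t9LG5Udd004030: ruleset=check_mail, arg1=<bounce@>, relay=[199.189.115.239], reject=553 5.1.3 <bounce@>... Hostname required
Oct 21 09:10:01 mx sm-mta[4033]: t9LGA1ee004033: from=<news@example.org>, size=2048, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
"""

# Pull out the queue id (one per SMTP session), the client IP, and any reject.
LINE_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>\w+): .*?relay=(?:[\w.-]+ )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
    r"(?:, reject=(?P<code>\d{3}) (?P<text>.*))?$"
)


def parse(log_text):
    """Group reject codes by session (queue id) and remember the client IP."""
    sessions = defaultdict(lambda: {"ip": None, "codes": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m.group("qid")]
        s["ip"] = m.group("ip")
        if m.group("code"):
            s["codes"].append((m.group("code"), m.group("text")))
    return sessions


def is_authfail_pattern(codes):
    """True when a 553 'Hostname required' is followed, in the same session,
    by a 503 'Need MAIL before RCPT' (the client pressed on after the reject)."""
    seen_553 = False
    for code, text in codes:
        if code == "553" and "Hostname required" in text:
            seen_553 = True
        elif code == "503" and seen_553 and "Need MAIL before RCPT" in text:
            return True
    return False


def summarize(log_text):
    """Per-IP attempt counts plus the numbers behind a block-list decision."""
    attempts = Counter()
    for s in parse(log_text).values():
        if is_authfail_pattern(s["codes"]):
            attempts[s["ip"]] += 1
    total = sum(attempts.values())
    distinct = len(attempts)
    return {
        "attempts": attempts,
        "total": total,
        "distinct_ips": distinct,
        "avg_per_ip": total / distinct if distinct else 0.0,
        # Only repeat visits could be stopped by blocking an IP after its first hit.
        "blockable": total - distinct,
    }


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print("attempts, IP address:")
    for ip, n in sorted(r["attempts"].items(), key=lambda kv: kv[0]):
        print(f"{n:8d} {ip}")
    print(f"{r['total']} attempts from {r['distinct_ips']} IPs, "
          f"{r['avg_per_ip']:.2f} per IP; a block-after-first-hit list "
          f"would have stopped {r['blockable']} of them")
```

The `bounce@` session is there on purpose: it draws the 553 but never sends RCPT, so it is not counted, which keeps the tally to clients that exhibit the full signature rather than every sender with a malformed MAIL FROM. The `blockable` figure is the practical test of the greylist-in-reverse idea from the thread: when most IPs only ever connect once, it stays near zero and the block rule buys little.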


