Sorry for the noise...

Also from EHLOs of

Feb 9 09:29:13 fe1 msd[20338]: EHLO command received, args: MWHPR22MB0798.namprd22.prod.outlook.com

On 18-02-09 11:23 AM, Michael Peddemors wrote:
Two separate issues I believe...


Aggressive Valid AUTH attempts... EHLO/STARTTLS/AUTH LOGIN/QUIT

All from MWHPR01MB2336.prod.exchangelabs.com

Feb  9 10:06:09 fe1 msd[4699]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:10 fe1 msd[4709]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:11 fe1 msd[4731]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:13 fe1 msd[4770]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:13 fe1 msd[4793]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:13 fe1 msd[4813]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:14 fe1 msd[4832]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:14 fe1 msd[4842]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:14 fe1 msd[4847]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:14 fe1 msd[4849]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:16 fe1 msd[4894]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:17 fe1 msd[4905]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:19 fe1 msd[4937]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:22 fe1 msd[5013]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:23 fe1 msd[5023]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:23 fe1 msd[5025]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:24 fe1 msd[5030]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:24 fe1 msd[5034]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:24 fe1 msd[5041]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:25 fe1 msd[5044]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:25 fe1 msd[5050]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:26 fe1 msd[5070]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:27 fe1 msd[5081]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:27 fe1 msd[5082]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:28 fe1 msd[5089]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:29 fe1 msd[5101]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:29 fe1 msd[5105]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:29 fe1 msd[5108]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:30 fe1 msd[5132]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:30 fe1 msd[5155]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:31 fe1 msd[5187]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:31 fe1 msd[5193]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:31 fe1 msd[5199]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:32 fe1 msd[5226]: AUTH success: [<same_email_address>] (40.97.117.181)
Feb  9 10:06:33 fe1 msd[5240]: AUTH success: [<same_email_address>] (40.97.117.181)


On 18-02-09 11:08 AM, Brandon Long via mailop wrote:
I'm confused, the first post said valid credentials, is that what everyone else is seeing?

Nearly all valid creds seems weirder than mostly invalid... modulo whatever amount of hijacked or reused creds there are.

Brandon

On Fri, Feb 9, 2018, 10:59 AM Rich Kulawiec <r...@gsp.org> wrote:

    On Fri, Feb 09, 2018 at 09:56:43AM +0100, Dan Malm wrote:
     > I'm seeing an extreme amount of SMTP authentications (over 600/s)
    [snip]

    I wouldn't characterize what I've seen as "extreme" at any of the
    observation points I'm monitoring, but I have seen a moderate number of
    repeated attempts to authenticate against a mix of existing/non-existing
    accounts, some of which happened slowly and some of which were rapid.

    I used the past tense there because my response was to firewall
    out (what I believe to be) the relevant ranges from access to
    POP(S)/IMAP(S)/submission as applicable to various servers.

    ---rsk

    _______________________________________________
    mailop mailing list
    mailop@mailop.org <mailto:mailop@mailop.org>
    https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

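As an added example (not code from the thread, nor from LinuxMagic's msd), here is a small Python detector for the pattern Michael quotes above: it parses lines in the msd "AUTH success" shape shown and flags any (account, IP) pair that authenticates at least 10 times inside 30 seconds, which the normal-looking single login every few minutes never does. The year, the sample account names and the 192.0.2.10 address are constructed, and the window/threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the msd lines quoted in the thread, e.g.
#   Feb  9 10:06:09 fe1 msd[4699]: AUTH success: [user@example.com] (40.97.117.181)
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+msd\[\d+\]:\s+"
    r"AUTH success:\s+\[(?P<user>[^\]]+)\]\s+\((?P<ip>[\d.]+)\)\s*$"
)

def parse_auth_success(line, year=2018):
    """Return (timestamp, user, ip) for an 'AUTH success' line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (2018 is assumed here)
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_auth_bursts(lines, window=timedelta(seconds=30), threshold=10):
    """Sliding-window count of AUTH successes per (user, ip); returns
    {(user, ip): peak count} for pairs reaching `threshold` inside `window`.
    Input must be chronological per pair (syslog order is)."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_auth_success(line)
        if parsed is None:
            continue  # EHLO, QUIT, failed AUTH, etc. are not counted
        ts, user, ip = parsed
        q = recent[(user, ip)]
        q.append(ts)
        while ts - q[0] > window:  # drop logins older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(user, ip)] = max(peaks.get((user, ip), 0), len(q))
    return peaks

# Constructed sample log (not the thread's data): one mailbox hit 30 times in
# 15 seconds from one IP, plus a normal client polling every five minutes.
SAMPLE_LOG = [
    f"Feb  9 10:06:{9 + i // 2:02d} fe1 msd[{4699 + i}]: AUTH success: [victim@example.com] (40.97.117.181)"
    for i in range(30)
] + [
    f"Feb  9 10:{m:02d}:02 fe1 msd[{6000 + m}]: AUTH success: [alice@example.com] (192.0.2.10)"
    for m in (0, 5, 10, 15)
] + ["Feb  9 10:06:20 fe1 msd[4800]: EHLO command received, args: MWHPR22MB0798.namprd22.prod.outlook.com"]
```

Run `find_auth_bursts(SAMPLE_LOG)` to get `{("victim@example.com", "40.97.117.181"): 30}`; the polling client and the EHLO line produce nothing.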