On Tue, Mar 24, 2020 at 10:58:14AM -0500, Al Iverson via mailop wrote:
> I'm not understanding how this intersects with spamtraps. What does
> this alert actually notify a network owner of?
> Failed SMTP auth attempt from my IP space?
> Or a failed SMTP auth attempt from someplace else TO my IP space?
> Or door #3?

Failed SMTP auth attempt to somewhere controlled by Abusix, using
credentials "apparently at" domains that are not served by any
reasonable stretch of imagination by the Abusix hosts involved.

Door #3. It has nothing to do with your IP space, and it only has
to do with bots pulling domains that belong to you to use here
out of their ...I meant to say thin air, of course.

To me, that constitutes pure noise with no signal.


--- begin forwarded report ---
From: Abusix <nore...@abusix.org>
Subject: Abusix Potentially Compromised Account Report
To: postmaster@domain

Hello,

Over the last 24 hour period our traps have detected SO AND SO MANY potentially 
compromised accounts on your domain.

Attached is a CSV file containing the username, first five characters of the 
SHA-1 hash calculated from the password that was used, the IP address that 
attempted the login and the UNIX timestamp of the attempt.

We only send notices for usernames that we have not seen previously, this is to 
reduce the amount of unnecessary noise and to hopefully increase the 
usefulness of these reports to you.

This data is collected by observing hosts abusing our traps and sending SMTP 
AUTH credentials to external domains (like yours).  Note that we do not store 
usernames and passwords, just the usernames.

We have also sent a copy of this report to the Abuse Contact(s) determined by 
looking up the IP addresses that your MX record(s) point to in our Abuse 
Contact DB, this is under the presumption that whatever service handles the 
inbound mail for your domain probably also handles the outbound mail, as a 
compromised account will potentially impact them too.

This is an experimental free service powered by Abusix Mail Intelligence and 
may be revised or terminated at any time. We're committed to help prevent and 
clean-up abuse on the internet and we're always interested in hearing your 
feedback on this service.

You can find more details and frequently asked questions about our reports here.

This data is provided under this license and is generated daily at midnight GMT.

If you'd prefer not to receive these reports, you can opt-out here.

--- end forwarded report ---

The format of the attached CSV file is as follows:

"username","pw_sha1","source_ip","timestamp","human_date"
"blah@domain","00000","127.0.0.1",1584xxxxxx,"2020-03-xxThh:mm:ss.000Z"

> 
> Regards,
> Al Iverson
> 
> -- 
> al iverson // wombatmail // chicago
> dns tools are cool! https://xnnd.com

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
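Added example, not part of the thread or of Abusix's tooling: a small Python triage script for the CSV format described above. It parses the five columns, checks that the UNIX timestamp and the human_date column agree, and then sorts each row into one of three buckets: the username does not exist locally (the bot invented an address at your domain, which is the "noise" case argued above), the 5-character SHA-1 prefix matches a common password (a credential spray rather than a leaked real password), or a real user with an unexplained prefix (worth a look). The usernames, IP addresses, prefixes and the local user list are all constructed for the example; only "5baa6" is a real value, the first five hex characters of SHA-1("password"). Note that a 5-hex-character prefix is only 20 bits, so prefix matches against a long wordlist will produce chance collisions at roughly N/2^20 per row.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample in the CSV layout quoted in the thread (header plus rows).
# Every user, prefix, address and time below is made up for this example.
SAMPLE_REPORT = """\
"username","pw_sha1","source_ip","timestamp","human_date"
"alice@example.org","5baa6","198.51.100.7",1584000000,"2020-03-12T08:00:00.000Z"
"ghost@example.org","9f8e7","203.0.113.9",1584003600,"2020-03-12T09:00:00.000Z"
"bob@example.org","1a2b3","192.0.2.5",1584007200,"2020-03-12T10:00:00.000Z"
"""

# Short constructed wordlist; a real check would use a larger spray list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

HEX = set("0123456789abcdef")


def sha1_prefix(password: str, n: int = 5) -> str:
    """First n hex characters of SHA-1(password), as the report encodes it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:n]


def parse_report(text: str) -> list:
    """Parse the report CSV into typed rows and sanity-check each one."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = int(rec["timestamp"])
        human = datetime.strptime(rec["human_date"], "%Y-%m-%dT%H:%M:%S.%fZ")
        human = human.replace(tzinfo=timezone.utc)
        # The two time columns describe the same event; disagreement means
        # the file was mangled somewhere between the trap and your inbox.
        if int(human.timestamp()) != ts:
            raise ValueError(f"timestamp mismatch for {rec['username']}")
        prefix = rec["pw_sha1"].strip().lower()
        if len(prefix) != 5 or not set(prefix) <= HEX:
            raise ValueError(f"bad pw_sha1 prefix {rec['pw_sha1']!r}")
        rows.append({
            "username": rec["username"].strip().lower(),
            "pw_sha1": prefix,
            "source_ip": rec["source_ip"].strip(),
            "timestamp": ts,
            "human_date": human,
        })
    return rows


def triage(rows: list, known_users: set, wordlist=COMMON_PASSWORDS) -> list:
    """Classify each reported row against the local user list and a wordlist.

    Returns a list of (username, verdict) tuples. Verdict strings start with
    "noise", "spray" or "investigate" so callers can filter on the prefix.
    """
    # Map prefix -> password so a match can say which word it collided with.
    common = {sha1_prefix(p): p for p in wordlist}
    verdicts = []
    for r in rows:
        if r["username"] not in known_users:
            # The bot is generating mailbox names at your domain; nothing to fix.
            verdict = "noise: no such user"
        elif r["pw_sha1"] in common:
            # 20-bit prefix match against a small list; likely a spray attempt.
            verdict = f"spray: prefix matches common password {common[r['pw_sha1']]!r}"
        else:
            verdict = "investigate: known user, prefix not explained by wordlist"
        verdicts.append((r["username"], verdict))
    return verdicts


if __name__ == "__main__":
    # Constructed local user list for the example domain.
    local_users = {"alice@example.org", "bob@example.org"}
    for user, verdict in triage(parse_report(SAMPLE_REPORT), local_users):
        print(f"{user:24} {verdict}")
```

In practice the "investigate" bucket is the only one worth a human's time: pull that user's recent SMTP AUTH sessions from the submission server logs and see whether the reported source_ip ever authenticated successfully.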
