On Tue, Mar 24, 2020 at 10:58:14AM -0500, Al Iverson via mailop wrote:
> I'm not understanding how this intersects with spamtraps. What does
> this alert actually notify a network owner of?
> Failed SMTP auth attempt from my IP space?
> Or a failed SMTP auth attempt from someplace else TO my IP space?
> Or door #3?

Failed SMTP auth attempt to somewhere controlled by Abusix, using credentials "apparently at" domains that are not served by any reasonable stretch of imagination by the Abusix hosts involved. Door #3.

It has nothing to do with your IP space, and it only has to do with bots pulling domains that belong to you to use here out of their ...I meant to say thin air, of course.

To me, that constitutes pure noise with no signal.

--- begin forwarded report ---

From: Abusix <nore...@abusix.org>
Subject: Abusix Potentially Compromised Account Report
To: postmaster@domain

Hello,

Over the last 24 hour period our traps have detected SO AND SO MANY potentially compromised accounts on your domain.

Attached is a CSV file containing the username, first five characters of the SHA-1 hash calculated from the password that was used, the IP address that attempted the login and the UNIX timestamp of the attempt.

We only send notices for usernames that we have not seen previously; this is to reduce the amount of unnecessary noise and to hopefully increase the usefulness of these reports to you.

This data is collected by observing hosts abusing our traps and sending SMTP AUTH credentials to external domains (like yours). Note that we do not store usernames and passwords, just the usernames.

We have also sent a copy of this report to the Abuse Contact(s) determined by looking up the IP addresses that your MX record(s) point to in our Abuse Contact DB; this is under the presumption that whatever service handles the inbound mail for your domain probably also handles the outbound mail, as a compromised account will potentially impact them too.

This is an experimental free service powered by Abusix Mail Intelligence and may be revised or terminated at any time. We're committed to help prevent and clean up abuse on the internet and we're always interested in hearing your feedback on this service.

You can find more details and frequently asked questions about our reports here.

This data is provided under this license and is generated daily at midnight GMT. If you'd prefer not to receive these reports, you can opt-out here.

--- end forwarded report ---

The format of the attached CSV file is as follows:

"username","pw_sha1","source_ip","timestamp","human_date"
"blah@domain","00000","127.0.0.1",1584xxxxxx,"2020-03-xxThh:mm:ss.000Z"

> Regards,
> Al Iverson
>
> --
> al iverson // wombatmail // chicago
> dns tools are cool! https://xnnd.com

--
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
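Added example, not part of the thread and not Abusix's own tooling: a small Python parser for the CSV layout quoted above that separates rows naming mailboxes the postmaster actually hosts (signal) from rows for usernames that were never issued (the noise the reply complains about), and checks the five-character SHA-1 prefix against a short list of passwords the site would never allow. The sample rows, the hosted-mailbox set and the weak-password list are all constructed for the example.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample in the CSV layout quoted in the thread (all values made up).
SAMPLE_REPORT = '''"username","pw_sha1","source_ip","timestamp","human_date"
"alice@example.net","5baa6","198.51.100.7",1585000000,"2020-03-23T21:46:40.000Z"
"qwerty@example.net","e38ad","203.0.113.9",1585003600,"2020-03-23T22:46:40.000Z"
'''

# Hypothetical: the mailboxes this postmaster actually serves.
LOCAL_MAILBOXES = {"alice@example.net", "bob@example.net"}

# Hypothetical short list of passwords the site's policy forbids.
WEAK_PASSWORDS = ["password", "letmein", "123456"]


def parse_report(text):
    """Parse the report CSV; the UNIX timestamp becomes an aware UTC datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip().lower(),
            "pw_sha1_prefix": row["pw_sha1"].strip().lower(),
            "source_ip": row["source_ip"].strip(),
            "when": datetime.fromtimestamp(int(row["timestamp"]), tz=timezone.utc),
        })
    return rows


def triage(rows, local_mailboxes):
    """Split rows into signal (a mailbox we host) and noise (a username we never issued)."""
    signal = [r for r in rows if r["username"] in local_mailboxes]
    noise = [r for r in rows if r["username"] not in local_mailboxes]
    return signal, noise


def weak_password_hits(rows, candidates):
    """(username, weak password) pairs whose reported 5-hex-char SHA-1 prefix
    matches a candidate; only a prefix is available, so a match is a hint, not proof."""
    prefixes = {hashlib.sha1(p.encode()).hexdigest()[:5]: p for p in candidates}
    return [(r["username"], prefixes[r["pw_sha1_prefix"]])
            for r in rows if r["pw_sha1_prefix"] in prefixes]


if __name__ == "__main__":
    signal, noise = triage(parse_report(SAMPLE_REPORT), LOCAL_MAILBOXES)
    print(f"{len(signal)} row(s) name hosted mailboxes, {len(noise)} are noise")
    for user, pw in weak_password_hits(signal, WEAK_PASSWORDS):
        print(f"{user}: reported hash prefix matches weak password {pw!r}")
```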