Hi,

On 11 August 2024 15:20:50 UTC, "Scott Q. via mailop" <mailop@mailop.org> wrote:

>I've noticed this maybe 3-4 years ago. Could not tie it to any
>legitimate customer or application.

Yes, not real users, IPs are mostly from US (hi COMCAST), but otherwise from ~60 countries, 219 ASNs... I am more aggressive, I block them initially for 30 days and only a small number of them repeat. Unfortunately, I am able to identify them only after connection close (or at least I don't know how to reliably do it sooner). I will check if exim allows me to set a (shorter) TLS handshake timeout.

>Didn't spend much time analyzing it, but I think it's some sort of bot
>trying to do some SSL shenanigans.

Yes, that is what I am curious about, what they want to achieve, as these numbers of attempts cannot hurt at all (~600 unique IPs in 120 days, no more than two attempts per IP allowed in these days), even on spikes no more than ~30 daily... I consider (guess) it too unlikely that there are many targets using a plain connection on port 465 for it to be some random attack (the amount doesn't look like a targeted attack either), thus I guess some misconfiguration or lack of knowledge (on the author's side), as these IPs don't try to connect to ports 587 or 25 (with a really small number of exceptions).

Anyway, thanks for all responses.

regards

--
Slavko
https://www.slavino.sk/