Re: [mailop] SMTP AUTH harassment

2021-07-17 Thread Jesper via mailop

On 2021-07-17 22:13, Slavko via mailop wrote:

> Please, I want to ask others if these (mostly) Brasil attempts are known
> to others too, or am I a "special" target?


I've seen it for at least 16ish years, at work and on my personal 
servers. Mostly Brazil, South Korea, Turkey and Vietnam (+honourable 
mentions to VPSes in France, Belgium, The Netherlands and USA). So no, 
you're not special :-)


/ Jesper

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] SMTP AUTH harassment

2021-07-17 Thread Slavko via mailop
Hi,

On 17 Jul 2021 20:41:14 -0400 John Levine via mailop wrote:

> It appears that Thomas Hochstein via mailop  said:

> About 12,000 here.  It's a botnet, it's not targeting you any more
> than any other random server it can find, and I don't know of any way
> to block it. You can use something like fail2ban to block individual
> IPs but it's a very large botnet.

Thanks a lot for all the answers, it helped me to understand that it is not
caused by some mistake of mine, as I always care about my own mistakes first...

> The logins are pretty random:

Now the IMAP (dovecot) attack starts again, where I see the full failed
logins log. While it seems to be a different botnet (different IP
sources/countries), I see that only one account is targeted, with
passwords (and their variations) which look known to me, but I cannot
bring to mind from where ;-) But this current attack seems to be more
massive than the previous one, as my F2B log shows twice as many IPs
blocked already (and it grows).

Ad blocklist.de: I update the IP list (ipset with timeout) hourly, adding
only new (recent) IPs from this list, and the count of added IPs is
logged. There were times when the script added about 2500 IPs hourly, now
it is adding only about 500 - 600. It doesn't help: I watch incoming SYN
packets on the router and I see only a very small number without
SYN+ACK, thus only very few IPs are blocked...

Ad fail2ban: it helps, not a lot, but it helps. I did some research before
I went to sleep yesterday, and I found why I do not know how to block
subnets in fail2ban: it was introduced in its 0.10.5 version, but in
Debian stable there is only 0.10.2. Anyway, blocking subnets will help
only a little more (see stats below).

To see where they come from I did a simple Python(3) script, which reads a
list of IPs from stdin and prints some stats based on the GeoLite2 DBs. When
I feed it with the IPs parsed from today's dovecot fail2ban log I can see:

Top 5 countries of 33:
 75  South Korea (KR)
 36  Japan (JP)
 25  Hong Kong (HK)
 20  China (CN)
 18  Taiwan (TW)

Top 5 networks of 220:
 7   117.146.0.0/16
 4   113.252.0.0/14
 4   111.240.0.0/12
 3   77.53.0.0/16
 3   219.100.37.0/24

Top 5 IPs of 257:
 2   191.177.186.129
 2   88.215.95.21
 2   219.73.72.159
 1   37.57.200.229
 1   59.8.115.197

I do not know if attachments are allowed here, thus I add it here, if
someone is interested:

import sys
from collections import Counter

import geoip2.database
import geoip2.errors

icnt = Counter()  # attempts per IP
ccnt = Counter()  # attempts per country
ncnt = Counter()  # attempts per network (prefix from the ASN DB)
total = 0
maxi = 5

with geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-Country.mmdb') as creader, \
     geoip2.database.Reader('/var/lib/GeoIP/GeoLite2-ASN.mmdb') as areader:

    for ip in sys.stdin:
        ip = ip.strip()
        if not ip:
            continue
        try:
            ctr = creader.country(ip)
            asn = areader.asn(ip)
        except geoip2.errors.AddressNotFoundError:
            # not in the DBs (private/reserved range, or not yet mapped)
            isoc = "unknown"
            netw = "unknown"
        else:
            isoc = f"{ctr.country.name} ({ctr.country.iso_code})"
            netw = str(asn.network)
        icnt[ip] += 1
        ccnt[isoc] += 1
        ncnt[netw] += 1
        total += 1

print(f"\nTop {maxi} countries of {len(ccnt)}:")
for k, v in ccnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

print(f"\nTop {maxi} networks of {len(ncnt)}:")
for k, v in ncnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

print(f"\nTop {maxi} IPs of {len(icnt)}:")
for k, v in icnt.most_common(maxi):
    print(" %-3s %s" % (v, k))

One can tweak the maxi value if they want to see more top items...

regards

-- 
Slavko
http://slavino.sk




Re: [mailop] SMTP AUTH harassment

2021-07-17 Thread Andre van Eyssen via mailop

On Sat, 17 Jul 2021, Slavko via mailop wrote:


> Please, I want to ask others if these (mostly) Brasil attempts are known to
> others too, or am I a "special" target? Some other questions come to my
> mind without answers; while perhaps nobody here will/can know the right
> answer, I will ask:


Nope, this is sadly a fact of life these days. At times there's way more 
bad auth attempts than actual mail running through one of my MXes.



> - I have used the blocklist.de IP list to block access on my router for years, but I
>   have the feeling that recently it is not as effective as before; can it be
>   related, as I did not see similar attempts before?


The fact that you're using a blocklist is probably why you're only seeing 
the distributed scattered attempts and not a roar from certain subnets. 
I've had a few /24s blocked for years now and every time I give them a 
test unblock they just start pouring brute force attempts in.


Picking one subnet from the last little while, there are attempts from:

Jul-18-21 00:24:40 [Worker_1] [TLS-out] 78.128.113.99 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 00:44:15 [Worker_1] [TLS-out] 78.128.113.75 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:09:57 [Worker_1] [TLS-out] 78.128.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:41:02 [Worker_1] [TLS-out] 78.128.113.77 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:41 [Worker_1] [TLS-out] 78.128.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:46 [Worker_1] 78.128.113.69 [SMTP Error] 521 (redacted) does not accept mail - closing transmission - too many previous AUTH errors from network 78.128.113.0


(After five attempts the /24 goes into the sin bin and all auth attempts 
are rejected.)


--
Andre van Eyssen.  Phone: +61 417 211 788
mail: an...@purplecow.org  http://andre.purplecow.org
About & Contact:  http://www.purplecow.org/andre.html
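An added example, not Andre's code, of the per-/24 policy he describes: count failed AUTHs per /24 inside a window and, once the limit (five here) is reached, refuse further attempts from that /24 until the window passes. The regex follows the 535 lines quoted above; the sample stream is constructed with TEST-NET addresses, and its last line stands for the connection the policy would refuse before AUTH.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_network

# The "535 ... Bad username or password" lines in the post's format (one physical line each).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\S+\] (?:\[TLS-out\] )?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) \[SMTP Error\] 535 "
)

def parse_ts(s):
    return datetime.strptime(s, "%b-%d-%y %H:%M:%S")

def net_of(ip):
    return str(ip_network(f"{ip}/24", strict=False))

class SubnetSinBin:
    """Per-/24 counter: after `limit` failed AUTHs inside `window` the whole /24
    is refused until the window passes. Policy only; wiring to the MTA is separate."""
    def __init__(self, limit=5, window=timedelta(hours=24)):
        self.limit, self.window = limit, window
        self.failures = {}  # /24 -> timestamps of recent failures
        self.banned = {}    # /24 -> ban expiry

    def should_reject(self, ip, now):
        """True if ip's /24 is sin-binned at `now` (checked before AUTH)."""
        net = net_of(ip)
        if net in self.banned and now < self.banned[net]:
            return True
        self.banned.pop(net, None)  # expired, or never banned
        return False

    def record_failure(self, ip, now):
        """Register a failed AUTH; True if this one trips the /24 ban."""
        net = net_of(ip)
        recent = [t for t in self.failures.get(net, []) if now - t <= self.window]
        recent.append(now)
        self.failures[net] = recent
        if len(recent) >= self.limit:
            self.banned[net] = now + self.window
            return True
        return False

def replay(log_lines, limit=5):
    """Feed failure lines through the policy; returns (ip, action) pairs with action
    'failed' (counted), 'BANNED' (tripped the /24 ban) or 'rejected' (already banned)."""
    sb, out = SubnetSinBin(limit=limit), []
    for line in log_lines:
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        ip, now = m["ip"], parse_ts(m["ts"])
        if sb.should_reject(ip, now):
            out.append((ip, "rejected"))
        elif sb.record_failure(ip, now):
            out.append((ip, "BANNED"))
        else:
            out.append((ip, "failed"))
    return out

# Constructed sample (TEST-NET addresses): five failures from 203.0.113.0/24, one from another /24, then a sixth that the policy refuses.
SAMPLE = """\
Jul-18-21 00:24:40 [Worker_1] [TLS-out] 203.0.113.99 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 00:44:15 [Worker_1] [TLS-out] 203.0.113.75 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:09:57 [Worker_1] [TLS-out] 203.0.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:20:00 [Worker_1] [TLS-out] 198.51.100.5 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:41:02 [Worker_1] [TLS-out] 203.0.113.77 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:41 [Worker_1] [TLS-out] 203.0.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:46 [Worker_1] 203.0.113.69 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
"""
```

Running `replay(SAMPLE.splitlines())` marks the sixth 203.0.113.x line as the one that trips the ban and the seventh as rejected, while the 198.51.100.5 failure is counted separately.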


Re: [mailop] SMTP AUTH harassment

2021-07-17 Thread John Levine via mailop
It appears that Thomas Hochstein via mailop  said:
>Slavko wrote:
>
>> Please, i want ask others if are these (mostly) Brasil attempts know to
>> others too or am i "special" target?
>
>Personal server here too.
>
>| root@moria # grep 'Incorrect authentication data' /var/log/exim4/mainlog.1 | wc -l
>| 1026
>
>So, a bit more than 1.000 attempts yesterday.

About 12,000 here.  It's a botnet, it's not targeting you any more than
any other random server it can find, and I don't know of any way to block it.
You can use something like fail2ban to block individual IPs but it's a very
large botnet.

The logins are pretty random:

2021-07-15 01:09:03.374311500 mailfront[97178]: Fake login rssman / abc123
2021-07-15 01:09:05.838211500 mailfront[97183]: Fake login bob_fr / qwerty
2021-07-15 01:09:06.772155500 mailfront[97191]: Fake login andrew / asdfgh
2021-07-15 01:09:07.335611500 mailfront[97194]: Fake login nnsquad / abc123456
2021-07-15 01:09:07.898144500 mailfront[97195]: Fake login rssmanagi / abc123456
2021-07-15 01:09:10.362742500 mailfront[97201]: Fake login bob_fr / asdfgh
2021-07-15 01:09:11.357415500 mailfront[97208]: Fake login andrew_ / letmein
2021-07-15 01:09:11.853999500 mailfront[97212]: Fake login nnsqua / 00
2021-07-15 01:09:12.347805500 mailfront[97215]: Fake login rssman / 00
2021-07-15 01:09:14.819537500 mailfront[97224]: Fake login bob_fra / letmein
2021-07-15 01:09:15.370713500 mailfront[97214]: Fake login tele / 7001
2021-07-15 01:09:15.924577500 mailfront[97229]: Fake login andrew / abc123
2021-07-15 01:09:16.431118500 mailfront[97235]: Fake login nnsqua / 123123
2021-07-15 01:09:16.789482500 mailfront[97236]: Fake login rssman / 123123
2021-07-15 01:09:19.228958500 mailfront[97241]: Fake login tele / 4001
2021-07-15 01:09:19.270550500 mailfront[97243]: Fake login bob_fr / abc123
2021-07-15 01:09:20.502396500 mailfront[97251]: Fake login andrew_ma / abc123456
2021-07-15 01:09:21.005099500 mailfront[97256]: Fake login nnsqua / 11
2021-07-15 01:09:21.275142500 mailfront[97258]: Fake login rssman / 11
2021-07-15 01:09:23.93500 mailfront[97267]: Fake login bob_frank / abc123456
2021-07-15 01:09:24.922478500 mailfront[97274]: Fake login andrew / 00
2021-07-15 01:09:25.596200500 mailfront[97279]: Fake login nnsqua / 22
2021-07-15 01:09:25.772230500 mailfront[97280]: Fake login rssman / 22
2021-07-15 01:09:28.488612500 mailfront[97289]: Fake login bob_fr / 00
2021-07-15 01:09:29.315868500 mailfront[97299]: Fake login andrew / 123123
2021-07-15 01:09:30.066903500 mailfront[97302]: Fake login nnsqua / 33
2021-07-15 01:09:30.179992500 mailfront[97304]: Fake login rssman / 33
2021-07-15 01:09:33.019374500 mailfront[97317]: Fake login bob_fr / 123123
2021-07-15 01:09:33.807393500 mailfront[97323]: Fake login andrew / 11
2021-07-15 01:09:34.482521500 mailfront[97328]: Fake login nnsqua / 44
2021-07-15 01:09:34.719871500 mailfront[97329]: Fake login rssman / 44
2021-07-15 01:09:37.517548500 mailfront[97336]: Fake login bob_fr / 11
2021-07-15 01:09:38.452654500 mailfront[97343]: Fake login andrew / 22
2021-07-15 01:09:39.100721500 mailfront[97346]: Fake login nnsqua / 55
2021-07-15 01:09:39.158732500 mailfront[97347]: Fake login rssman / 55
2021-07-15 01:09:42.019243500 mailfront[97356]: Fake login bob_fr / 22
2021-07-15 01:09:43.087836500 mailfront[97364]: Fake login andrew / 33
2021-07-15 01:09:43.571643500 mailfront[97367]: Fake login rssman / 66
2021-07-15 01:09:43.656882500 mailfront[97368]: Fake login nnsqua / 66
2021-07-15 01:09:46.697044500 mailfront[97375]: Fake login bob_fr / 33
2021-07-15 01:09:47.531018500 mailfront[97386]: Fake login andrew / 44
2021-07-15 01:09:48.110315500 mailfront[97390]: Fake login nnsqua / 77
2021-07-15 01:09:48.117088500 mailfront[97388]: Fake login rssman / 77
2021-07-15 01:09:51.304767500 mailfront[97397]: Fake login bob_fr / 44
2021-07-15 01:09:52.100357500 mailfront[97406]: Fake login andrew / 55
2021-07-15 01:09:52.679086500 mailfront[97407]: Fake login rssman / 88
2021-07-15 01:09:52.699856500 mailfront[97408]: Fake login nnsqua / 88
2021-07-15 01:09:55.784831500 mailfront[97416]: Fake login bob_fr / 55
2021-07-15 01:09:56.733251500 mailfront[97421]: Fake login andrew / 66
2021-07-15 01:09:57.219744500 mailfront[97422]: Fake login nnsqua / 99
2021-07-15 01:09:57.260230500 mailfront[97423]: Fake login rssman / 99
2021-07-15 01:10:00.259598500 mailfront[97429]: Fake login bob_fr / 66
2021-07-15 01:10:01.268775500 mailfront[97436]: Fake login andrew / 77
2021-07-15 01:10:01.777671500 mailfront[97438]: Fake login nnsqua / 696969
2021-07-15 01:10:01.853818500 mailfront[97437]: Fake login rssman / 696969
2021-07-15 01:10:04.698859500 mailfront[97455]: Fake login bob_fr / 77
2021-07-15 01:10:05.905906500 mailfront[97464]: Fake login andrew / 88
2021-07-15 01:10:06.302905500 mailfront[97469]: Fake login nnsqu / admin

Re: [mailop] SMTP AUTH harassment

2021-07-17 Thread Thomas Hochstein via mailop
Slavko wrote:

> Please, I want to ask others if these (mostly) Brasil attempts are known to
> others too, or am I a "special" target?

Personal server here too.

| root@moria # grep 'Incorrect authentication data' /var/log/exim4/mainlog.1 | wc -l
| 1026

So, a bit more than 1.000 attempts yesterday.

> An IP
> is only rarely used more than once, and as one can see, the IP networks
> and AS numbers don't get high counts either (with some exceptions which
> I blocked manually).

Same here, fail2ban doesn't help that much.

> I do not know what
> accounts/passwords they are trying, as real AUTH doesn't happen.

Most try "postmaster" at domains the host is MX for, others try
harvested addresses from domains the host is MX for (with and without
domain), and yet others try addresses I know that have no obvious
connection to that host. None of those has an SMTP-Auth password, so
no harm done.

-thh


[mailop] SMTP AUTH harassment

2021-07-17 Thread Slavko via mailop
Hi all!

I registered here only recently and this is my first post here (I
am sorry, my English is not the best)...

In recent days I have been bothered by many login attempts to my personal
mail server, which I have used for some years. I met a distributed
dictionary attack on the IMAP server, which was partially blocked by my
fail2ban with some manual intervention. But attempts to log into the SMTP
server are less frequent, thus more difficult to catch.

I will briefly describe the current situation:

They all connect to port 465 (as I do not provide any other port for logins)
and repeat one attempt about every hour (30 - 90 min), each from a
different IP. Most of them are known to SpamHaus CSS/XBL, which I use
to deny AUTH to them. They wait max. about 10 s for every response
(connect, EHLO, AUTH), and then disconnect without QUIT. They
disconnect without QUIT after a 5xx response to AUTH too. I do not know what
accounts/passwords they are trying, as real AUTH doesn't happen.

Two or three days ago I decided to extend the AUTH response delay so that
they disconnect before they get the reply, and to see what happens. This
results in a burst of 8 - 12 attempts every time, again all from different
IPs. They are logged and counted by exim's notQUIT ACL, here is an excerpt
(wrapped manually):

2021-07-17 20:18:02 H=[186.190.163.50] NotQ connection-lost
  (AS:27953 10.5, N:186.190.163.0/24 1.0, C:AR 40.1) EHLO,AUTH
2021-07-17 20:18:24 H=[202.52.230.206] NotQ connection-lost
  (AS:4613 2.6, N:202.52.230.0/24 1.0, C:NP 4.3) EHLO,AUTH
2021-07-17 20:18:46 H=[187.62.177.90] NotQ connection-lost
  (AS:262662 1.0, N:187.62.176.0/21 1.0, C:BR 301.1) EHLO,AUTH
2021-07-17 20:19:14 H=[103.63.29.72] NotQ connection-lost
  (AS:134888 2.0, N:103.63.29.0/24 2.0, C:IN 46.7) EHLO,AUTH
2021-07-17 20:19:49 H=[45.188.61.3] NotQ connection-lost
  (AS:269585 1.0, N:45.188.61.0/24 1.0, C:BR 302.1) EHLO,AUTH
2021-07-17 20:20:16 H=[188.112.7.125] NotQ connection-lost
  (AS:42739 6.9, N:188.112.0.0/18 3.4, C:PL 65.7) EHLO,AUTH
2021-07-17 20:20:47 H=[45.168.31.121] NotQ connection-lost
  (AS:268052 1.9, N:45.168.31.0/24 1.0, C:BR 303.0) EHLO,AUTH

I count ASN (AS:), IP network (N:) and country (C:) with exim's ratelimit
facility over 1 week, to get a quick look. Most of them come from
Brasil; other top entries include India, Poland, Argentina and others. An IP
is only rarely used more than once, and as one can see, the IP networks
and AS numbers don't get high counts either (with some exceptions which
I blocked manually).

Please, I want to ask others if these (mostly) Brasil attempts are known to
others too, or am I a "special" target? Some other questions come to my
mind without answers; while perhaps nobody here will/can know the right
answer, I will ask:

- I have used the blocklist.de IP list to block access on my router for years, but I
  have the feeling that recently it is not as effective as before; can it be
  related, as I did not see similar attempts before?
- does someone have a similar feeling about blocklist.de effectivity, or am I
  wrong?
- some days ago I decided to register my IP with dnswl.org, can it be
  related? (really I am not sure if they started shortly before I
  registered or after)

And finally, please can someone help me to create a fail2ban rule which
will catch the network IP from these logs? While I am able to do my own f2b
rules and actions, I do not know how to catch (and use) the network address
in them and I cannot find any resource for it.

thanks

-- 
Slavko
http://slavino.sk
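An added example (not Slavko's code, nor exim's) of the first step toward the rule asked for above: a Python parser for the exim NotQ lines in this post that extracts the source IP and the AS:/N:/C: ratelimit values, groups sources by the network exim logged, and reports the networks with several distinct sources, which is the network address a subnet ban would act on. The regex is written to the line format shown in the excerpt (one physical line per entry); the sample lines are constructed with TEST-NET addresses and documentation ASNs.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# exim "NotQ" lines as in the excerpt above, one physical line each (the post wrapped
# them). The numbers after AS:, N: and C: are exim's ratelimit values for the ASN,
# the IP network and the country.
NOTQ_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=\[(?P<ip>[^\]]+)\] NotQ (?P<why>\S+) "
    r"\(AS:(?P<asn>\d+) (?P<asn_rate>[\d.]+), "
    r"N:(?P<net>\S+) (?P<net_rate>[\d.]+), "
    r"C:(?P<cc>[A-Z]{2}) (?P<cc_rate>[\d.]+)\) (?P<cmds>\S+)$"
)

# Constructed sample lines (TEST-NET addresses, documentation ASNs 64496-64498).
SAMPLE_LOG = """\
2021-07-17 20:18:02 H=[192.0.2.50] NotQ connection-lost (AS:64496 10.5, N:192.0.2.0/24 1.0, C:AR 40.1) EHLO,AUTH
2021-07-17 20:18:24 H=[198.51.100.7] NotQ connection-lost (AS:64497 2.6, N:198.51.100.0/24 1.0, C:BR 301.1) EHLO,AUTH
2021-07-17 20:18:46 H=[198.51.100.90] NotQ connection-lost (AS:64497 3.6, N:198.51.100.0/24 2.0, C:BR 302.1) EHLO,AUTH
2021-07-17 20:19:14 H=[203.0.113.72] NotQ connection-lost (AS:64498 2.0, N:203.0.113.0/24 2.0, C:IN 46.7) EHLO,AUTH
2021-07-17 20:19:49 H=[198.51.100.3] NotQ connection-lost (AS:64497 4.6, N:198.51.100.0/24 3.0, C:BR 303.0) EHLO,AUTH
2021-07-17 20:20:16 H=[203.0.113.9] NotQ connection-lost (AS:64498 3.0, N:203.0.113.0/24 3.0, C:IN 47.7) EHLO,AUTH
2021-07-17 20:20:47 H=[192.0.2.21] NotQ connection-lost (AS:64496 11.5, N:192.0.2.0/24 2.0, C:AR 41.1) EHLO,AUTH
2021-07-17 20:21:00 H=[192.0.2.99] NotQ connection-lost (AS:64496 11.6, N:192.0.2.0/24 2.0, C:AR 41.2) EHLO
"""

def parse_notq(lines):
    """Yield one dict per NotQ drop that came after EHLO,AUTH (the AUTH-probe
    pattern in the post); drops without an AUTH are skipped."""
    for line in lines:
        m = NOTQ_RE.match(line.strip())
        if not m or "AUTH" not in m["cmds"].split(","):
            continue
        rec = m.groupdict()
        rec["asn"] = int(rec["asn"])
        for key in ("asn_rate", "net_rate", "cc_rate"):
            rec[key] = float(rec[key])
        yield rec

def offenders(lines, min_hits=2):
    """Group sources by the N: network exim logged; return {network: sorted IPs}
    for networks with at least min_hits distinct sources (what a subnet ban needs)."""
    seen = defaultdict(set)
    for rec in parse_notq(lines):
        seen[rec["net"]].add(rec["ip"])
    return {net: sorted(ips, key=ip_address)
            for net, ips in seen.items() if len(ips) >= min_hits}

def peak_rates(lines):
    """Highest ratelimit value seen per ASN and per country code."""
    asn_peak, cc_peak = {}, {}
    for rec in parse_notq(lines):
        asn_peak[rec["asn"]] = max(asn_peak.get(rec["asn"], 0.0), rec["asn_rate"])
        cc_peak[rec["cc"]] = max(cc_peak.get(rec["cc"], 0.0), rec["cc_rate"])
    return asn_peak, cc_peak

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for net, ips in sorted(offenders(lines).items()):
        print(f"{net:<18} {len(ips)} distinct sources: {', '.join(ips)}")
    print("peak ASN / country rates:", *peak_rates(lines))
```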




Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread John Levine via mailop
It appears that Michael Peddemors via mailop  said:
>Just make it simple, set your DNS servers to be your upstream provider..
>You pay them money, use their services if you don't want to run your own 
>DNS server..

If you're doing DNSBL lookups and your upstream provider is a giant like
Comcast or Rogers, your lookups will be rate limited.  This is a particular
problem for DNSBLs, for normal traffic you are right.

R's,
John

>PS, don't even THINK of using DoH ;)

Comcast provides perfectly good DoH if that's what you want.


Re: [mailop] Thanks Lili !

2021-07-17 Thread John Stephenson via mailop
Absolutely agree with Dave and Al, but I'll offer a very quick PSA to what
I'm sure is a very small percentage of lurkers here who are looking for a
quick fix to sneak crappy email into inboxes.  You're better off staying
off Lili and Marcel's radar.  While they have proven helpful in addressing
unintended consequences that affect good senders, they will fiercely defend
the experience of their users.  If you misrepresent what type of mail
you're sending to get into the Yahoo/Verizon inbox--they will see it in
their metrics and they will remember you ;-)  Choose wisely!

J

On Fri, Jul 16, 2021 at 7:01 PM Al Iverson via mailop 
wrote:

> Hey, I'd like to second this! Lili Crowley at Verizon is a great person
> and very helpful when it comes to helping us great unwashed masses resolve
> email delivery issues. It doesn't hurt that she is super smart and very
> insightful as well. Verizon is chock full of good people here. Not all
> large B2C webmail providers lean into the community aspect of email as a
> sort of industry or group like Verizon does, and it is very much because of
> the good people at the company like Ms. Crowley and also Marcel Becker.
>
> Cheers,
> Al Iverson
>
> On Fri, Jul 16, 2021 at 4:53 PM Dave Holmes via mailop 
> wrote:
>
>> This has been a great mailing list to be a part of, most posts are people
>> seeking to resolve issues.
>>
>> I thought I would post a massive thank you to Lili Crowley and the team
>> at Verizon helping to resolve a problem we were having, it's such a
>> refreshing change to be able to speak with people and not hop through a
>> million and one postmaster forms - just to get a canned response days later!
>>
>> Have a great weekend from a sunny UK
>>
>> --
>>
>> Dave Holmes
>> Technical Director
>>
>> d...@instiller.co.uk
>> T 0333 939 0013  |  M 07966 013 309
>> 1 Park Farm Barns | Packington Lane | Stonebridge | CV7 7TL
>>
>>
>>
>
>
> --
> Al Iverson // Wombatmail // Chicago
> Deliverability: https://spamresource.com
> DNS Tools: https://xnnd.com
>


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread John Levine via mailop
It appears that Al Iverson via mailop  said:
>> On an debian/ubuntu system just
>>
>> apt install unbound
>>
>> It comes configured fairly safely, listening only on localhost.
>>
>> and edit /etc/resolv.conf to say
>>
>> nameserver 127.0.0.1
>>
>> And there isn't much else to it for single machine.  Indeed it is quite
>> a good way to bring DNSSEC up to the local machine.

Yup.  For us BSD users, it's even installed by default.

>Until catching on to the limitations around DNSBL resolution
>limitations, I'd been quite happy with public resolvers. Spamhaus has
>been warning about them for a while, so I can't be surprised. I just
>wasn't thinking much about it.

The people in the Netherlands who wrote unbound know what they're doing.
It's only a recursive resolver which avoids a lot of the crud associated
with bind.  (For authoritative DNS, there's the separate NSD program.)

>(On my XNND DNS tools site, the web-based DNS tools by default will
>rotate through a list of common public DNS servers, to help spread the
>joy around. Maybe I'll add an allow list of DNSBL domains that use a
>local resolver instead.)

Just set up a local resolver and point all your queries at it.  Unless your
tools site is busy enough to need load balancers, the query load on
unbound will be insignificant.

R's,
John


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread Al Iverson via mailop
On Sat, Jul 17, 2021 at 1:24 AM John Brahy via mailop  wrote:
>
> Spam Haus is one of the worst. They’ll blacklist a company’s Corporate emails 
> if they think they send advertising emails even if they never use their 
> corporate domain to send email. Really dirty.

Son, you might be in the wrong business.

Cheers,
Al Iverson

-- 
Al Iverson // Wombatmail // Chicago
Deliverability: https://spamresource.com
DNS Tools: https://xnnd.com


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread Tom Ivar Helbekkmo via mailop
Tim Bray via mailop  writes:

> apt install unbound
>
> It comes configured fairly safely, listening only on localhost.
>
> and edit /etc/resolv.conf to say
>
> nameserver 127.0.0.1
>
> And there isn't much else to it for single machine.  Indeed it is
> quite a good way to bring DNSSEC up to the local machine.

You should also add the line

options edns0

to your /etc/resolv.conf for DNSSEC to work properly.  (See e.g.
https://www.dns-oarc.net/oarc/services/replysizetest for details.)

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay