Allowed to relay? Otherwise, of course, my comment stands. The ones that
go MX-direct are usually blocked, but if they relay through web.de,
per-user rate limiters should kick in before it gets to this notable volume.
Everyone IS using per-user AUTH rate limiters, correct?
No one is still a
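The per-user AUTH rate limiter the poster asks about, as an added example that is not part of the thread: a sliding-window counter keyed by the authenticating username, so that one compromised account burning through AUTH attempts (or relayed messages) is throttled without affecting other users. The limit and window values are assumptions for illustration; the clock is injectable so the behaviour can be checked deterministically.

```python
"""Per-user SMTP AUTH / relay rate limiter (added illustration, not from the thread).

Each username gets its own sliding window of event timestamps. Once a user
has `limit` events inside the last `window` seconds, further events for that
user are refused until old ones age out. Other users are unaffected.
"""
import time
from collections import defaultdict, deque


class PerUserLimiter:
    # limit/window are assumed illustrative values; tune to real traffic
    def __init__(self, limit=30, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # username -> recent event timestamps

    def _prune(self, user, now):
        # Drop timestamps that have fallen outside the window
        q = self._events[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, user):
        """Record one event for `user`; return False if the user is over limit."""
        now = self.clock()
        q = self._prune(user, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(events, limit, window):
    """Replay (timestamp, user) events through a limiter.

    Returns {user: (allowed, refused)} so a burst from one account can be
    compared against normal users in the same period.
    """
    clock = {"now": 0.0}
    limiter = PerUserLimiter(limit=limit, window=window, clock=lambda: clock["now"])
    outcome = defaultdict(lambda: [0, 0])
    for ts, user in sorted(events):
        clock["now"] = ts
        if limiter.allow(user):
            outcome[user][0] += 1
        else:
            outcome[user][1] += 1
    return {u: tuple(v) for u, v in outcome.items()}


# Constructed sample: "bot" fires 100 AUTHs in 50 seconds, "alice" logs in twice.
SAMPLE_EVENTS = [(i * 0.5, "bot") for i in range(100)] + [(10.0, "alice"), (40.0, "alice")]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS, limit=30, window=60.0))
```

The same class can be keyed by `(user, source_ip)` or fed one event per relayed message instead of per AUTH, which is the "per-user rate limiter" that should trip before a hijacked mailbox reaches the volumes discussed in the thread.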
Someone inside web.de land got infected with a variant of Gamut spewing
bitcoin extortion scams, and for one reason or another, they routed thru
web.de's mail servers INSTEAD of going MX-direct (perhaps a port 25
redirector).
The raw emails have all the fingerprints of gamut, except that it went
In the 500+ recent hits in my traps from AWS, I don't actually have
anything like this showing up. Perhaps because I'm only capturing full
emails, not just noting SMTP activity. But if you google the domain
and these IPs you can see it's not necessarily new traffic; there are
examples of people ask
I haven't seen that but I do have recent activity from that IP,
examples:
lucy.mxrouting.net: 2021-08-26 09:38:25
H=ec2-18-215-245-250.compute-1.amazonaws.com (cluster-3.mogonodo.com)
[18.215.245.250] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
F= rejected RCPT
safari.mxrouting.net: 2021
I've been seeing a trend from there the last few days as well. More were
filtered successfully than not, but the ones that slipped through all
looked similar:
https://paste.mxrouteapps.com/?0b5071a4b2cb089d#HYSAYYMSheQbYiXCZHMfjaVoqRM7naZiXKPkAK2UHju6
On 2021-08-26 14:36, Michael Peddemors via
82.165.159.12 x5 mout-xforward.gmx.net
82.165.159.13 x7 mout-xforward.gmx.net
82.165.159.14 x5 mout-xforward.gmx.net
82.165.159.2x66 mout-xforward.web.de
82.165.159.3x62 mout-xforward.web.de
82.165.159.34 x68 mout-xforward.web.de
82.165.159.35 x56
Not that specific pattern ;)
But definitely, AWS waters are getting dirtier and dirtier.
There are several email validator services, AUTH attackers, and
dictionary attacks coming from the IP space; they quickly get added to
RBLs, since there isn't much use reporting them if there is no
motivati
We've noticed an increase in email scans from AWS IP addresses; they seem to be
testing for variations of the same email:
ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1
ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1
ec2-18-215-245-250.compute-1.a
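A way to pick the "variations of the same address" pattern out of rejection logs, as an added example that is not part of the thread: parse Postfix-style `NOQUEUE: reject ... 550 5.1.1` lines, group unknown recipients by client IP, and collapse local-parts to a letters-only stem so that `john.smith`, `johnsmith` and `john_smith1` count as one target being probed. The log lines are constructed for this example (only the AWS hostname and IP come from the thread), the log format is the assumed Postfix `smtpd` reject format, and the thresholds are assumptions.

```python
"""Detect recipient-enumeration probing in SMTP reject logs (added illustration).

Assumes Postfix-style reject lines. Constructed sample log below; only the
ec2 hostname/IP is taken from the thread, everything else is made up.
"""
import re
from collections import defaultdict

# Matches: RCPT from host[ip]: 550 5.1.1 <rcpt>  (user unknown rejections only)
REJECT_RE = re.compile(
    r"RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>5\d\d) (?P<dsn>5\.1\.1) <(?P<rcpt>[^>]+)>"
)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    "Aug 26 09:38:25 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1 "
    f"<{r}@example.org>: Recipient address rejected: User unknown in local "
    f"recipient table; from=<probe@invalid.example> to=<{r}@example.org> "
    "proto=ESMTP helo=<cluster-3.mogonodo.com>"
    for r in ("john.smith", "johnsmith", "john_smith", "john.smith1",
              "john-smith", "j.smith")
] + [
    # Same AWS client, relay attempt: different DSN, must not be counted
    "Aug 26 09:39:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 554 5.7.1 "
    "<someone@other.test>: Relay access denied; from=<probe@invalid.example>",
    # Benign: one mistyped recipient from a normal sender (constructed IP)
    "Aug 26 09:40:10 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from "
    "mail.example.net[192.0.2.10]: 550 5.1.1 <alcie@example.org>: Recipient "
    "address rejected: User unknown in local recipient table; from=<bob@example.net>",
]


def parse_rejects(lines):
    """Yield (ip, host, recipient) for each user-unknown rejection."""
    out = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            out.append((m["ip"], m["host"], m["rcpt"].lower()))
    return out


def stem(local_part):
    """Reduce a local-part to letters only so spelling variants collapse."""
    return re.sub(r"[^a-z]", "", local_part.lower())


def find_probers(lines, min_rejects=4, min_variants=3):
    """Return {ip: summary} for clients with enough distinct unknown recipients.

    'variation probing' = several distinct addresses sharing one stem;
    'dictionary' = many distinct unknown recipients with little overlap.
    """
    by_ip = defaultdict(lambda: {"host": None, "rcpts": set()})
    for ip, host, rcpt in parse_rejects(lines):
        by_ip[ip]["host"] = host
        by_ip[ip]["rcpts"].add(rcpt)

    report = {}
    for ip, info in by_ip.items():
        rcpts = info["rcpts"]
        if len(rcpts) < min_rejects:
            continue  # a few typos are normal; thresholds are assumptions
        groups = defaultdict(set)
        for r in rcpts:
            lp, _, dom = r.partition("@")
            groups[(stem(lp), dom)].add(r)
        largest = max(len(v) for v in groups.values())
        report[ip] = {
            "host": info["host"],
            "unknown_recipients": len(rcpts),
            "distinct_stems": len(groups),
            "largest_variant_group": largest,
            "pattern": "variation probing" if largest >= min_variants else "dictionary",
        }
    return report


if __name__ == "__main__":
    for ip, summary in find_probers(SAMPLE_LOG).items():
        print(ip, summary)
```

Run over a day of `smtpd` rejects, the report gives a per-IP count to feed a blocklist or a rate-limit decision, while the single-typo client at 192.0.2.10 stays below the threshold.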