> It's the only time I have ever seen it abused to be honest. I added the Azure
> abuse team so it should get resolved and they responded that they are
> escalating it to their CERT team. Plus I am curious what the hell is going on
> so I'll ask them to follow-up

Indeed, I should have done that already with the first mail. Thanks for jumping in.

> How did you figure out it was the brain dev company Btw? I didn't see the
> connection. Also, I think they had a webmail interface up at 52.169.9.191
> and it appears to be offline now. Guessing the abuse team cut the machine off.

Good question, I'll try to remember :) dig -x was non-conclusive, the website just showed a roundcube login. But somehow I got to a "settings" page which showed IMAP, POP and SMTP servers to configure, with the right hostname, which resolved back to the very IP.

> One thing that would be cool is a heat-map/aggregation of the sa-update data
> which might also find issues like this but also show useful information like
> where our sa-update mirrors are getting used most, identify the actual
> aggregated load, etc. Thoughts?

I'm very much in favor of aggregating and analyzing data, that's basically what we do at dnswl.org <http://dnswl.org/> :)

Having said that, I usually don't see that much load on our sa-update mirror, just a bit of bandwidth being used. It could give us an overview of how / where SpamAssassin is being used, and maybe see how the usage changes over time?

Example below (would be sufficient to run on a sample of the logs, when we're only interested in relative size):

    # grep "sa-update\/svn" access_log | grep -v "\.tar\.gz " > /tmp/x
    # cat /tmp/x | cut -d "/" -f 1,7 | sort | uniq | cut -d "/" -f 2 | sort | uniq -c | sort -rn | less
        176 3.3.2"
         93 3.3.1"
         15 3.4.1"
         15 3.1.8"
          3 3.2.4"
          2 3.4.0"
          2 3.2.1"
          1 3.2.3"

That's about half a day worth of logs. 3.2.x seems basically dead, but there are still 15 sites using 3.1.8 (oh my). But there are quite a few with user agent <> "sa-update" (but with curl/wget).

— Matthias
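The per-version site count that Matthias's cut/sort/uniq pipeline produces, plus the "user agent <> sa-update" check he mentions, as an added Python example that is not part of the thread. It assumes Apache combined-format access logs, a mirror path layout of /sa-update/svn/<version>/<file> (inferred from the grep pattern above), and a User-Agent of the form sa-update/<version>; the log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access_log lines (Apache combined format). Path layout
# and User-Agent format are assumptions based on the pipeline in the mail.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2016:10:00:01 +0000] "GET /sa-update/svn/3.3.2/MIRRORED.BY HTTP/1.1" 200 120 "-" "sa-update/3.3.2"
198.51.100.10 - - [10/Mar/2016:10:00:02 +0000] "GET /sa-update/svn/3.3.2/1722891.tar.gz.sha1 HTTP/1.1" 200 42 "-" "sa-update/3.3.2"
198.51.100.10 - - [10/Mar/2016:10:00:03 +0000] "GET /sa-update/svn/3.3.2/1722891.tar.gz HTTP/1.1" 200 531090 "-" "sa-update/3.3.2"
203.0.113.7 - - [10/Mar/2016:10:05:00 +0000] "GET /sa-update/svn/3.3.2/MIRRORED.BY HTTP/1.1" 200 120 "-" "sa-update/3.3.2"
203.0.113.8 - - [10/Mar/2016:10:07:00 +0000] "GET /sa-update/svn/3.1.8/MIRRORED.BY HTTP/1.1" 200 120 "-" "sa-update/3.1.8"
192.0.2.44 - - [10/Mar/2016:11:00:00 +0000] "GET /sa-update/svn/3.4.1/MIRRORED.BY HTTP/1.1" 200 120 "-" "curl/7.47.0"
192.0.2.45 - - [10/Mar/2016:11:30:00 +0000] "GET /sa-update/svn/3.4.1/1722891.tar.gz.asc HTTP/1.1" 200 819 "-" "Wget/1.17"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PATH_RE = re.compile(r'^/sa-update/svn/(?P<version>\d+\.\d+\.\d+)/')
UA_RE = re.compile(r'^sa-update/(?P<version>\d+\.\d+\.\d+)')

def parse_sa_update(log_text):
    """Return (sites_per_version, other_agents) for sa-update metadata requests.

    sites_per_version counts distinct client IPs per version in the sa-update
    User-Agent, like the mail's `cut -f 1,7 | sort | uniq` step; tarball
    downloads are skipped, like its `grep -v "\\.tar\\.gz "`. other_agents counts
    clients hitting the svn tree without identifying as sa-update (curl/wget).
    """
    sites = defaultdict(set)
    other_agents = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PATH_RE.match(m["path"]):
            continue
        if m["path"].endswith(".tar.gz"):
            continue  # one site fetches several files; metadata hits suffice
        ua = UA_RE.match(m["ua"])
        if ua:
            sites[ua["version"]].add(m["ip"])
        else:
            other_agents[m["ua"].split("/")[0]] += 1
    return {v: len(ips) for v, ips in sites.items()}, dict(other_agents)

def report(per_version):
    """Lines in the `uniq -c | sort -rn` shape: distinct sites, most used first."""
    order = sorted(per_version.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n:7d} {v}" for v, n in order]
```

Run it over a real log with `parse_sa_update(open("access_log").read())`; the non-sa-update agents are the ones worth a second look when a mirror shows unexpected load.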