Re: Geofencing

2023-11-16 Thread Paul Kudla (SCOM.CA Internet Services Inc.)


Thanks for the insight. Being an ISP I like this kind of info even if it 
is a bit off topic on the dovecot mailing lists; security today is up there 
with operational stuff.



Have A Happy Thursday !!!

Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 2023-11-16 5:31 p.m., Jochen Bern wrote:

On 16.11.23 16:56, Paul Kudla wrote:
the ip that triggered all this says it is allocated from NL 
(Netherlands) but physically exists in Hawaii ?


As someone working for a LIR, let me clarify a couple things:

IPs get assigned to organizations. The registered contacts may well be 
that organization's main offices on one continent while the hardware 
actually using those addresses is located someplace different - and the 
users whose traffic gets its public IP from that hardware could well be 
in a third.


If we were also an upstream provider operating in several nations, we 
would not be obliged to use separate IP ranges for (the customers in) 
different nations, or to register such information with the RIR, much 
less making it public.


One of our customers uses the services of ZScaler to access the 
Internet, and thus a service where we maintain a whitelist of client IPs 
that may connect. Every now and then, "their" IPs will change from, 
e.g., a range assigned to "ZScaler Düsseldorf", to one designated 
"ZScaler Zürich", to "ZScaler Frankfurt", etc., while our actual 
customer doesn't move more than whatever amount the keycaps on his 
keyboard need to travel.


Having that said, there are people trying to *second guess* the actual 
location behind an IP address, from Google (ever wondered why, when you 
open Google Maps, it usually *happens* to show the place you're in?) to 
https://www.maxmind.com/en/solutions/ip-geolocation-databases-api-services 
to hobbyists, and there are software frameworks to make services 
geofenced or location aware (e.g., there are packages "GeoIP" and 
"plasma-workspace-geolocation" installed on my laptop apparently right 
off the bat). And yes, there might easily be no info for an IP you look 
up, or some that's plain wrong.


And *then* there are things like Anycast or BGP hijacking or VPN 
services to obscure one's origin or ...


Kind regards,

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org



Geofencing (was: Anyone Watching Actvity from this network? ...)

2023-11-16 Thread Jochen Bern

On 16.11.23 16:56, Paul Kudla wrote:
the ip that triggered all this says it is allocated from NL 
(Netherlands) but physically exists in Hawaii ?


As someone working for a LIR, let me clarify a couple things:

IPs get assigned to organizations. The registered contacts may well be 
that organization's main offices on one continent while the hardware 
actually using those addresses is located someplace different - and the 
users whose traffic gets its public IP from that hardware could well be 
in a third.


If we were also an upstream provider operating in several nations, we 
would not be obliged to use separate IP ranges for (the customers in) 
different nations, or to register such information with the RIR, much 
less making it public.


One of our customers uses the services of ZScaler to access the 
Internet, and thus a service where we maintain a whitelist of client IPs 
that may connect. Every now and then, "their" IPs will change from, 
e.g., a range assigned to "ZScaler Düsseldorf", to one designated 
"ZScaler Zürich", to "ZScaler Frankfurt", etc., while our actual 
customer doesn't move more than whatever amount the keycaps on his 
keyboard need to travel.


Having that said, there are people trying to *second guess* the actual 
location behind an IP address, from Google (ever wondered why, when you 
open Google Maps, it usually *happens* to show the place you're in?) to 
https://www.maxmind.com/en/solutions/ip-geolocation-databases-api-services 
to hobbyists, and there are software frameworks to make services 
geofenced or location aware (e.g., there are packages "GeoIP" and 
"plasma-workspace-geolocation" installed on my laptop apparently right 
off the bat). And yes, there might easily be no info for an IP you look 
up, or some that's plain wrong.


And *then* there are things like Anycast or BGP hijacking or VPN 
services to obscure one's origin or ...


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH




RE: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread J. de Meijer via dovecot
> Any traffic that is not your client's is unwanted. I have never ever had
> some scanning company call me, saying 'here you have 100 US$ because we
> used your data' or 'here are some tips to configure this better'.
> If someone is scanning you, it is always to their advantage, not yours; no
> Santa Clauses on the internet ;)

Actually, there are. The Dutch Institute for Vulnerability Disclosure
(https://www.divd.nl/) for instance. They scan the internet for known
vulnerabilities and contact vulnerable companies to notify them.
To ease their work they have strongly promoted the use of security.txt
(https://datatracker.ietf.org/doc/html/rfc9116) which is now mandatory for
government in the Netherlands.

It is completely run by volunteers, purely with the aim of making the
internet safer. Don't know if any of the volunteers is called Claus, but
you can call them saints :).

Regards.



Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Brendan Kearney
On 11/16/23 10:56 AM, Paul Kudla wrote:

 Ok a few things about IP blocks

 If they are portable they can move from country to country ??

 without any real notice.

 the ip that triggered all this says it is allocated from NL
 (Netherlands) but physically exists in Hawaii ?

 No list will ever be 100% accurate

 I did find this link that displays by country but then you have to
 click the country understanding that some sub nets are split out by
 class "A" / "B" & "C"

 A whole class "A" for example can be split into many subclasses thus
 pointing different ranges to different countries.

 https://www.nirsoft.net/countryip/

 maybe write a python program to grab and make a table of ip addresses
 ?

 it has a link to download a csv so some kind of loop stripping out the
 country links would probably be ok and then download the csv file and
 create a full csv file.

 then use that for your firewall keeping in mind it needs to be
 updated regularly.

 I did look around as arin net is responsible for all of this but
 could not find a list there either.

 https://www.arin.net/reference/

 ARIN is mainly responsible for allocating blocks but not really
 responsible for where they might get used.

 same with other whois databases around the globe.

 also note IPV6 is also out there now and adds a whole new layer to
 all of this.






 Have A Happy Thursday !!!

 Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


 Scom.ca Internet Services 
 004-1009 Byron Street South
 Whitby, Ontario - Canada
 L1N 4S3

 Toronto 416.642.7266
 Main 1.866.411.7266
 Fax 1.888.892.7266
 Email p...@scom.ca

 On 11/16/2023 9:31 AM, Brendan Kearney wrote:
  On 11/16/23 9:05 AM, Nick Lockheart wrote:
   Are there publicly available lists of IP ranges
   by region?

   There's no reason for any IP outside of North
   America to be contacting Postfix
   on Submission (587) or IMAP, since these are
   employee only services.

   If not for mobile phones, we could really close
   it off.


   On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla
   wrote:

     Good day to all .

     Just adding to the conversation with how I
   had to deal with this
     years ago.

     Basically hacks to any server are an issue
   today but it is cat &
     mouse
     trying to track all of this.

     That being said using the reported ip
   address below, I patched
     postfix
     to log the ip address in one syslog pass
   (to id the sasl user account
     +
     ip etc)

     Along with the above dovecot logging is
   verbose (dovecot already does

     all access in one line - ie ip address,
   username (email address) etc)

     combining the two I run my own ip address
   firewall tracking system
     based
     on the syslogging in real time.

     For Example :

     __

     # ipinfo 104.156.155.21

     IP Status for   :
   104.156.155.21

     IP Status : IPv4
     NS Lookup (Forward) :
   104.156.155.21
     NS Lookup (Reverse) : None

     IP Blacklisted Status   : Found
   104.156.155. for
     104.156.155.21
     [D] {Asterisk}
     Last Program    : sshd

     Ip Location Info for    :
   104.156.155.21

     No Ip Information Found

     (ie ip location lookup failed / does not
    exist for this ip ?)

     __

     basically the ip address block was found in
   my firewall so something,

     someone etc has tried to hack one of my
   servers

     in the case of scom.ca i run an asterisk
   server and since the
     asterisk
     is noted someone tried hacking that one as
   well.

     Basically i run a database that tracks and
   updates all firewall in
     real
     

Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Paul Kudla


Ok a few things about IP blocks

If they are portable they can move from country to country ??

without any real notice.

the ip that triggered all this says it is allocated from NL 
(Netherlands) but physically exists in Hawaii ?


No list will ever be 100% accurate

I did find this link that displays by country but then you have to click 
the country understanding that some sub nets are split out by class "A" 
/ "B" & "C"


A whole class "A" for example can be split into many subclasses thus 
pointing different ranges to different countries.


https://www.nirsoft.net/countryip/

maybe write a python program to grab and make a table of ip addresses ?

it has a link to download a csv so some kind of loop stripping out the 
country links would probably be ok and then download the csv file and 
create a full csv file.


then use that for your firewall keeping in mind it needs to be updated 
regularly.


I did look around as arin net is responsible for all of this but could 
not find a list there either.


https://www.arin.net/reference/

ARIN is mainly responsible for allocating blocks but not really 
responsible for where they might get used.


same with other whois databases around the globe.

also note IPV6 is also out there now and adds a whole new layer to all 
of this.







Have A Happy Thursday !!!

Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 11/16/2023 9:31 AM, Brendan Kearney wrote:

On 11/16/23 9:05 AM, Nick Lockheart wrote:

Are there publicly available lists of IP ranges by region?

There's no reason for any IP outside of North America to be contacting 
Postfix

on Submission (587) or IMAP, since these are employee only services.

If not for mobile phones, we could really close it off.


On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:

  Good day to all .

  Just adding to the conversation with how I had to deal with this
  years ago.

  Basically hacks to any server are an issue today but it is cat &
  mouse
  trying to track all of this.

  That being said using the reported ip address below, I patched
  postfix
  to log the ip address in one syslog pass (to id the sasl user 
account

  +
  ip etc)

  Along with the above dovecot logging is verbose (dovecot already 
does


  all access in one line - ie ip address, username (email address) 
etc)


  combining the two I run my own ip address firewall tracking system
  based
  on the syslogging in real time.

  For Example :

  __


  # ipinfo 104.156.155.21

  IP Status for   : 104.156.155.21

  IP Status : IPv4
  NS Lookup (Forward) : 104.156.155.21
  NS Lookup (Reverse) : None

  IP Blacklisted Status   : Found 104.156.155. for
  104.156.155.21
  [D] {Asterisk}
  Last Program    : sshd

  Ip Location Info for    : 104.156.155.21

  No Ip Information Found

  (ie ip location lookup failed / does not exist for this ip ?)

  __


  basically the ip address block was found in my firewall so 
something,


  someone etc has tried to hack one of my servers

  in the case of scom.ca i run an asterisk server and since the
  asterisk
  is noted someone tried hacking that one as well.

  Basically i run a database that tracks and updates all firewall in
  real
  time.

  Running FreeBSD I use PF and asterisk is linux based so i use the
  iptables and update every 10 minutes.

  Only time now a days I get involved if a customer calls and 
complains


  they are not getting emails etc ...

  That happens a few times a year.

  Again just an FYI

  This reply was more to indicate all email servers (and anything
  attached
  to the internet) really need to run some sort of automated ip
  firewall
  when username password hacks occur, no reverse ip address etc 
etc etc



  Food for thought.


  Have A Happy Thursday !!!

  Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


  Scom.ca Internet Services 
  004-1009 Byron Street South
  Whitby, Ontario - Canada
  L1N 4S3

  Toronto 416.642.7266
  Main 1.866.411.7266
  Fax 1.888.892.7266
  Email p...@scom.ca

  On 11/15/2023 5:53 PM, Simon B wrote:


   On Wed, 15 Nov 2023, 23:25 Michael Peddemors,
    wrote:
     There is a network claiming to be a security company,
   however the
     activity appears to be a little more malicious, and
   appears to 

Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Richard Siddall

Brendan Kearney wrote:


I have some rather old IpToCountry.csv files from a now defunct site. It 
mapped IP allocations to country and included the RIR, date assigned, 
etc.  This data is a few years old as the site was taken down and there 
is probably a lot of new or updated info.  A GeoDB subscription may be 
useful in the case you are looking at.


brendan



FWIW, if you look at 
https://github.com/milter-regex/milter-regex/blob/main/milter-regex-ip-prep.c 
it says you can "Download IP address allocation lists from the RIR ( 
Regional Internet Registry )


ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-latest
ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest"
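As an added example (not code from the thread or from milter-regex), here is how those delegated files can be turned into a per-country CIDR list such as the North-America allowlist asked about earlier in the thread; it assumes the documented `registry|cc|type|start|value|date|status` layout of the RIR statistics files, and the sample records are constructed:

```python
"""Build a per-country CIDR list from RIR "delegated" statistics files.

Added example, not from the thread or from milter-regex. The RIR files
linked above are pipe-separated:

    registry|cc|type|start|value|date|status[|extensions...]

For ipv4 records `value` is a COUNT of addresses (not always a power of
two), for ipv6 it is a PREFIX LENGTH, and for asn it is a count of AS
numbers. A version line and per-type summary lines precede the records
and carry no address data; '#' starts a comment.
"""
import ipaddress
from collections import defaultdict

# Constructed sample in the delegated-extended layout; the first ARIN record
# mirrors the /24 quoted in this thread, the rest use documentation ranges.
SAMPLE = """\
# comment line
2|arin|20231116|3|19700101|20231115|-0500
arin|*|ipv4|*|3|summary
arin|US|ipv4|104.156.155.0|256|20220107|allocated|c0ffee
arin|CA|ipv4|192.0.2.0|768|20100101|assigned|deadbeef
arin|US|ipv6|2001:db8::|32|20150101|allocated|c0ffee
arin|US|asn|64496|1|20150101|assigned|c0ffee
ripencc|NL|ipv4|198.51.100.0|512|20050101|allocated
ripencc|NL|ipv4|203.0.113.0|256||available
"""


def iter_records(text):
    """Yield (registry, cc, kind, start, value, status) for address records."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*" or fields[2] not in ("ipv4", "ipv6"):
            continue  # version line, summary line, or an asn record
        registry, cc, kind, start, value, _date, status = fields[:7]
        yield registry, cc, kind, start, int(value), status


def to_networks(kind, start, value):
    """Convert one record into the minimal list of CIDR networks."""
    if kind == "ipv6":
        return [ipaddress.ip_network(f"{start}/{value}", strict=False)]
    first = ipaddress.ip_address(start)
    last = first + (value - 1)
    # e.g. 768 addresses is a /23 plus a /24; summarize_address_range splits it
    return list(ipaddress.summarize_address_range(first, last))


def networks_by_country(text, statuses=("allocated", "assigned")):
    """Map country code -> sorted networks, skipping e.g. 'available' space."""
    out = defaultdict(list)
    for _reg, cc, kind, start, value, status in iter_records(text):
        if status in statuses:
            out[cc].extend(to_networks(kind, start, value))
    return {cc: sorted(nets, key=lambda n: (n.version, int(n.network_address)))
            for cc, nets in out.items()}


def allowlist(text, countries):
    """CIDR strings for the given countries, e.g. ("US", "CA") for a NA allowlist."""
    table = networks_by_country(text)
    return [str(n) for cc in countries for n in table.get(cc, [])]


def country_of(text, ip):
    """Registered country for an address, or None if no record covers it."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in networks_by_country(text).items():
        if any(addr in n for n in nets if n.version == addr.version):
            return cc
    return None


if __name__ == "__main__":
    for cidr in allowlist(SAMPLE, ("US", "CA")):
        print(cidr)
    print(country_of(SAMPLE, "104.156.155.21"))
```

Remember Jochen's caveat above: this is where the block is registered, not where the hardware or the users are, so treat the result as an allowlist input, not as a location.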


RE: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Marc
And what if someone is on vacation? You can also use a DNSBL on your submission 
port; that helps a lot.

> 
> Are there publicly available lists of IP ranges by region?
>
> There's no reason for any IP outside of North America to be contacting
> Postfix on Submission (587) or IMAP, since these are employee only
> services.
>
> If not for mobile phones, we could really close it off.
> 
> 
> On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:
> >
> > Good day to all .
> >
> > Just adding to the conversation with how I had to deal with this
> > years ago.
> >
> > Basically hacks to any server are an issue today but it is cat &
> > mouse
> > trying to track all of this.
> >
> > That being said using the reported ip address below, I patched
> > postfix
> > to log the ip address in one syslog pass (to id the sasl user account
> > +
> > ip etc)
> >
> > Along with the above dovecot logging is verbose (dovecot already does
> > all access in one line - ie ip address, username (email address) etc)
> >
> > combining the two I run my own ip address firewall tracking system
> > based
> > on the syslogging in real time.
> >
> > For Example :
> >
> > __
> >
> > # ipinfo 104.156.155.21
> >
> > IP Status for   : 104.156.155.21
> >
> > IP Status : IPv4
> > NS Lookup (Forward) : 104.156.155.21
> > NS Lookup (Reverse) : None
> >
> > IP Blacklisted Status   : Found 104.156.155. for
> > 104.156.155.21
> > [D] {Asterisk}
> > Last Program    : sshd
> >



Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Brendan Kearney

On 11/16/23 9:05 AM, Nick Lockheart wrote:

Are there publicly available lists of IP ranges by region?

There's no reason for any IP outside of North America to be contacting Postfix
on Submission (587) or IMAP, since these are employee only services.

If not for mobile phones, we could really close it off.


On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:

  Good day to all .

  Just adding to the conversation with how I had to deal with this
  years ago.

  Basically hacks to any server are an issue today but it is cat &
  mouse
  trying to track all of this.

  That being said using the reported ip address below, I patched
  postfix
  to log the ip address in one syslog pass (to id the sasl user account
  +
  ip etc)

  Along with the above dovecot logging is verbose (dovecot already does

  all access in one line - ie ip address, username (email address) etc)

  combining the two I run my own ip address firewall tracking system
  based
  on the syslogging in real time.

  For Example :

  __

  # ipinfo 104.156.155.21

  IP Status for   : 104.156.155.21

  IP Status : IPv4
  NS Lookup (Forward) : 104.156.155.21
  NS Lookup (Reverse) : None

  IP Blacklisted Status   : Found 104.156.155. for
  104.156.155.21
  [D] {Asterisk}
  Last Program    : sshd

  Ip Location Info for    : 104.156.155.21

  No Ip Information Found

  (ie ip location lookup failed / does not exist for this ip ?)

  __

  basically the ip address block was found in my firewall so something,

  someone etc has tried to hack one of my servers

  in the case of scom.ca i run an asterisk server and since the
  asterisk
  is noted someone tried hacking that one as well.

  Basically i run a database that tracks and updates all firewall in
  real
  time.

  Running FreeBSD I use PF and asterisk is linux based so i use the
  iptables and update every 10 minutes.

  Only time now a days I get involved if a customer calls and complains

  they are not getting emails etc ...

  That happens a few times a year.

  Again just an FYI

  This reply was more to indicate all email servers (and anything
  attached
  to the internet) really need to run some sort of automated ip
  firewall
  when username password hacks occur, no reverse ip address etc etc etc


  Food for thought.


  Have A Happy Thursday !!!

  Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


  Scom.ca Internet Services 
  004-1009 Byron Street South
  Whitby, Ontario - Canada
  L1N 4S3

  Toronto 416.642.7266
  Main 1.866.411.7266
  Fax 1.888.892.7266
  Email p...@scom.ca

  On 11/15/2023 5:53 PM, Simon B wrote:


   On Wed, 15 Nov 2023, 23:25 Michael Peddemors,
wrote:
     There is a network claiming to be a security company,
   however the
     activity appears to be a little more malicious, and
   appears to be
     attempting buffer overflows against POP-SSL
   services.. (and other
     attacks).

     https://www.abuseipdb.com/check/104.156.155.21

     Just thought it would be worth mentioning, you might
   want to keep an
     eye
     out for traffic from this company...

     Might want to make up your own mind, or maybe someone
   has more
     information, but enough of a red flag, that thought
   it warranted
     posting
     on the list.

     Not sure yet if it is Dovecot, or the SSL libraries
   they are
     attempting
     to break, but using a variety of SSL/TLS methods and
   connections...

   They are not interested in dovecot per se.  They scan for
   TLS vulnerabilities,
   mostly.

     Anyone with more information?

     NetRange:       104.156.155.0 - 104.156.155.255
     CIDR:           104.156.155.0/24
     NetName:        ACDRESEARCH
     NetHandle:      NET-104-156-155-0-1
     Parent:         NET104 (NET-104-0-0-0-0)
     NetType:        Direct Allocation
     OriginAS:
     Organization:   Academy of Internet Research Limited
   Liability
     Company
     (AIRLL)
     RegDate:        2022-01-07
     Updated:        2022-01-07
     Ref:            https://rdap.arin.net/registry/ip/
   

Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Nick Lockheart

Are there publicly available lists of IP ranges by region?

There's no reason for any IP outside of North America to be contacting Postfix
on Submission (587) or IMAP, since these are employee only services.

If not for mobile phones, we could really close it off.


On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:

 Good day to all .

 Just adding to the conversation with how I had to deal with this
 years ago.

 Basically hacks to any server are an issue today but it is cat &
 mouse
 trying to track all of this.

 That being said using the reported ip address below, I patched
 postfix
 to log the ip address in one syslog pass (to id the sasl user account
 +
 ip etc)

 Along with the above dovecot logging is verbose (dovecot already does

 all access in one line - ie ip address, username (email address) etc)

 combining the two I run my own ip address firewall tracking system
 based
 on the syslogging in real time.

 For Example :

 __

 # ipinfo 104.156.155.21

 IP Status for   : 104.156.155.21

 IP Status : IPv4
 NS Lookup (Forward) : 104.156.155.21
 NS Lookup (Reverse) : None

 IP Blacklisted Status   : Found 104.156.155. for
 104.156.155.21
 [D] {Asterisk}
 Last Program    : sshd

 Ip Location Info for    : 104.156.155.21

 No Ip Information Found

 (ie ip location lookup failed / does not exist for this ip ?)

 __

 basically the ip address block was found in my firewall so something,

 someone etc has tried to hack one of my servers

 in the case of scom.ca i run an asterisk server and since the
 asterisk
 is noted someone tried hacking that one as well.

 Basically i run a database that tracks and updates all firewall in
 real
 time.

 Running FreeBSD I use PF and asterisk is linux based so i use the
 iptables and update every 10 minutes.

 Only time now a days I get involved if a customer calls and complains

 they are not getting emails etc ...

 That happens a few times a year.

 Again just an FYI

 This reply was more to indicate all email servers (and anything
 attached
 to the internet) really need to run some sort of automated ip
 firewall
 when username password hacks occur, no reverse ip address etc etc etc


 Food for thought.


 Have A Happy Thursday !!!

 Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


 Scom.ca Internet Services 
 004-1009 Byron Street South
 Whitby, Ontario - Canada
 L1N 4S3

 Toronto 416.642.7266
 Main 1.866.411.7266
 Fax 1.888.892.7266
 Email p...@scom.ca

 On 11/15/2023 5:53 PM, Simon B wrote:


  On Wed, 15 Nov 2023, 23:25 Michael Peddemors,
   wrote:
    There is a network claiming to be a security company,
  however the
    activity appears to be a little more malicious, and
  appears to be
    attempting buffer overflows against POP-SSL
  services.. (and other
    attacks).

    https://www.abuseipdb.com/check/104.156.155.21

    Just thought it would be worth mentioning, you might
  want to keep an
    eye
    out for traffic from this company...

    Might want to make up your own mind, or maybe someone
  has more
    information, but enough of a red flag, that thought
  it warranted
    posting
    on the list.

    Not sure yet if it is Dovecot, or the SSL libraries
  they are
    attempting
    to break, but using a variety of SSL/TLS methods and
  connections...

  They are not interested in dovecot per se.  They scan for
  TLS vulnerabilities,
  mostly.

    Anyone with more information?

    NetRange:       104.156.155.0 - 104.156.155.255
    CIDR:           104.156.155.0/24
    NetName:        ACDRESEARCH
    NetHandle:      NET-104-156-155-0-1
    Parent:         NET104 (NET-104-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:
    Organization:   Academy of Internet Research Limited
  Liability
    Company
    (AIRLL)
    RegDate:        2022-01-07
    Updated:        2022-01-07
    Ref:            https://rdap.arin.net/registry/ip/
  104.156.155.0


    OrgName:        Academy of Internet Research Limited
  Liability
    Company
    OrgId: 

Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Paul Kudla


Good day to all .

Just adding to the conversation with how I had to deal with this years ago.

Basically hacks to any server are an issue today but it is cat & mouse 
trying to track all of this.


That being said using the reported ip address below, I patched postfix 
to log the ip address in one syslog pass (to id the sasl user account + 
ip etc)


Along with the above dovecot logging is verbose (dovecot already does 
all access in one line - ie ip address, username (email address) etc)


combining the two I run my own ip address firewall tracking system based 
on the syslogging in real time.


For Example :

__

# ipinfo 104.156.155.21

IP Status for   : 104.156.155.21

IP Status : IPv4
NS Lookup (Forward) : 104.156.155.21
NS Lookup (Reverse) : None

IP Blacklisted Status   : Found 104.156.155. for 104.156.155.21 
[D] {Asterisk}

Last Program: sshd

Ip Location Info for: 104.156.155.21

No Ip Information Found

(ie ip location lookup failed / does not exist for this ip ?)

__

basically the ip address block was found in my firewall so something, 
someone etc has tried to hack one of my servers


in the case of scom.ca I run an asterisk server and since the asterisk 
is noted someone tried hacking that one as well.


Basically I run a database that tracks and updates all firewalls in real 
time.


Running FreeBSD I use PF and asterisk is linux based so I use the 
iptables and update every 10 minutes.


Only time now a days I get involved if a customer calls and complains 
they are not getting emails etc ...


That happens a few times a year.

Again just an FYI

This reply was more to indicate all email servers (and anything attached 
to the internet) really need to run some sort of automated ip firewall 
when username password hacks occur, no reverse ip address etc etc etc



Food for thought.


Have A Happy Thursday !!!

Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 11/15/2023 5:53 PM, Simon B wrote:



On Wed, 15 Nov 2023, 23:25 Michael Peddemors,  wrote:
  There is a network claiming to be a security company, however the
  activity appears to be a little more malicious, and appears to be
  attempting buffer overflows against POP-SSL services.. (and other
  attacks).

  https://www.abuseipdb.com/check/104.156.155.21

  Just thought it would be worth mentioning, you might want to keep an
  eye
  out for traffic from this company...

  Might want to make up your own mind, or maybe someone has more
  information, but enough of a red flag, that thought it warranted
  posting
  on the list.

  Not sure yet if it is Dovecot, or the SSL libraries they are
  attempting
  to break, but using a variety of SSL/TLS methods and connections...

They are not interested in dovecot per se.  They scan for TLS vulnerabilities,
mostly.

  Anyone with more information?

  NetRange:       104.156.155.0 - 104.156.155.255
  CIDR:           104.156.155.0/24
  NetName:        ACDRESEARCH
  NetHandle:      NET-104-156-155-0-1
  Parent:         NET104 (NET-104-0-0-0-0)
  NetType:        Direct Allocation
  OriginAS:
  Organization:   Academy of Internet Research Limited Liability
  Company
  (AIRLL)
  RegDate:        2022-01-07
  Updated:        2022-01-07
  Ref:            https://rdap.arin.net/registry/ip/104.156.155.0


  OrgName:        Academy of Internet Research Limited Liability
  Company
  OrgId:          AIRLL
  Address:        #A1- 5436
  Address:        1110 Nuuanu Ave
  City:           Honolulu
  StateProv:      HI
  PostalCode:     96817
  Country:        US
  RegDate:        2021-10-15
  Updated:        2022-11-06
  Ref:            https://rdap.arin.net/registry/entity/AIRLL

  --

See also shadowserver.org, census.io, stretchoid, etc. All of them allegedly
reputable, all of them supposedly with opt-out mechanisms, and all of them are
blocked for not asking permission.


Ymmv.

Regards

Simon




___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
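The syslog-driven blocking described in the message above, as an added example that is not Paul's ipinfo tool: it scores dovecot and postfix authentication failures per source address over a ten-minute window and renders the PF and iptables commands for a FreeBSD/Linux mix, assuming the stock dovecot `imap-login`/`pop3-login` and postfix `smtpd` log formats; the log lines, table name and threshold are constructed:

```python
"""Score dovecot/postfix auth failures from syslog and emit firewall commands.

Added example, not the ipinfo tool from the thread. Assumes the stock
dovecot "Disconnected (auth failed, N attempts in S secs)" login line and
the stock postfix smtpd "SASL ... authentication failed" warning; window,
threshold and the PF table name are constructed choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (documentation ranges plus the /24 from the thread)
SAMPLE_LOG = """\
Nov 16 08:27:01 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<paul>, method=PLAIN, rip=104.156.155.21, lip=192.0.2.10, TLS, session=<a1>
Nov 16 08:27:05 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<admin>, method=PLAIN, rip=104.156.155.21, lip=192.0.2.10, TLS, session=<a2>
Nov 16 08:27:09 mail postfix/submission/smtpd[4242]: warning: unknown[104.156.155.21]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 16 08:28:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<paul>, method=PLAIN, rip=203.0.113.8, lip=192.0.2.10, TLS, session=<a3>
Nov 16 08:28:30 mail dovecot: imap-login: Login: user=<paul>, method=PLAIN, rip=203.0.113.8, lip=192.0.2.10, mpid=9001, TLS, session=<a4>
Nov 16 08:29:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.77, lip=192.0.2.10, session=<a5>
Nov 16 08:50:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10, TLS, session=<a6>
"""

STAMP = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
# dovecot logs user and source IP in one line, with the attempt count
DOVECOT_FAIL = re.compile(
    STAMP + r".*dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, "
    r"(?P<n>\d+) attempts? in \d+ secs\): user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)")
# stock postfix logs only the client address on a failed SASL login
POSTFIX_FAIL = re.compile(
    STAMP + r".*postfix/\S+\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed")


def parse_ts(stamp, year=2023):
    """Syslog stamps carry no year, so one is assumed (constructed default)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def failures(log):
    """Yield (timestamp, ip, user_or_None, weight) for every failed auth.

    Connections that never tried credentials ("no auth attempts") are not
    counted here; they are a separate, noisier signal.
    """
    for line in log.splitlines():
        m = DOVECOT_FAIL.match(line)
        if m:
            yield parse_ts(m["ts"]), m["ip"], m["user"], int(m["n"])
            continue
        m = POSTFIX_FAIL.match(line)
        if m:
            yield parse_ts(m["ts"]), m["ip"], None, 1


def decide(log, now_stamp, window_minutes=10, threshold=3):
    """Return {ip: (score, users_tried)} for sources at or over `threshold`
    within the last `window_minutes` before `now_stamp` (same stamp syntax
    as the log). Ten minutes matches the update cadence from the thread."""
    now = parse_ts(now_stamp)
    start = now - timedelta(minutes=window_minutes)
    score, users = defaultdict(int), defaultdict(set)
    for ts, ip, user, weight in failures(log):
        if start <= ts <= now:
            score[ip] += weight
            if user:
                users[ip].add(user)
    return {ip: (s, sorted(users[ip])) for ip, s in score.items() if s >= threshold}


def firewall_commands(blocked, pf_table="authfail"):
    """Render the block commands for PF (FreeBSD) and iptables (Linux)."""
    cmds = []
    for ip in sorted(blocked):
        cmds.append(f"pfctl -t {pf_table} -T add {ip}")
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    blocked = decide(SAMPLE_LOG, "Nov 16 08:30:00")
    for ip, (score, users) in blocked.items():
        print(f"{ip}: {score} failures, users tried: {users}")
    print("\n".join(firewall_commands(blocked)))
```

The one-off failure from 203.0.113.8 followed by a successful login stays under the threshold, which is the point of weighting by attempts rather than blocking on the first mistyped password.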



RE: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Marc
Any traffic that is not your client's is unwanted. I have never ever had some 
scanning company call me, saying 'here you have 100 US$ because we used your 
data' or 'here are some tips to configure this better'. 
If someone is scanning you, it is always to their advantage, not yours; no Santa 
Clauses on the internet ;)


> 
> >  Not sure yet if it is Dovecot, or the SSL libraries they are
> >  attempting
> >  to break, but using a variety of SSL/TLS methods and connections...
> >
> > They are not interested in dovecot per se.  They scan for TLS
> vulnerabilities,
> > mostly.
> 
> They're running comprehensive port scans, so they're targeting more
> than just SSL
> services.
> 
> >  OrgName:Academy of Internet Research Limited Liability
> >  Company
> >  OrgId:  AIRLL
> >  Address:#A1- 5436
> >  Address:1110 Nuuanu Ave
> >  City:   Honolulu
> >  StateProv:  HI
> >  PostalCode: 96817
> >  Country:US
> 
> Out of business virtual offices, naturally.
> 
> AIRLL also operating out of 195.96.137.0/24.
> 
> Joseph Tam 