Hi, all.

I sometimes see a flurry of attempted connections such as these from the mail log:

Jul-11-07 06:38:54 Connected: 58.224.155.140:1176 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:38:55 c1775 58.224.155.140 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:38:55 c1775 58.224.155.140 <[EMAIL PROTECTED]> PB: 58.224.155.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:38:55 c1775 58.224.155.140 <[EMAIL PROTECTED]> is disconnected
Jul-11-07 06:39:18 Connected: 201.13.155.169:62523 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:39:20 c11237 201.13.155.169 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:39:20 c11237 201.13.155.169 <[EMAIL PROTECTED]> PB: 201.13.155.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:39:20 c11237 201.13.155.169 <[EMAIL PROTECTED]> is disconnected
Jul-11-07 06:39:36 Connected: 217.132.34.104:2006 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:39:40 c9519 217.132.34.104 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:39:40 c9519 217.132.34.104 <[EMAIL PROTECTED]> PB: 217.132.34.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:39:40 c9519 217.132.34.104 <[EMAIL PROTECTED]> is disconnected
Jul-11-07 06:40:23 Connected: 80.134.183.253:63769 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:40:25 c2457 80.134.183.253 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:40:25 c2457 80.134.183.253 <[EMAIL PROTECTED]> PB: 80.134.183.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:40:25 c2457 80.134.183.253 <[EMAIL PROTECTED]> is disconnected
Jul-11-07 06:40:34 Connected: 69.91.44.59:4053 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:40:34 c14428 69.91.44.59 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:40:34 c14428 69.91.44.59 <[EMAIL PROTECTED]> PB: 69.91.44.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:40:34 Connected: 83.205.139.11:4349 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:40:34 c14428 69.91.44.59 <[EMAIL PROTECTED]> is disconnected
Jul-11-07 06:40:36 c1233 83.205.139.11 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:40:36 c1233 83.205.139.11 <[EMAIL PROTECTED]> PB: 83.205.139.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:40:36 c1233 83.205.139.11 <[EMAIL PROTECTED]> is disconnected
Jul-11-07 06:42:14 Connected: 122.162.145.177:25488 -> 192.168.0.5:25 -> 192.168.0.1:25
Jul-11-07 06:42:16 c9955 122.162.145.177 <[EMAIL PROTECTED]> invalid address rejected: [EMAIL PROTECTED]
Jul-11-07 06:42:16 c9955 122.162.145.177 <[EMAIL PROTECTED]> PB: 122.162.145.0 score: 0+20 => 20 reason:InvalidAddress
Jul-11-07 06:42:16 c9955 122.162.145.177 <[EMAIL PROTECTED]> is disconnected

The messages come from different IP addresses and different senders, but
the invalid addresses are repeated.  Does anyone know of a way to detect a
spam flurry like this in ASSP and add an additional PB score to the
offending sender IP addresses?  And just out of curiosity, does anyone know
how the spammers manage to send from such geographically diverse IP
addresses, all to the same invalid address, all within a few minutes?

Regards,

    Dave 


_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
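
An added example, not part of the original post and not an ASSP feature: an offline pass over the mail log that flags the pattern described above, where one invalid recipient is hit by several distinct source IPs within a few minutes. It assumes one log entry per line in chronological order, unredacted addresses, and the rejection line format shown in the log; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "invalid address rejected" line format shown in the log above.
REJECT = re.compile(
    r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (\d+\.\d+\.\d+\.\d+) <[^>]*> "
    r"invalid address rejected: (\S+)$"
)

def find_flurries(lines, window_minutes=5, min_ips=3):
    """Return {recipient: sorted source IPs} for every invalid recipient that
    at least min_ips distinct IPs tried within a sliding time window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # recipient -> (time, ip) hits still in window
    flagged = defaultdict(set)    # recipient -> IPs that took part in a flurry
    for line in lines:
        m = REJECT.match(line.strip())
        if not m:
            continue              # Connected / PB / disconnected lines
        when = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        ip, rcpt = m.group(2), m.group(3).lower()
        hits = recent[rcpt]
        hits.append((when, ip))
        while when - hits[0][0] > window:
            hits.popleft()        # drop hits older than the window
        ips = {h[1] for h in hits}
        if len(ips) >= min_ips:
            flagged[rcpt] |= ips
    return {rcpt: sorted(ips) for rcpt, ips in flagged.items()}

# Constructed sample log (documentation IP ranges and example domains).
SAMPLE = """\
Jul-11-07 06:38:55 c1 192.0.2.10 <a@sender.example> invalid address rejected: ghost@example.org
Jul-11-07 06:39:20 c2 198.51.100.7 <b@sender.example> invalid address rejected: ghost@example.org
Jul-11-07 06:39:40 c3 203.0.113.99 <c@sender.example> invalid address rejected: ghost@example.org
Jul-11-07 06:40:25 c4 192.0.2.10 <d@sender.example> invalid address rejected: typo@example.org
Jul-11-07 07:30:00 c5 198.51.100.200 <e@sender.example> invalid address rejected: typo@example.org
Jul-11-07 07:30:00 c5 198.51.100.200 <e@sender.example> PB: 198.51.100.0 score: 0+20 => 20 reason:InvalidAddress
""".splitlines()

if __name__ == "__main__":
    for rcpt, ips in find_flurries(SAMPLE).items():
        print(rcpt, ips)
```

The result is a list of source IPs per targeted address; how those IPs are then penalized in ASSP is left to the administrator.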