On Wed, 25 Jul 2012, Chris Knadle wrote:
> What I don't understand about this particular situation is that the IP address
> of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
> which would make it seem like the attacker is on the local LAN (or via VPN).
>
> 2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
Maybe I'm misreading the logs, but isn't 192.168.0.232
the HELO/EHLO address?
In which case the rogue machine is on a private network belonging
to a broadviewnet customer and somewhere behind 216.214.153.238?
It seems that, in addition to adding fail2ban, you'd want to find the
offending box and take it offline for antivirus scanning (if possible), because
the "attacker" is probably malware.
Good luck tracking it down.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
[email protected] http://www.dpmms.cam.ac.uk/~werdna
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
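To illustrate the point made in the reply above (the name in parentheses is the client-supplied HELO/EHLO argument; the bracketed address after it is the TCP peer Exim actually talked to, and the one fail2ban should act on), here is a small parser for these Exim authentication-failure lines. This is example code added for this page, not code from Exim or from either poster; the sample log is constructed (the first two entries reproduce the quoted ones, the remaining entries use documentation addresses).

```python
import ipaddress
import re
from collections import Counter

# Exim main-log form: "<auth> authenticator failed for [rdns] (<helo>) [<ip>]: 535 ... (set_id=<user>)"
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:(?P<host>\S+) )?"            # optional reverse-DNS name of the peer
    r"\((?P<helo>[^)]*)\) "          # HELO/EHLO argument: chosen by the client, untrusted
    r"\[(?P<ip>[^\]]+)\]: 535 .*?"    # peer address as seen by the server: trustworthy
    r"(?:\(set_id=(?P<user>[^)]*)\))?$"
)

# Constructed sample log (first two lines are the entries quoted in the thread).
SAMPLE_LOG = """\
2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:09:14 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=admin)
2012-07-25 07:09:20 login authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=test)
2012-07-25 08:00:00 plain authenticator failed for (mail.example.net) [203.0.113.7]: 535 Incorrect authentication data (set_id=bob)
""".splitlines()

def helo_literal(helo):
    """Return an ip_address object if the HELO was an address literal such as [192.168.0.232], else None."""
    try:
        return ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return None

def parse_auth_failure(line):
    """Parse one auth-failure line; other Exim lines (e.g. 'no IP address found') return None."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    lit = helo_literal(rec["helo"])
    rec["helo_is_private"] = bool(lit and lit.is_private)       # RFC 1918 etc. in the HELO only
    rec["helo_mismatch"] = lit is not None and str(lit) != rec["ip"]
    rec["source_ip"] = rec["ip"]    # the address to block or investigate, not the HELO
    return rec

def summarize(lines, threshold=3):
    """Count failures per real peer address and return those at or over a fail2ban-style threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_failure(line)
        if rec:
            counts[rec["source_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```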