Turning off the NOBODY alias would be helpful right off. I do not
know a way to dynamically block an IP that hammers you with unwanted
mail but that would be a nice feature.

IMGate/postfix has a new "anvil" feature that SMTP-greets a hammering IP with an immediate "421" and TCP disconnect, effectively immunizing IMGate from attacks.


Hammering IPs qualify for anvil treatment by making x TCP connections in y seconds, e.g., 20 connections in 1800 seconds.

One of the IMGate users wrote a Perl script to report on anvilled IPs.

====================================================
 Report for: Apr 8 00:01:00 - Apr 8 18:22:33
 smtpd_client_connection_rate_limit = 20
 client_rate_time_unit = 1800
====================================================

Anvil Reject UknUsr Recvd IP Address Hostname



Notice how the worst and most numerous hammering IPs are in subscriber networks.


The worst of the worst attackers are web apps that don't relay through mail servers but send mail directly to MXs using a [EMAIL PROTECTED] SMTP client that loops very tightly when 4xx rejected.

Len

_____________________________________________________________________
http://MenAndMice.com/DNS-training : Atlanta; SFO; Denver; NYC
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
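
The kind of per-IP tally the report above shows, as an added example that is not part of the original post and is not the IMGate user's Perl script. It assumes Postfix smtpd's usual syslog messages and guesses the column meanings from the report header; the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
Apr  8 00:01:10 gw postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <nobody@example.com>: Recipient address rejected: User unknown; proto=SMTP
Apr  8 00:01:11 gw postfix/smtpd[2103]: warning: Connection rate limit exceeded: 21 from unknown[192.0.2.10] for service smtp
Apr  8 00:01:12 gw postfix/smtpd[2104]: warning: Connection rate limit exceeded: 22 from unknown[192.0.2.10] for service smtp
Apr  8 00:02:00 gw postfix/smtpd[2105]: 4F1A22C0B1: client=mail.example.org[198.51.100.7]
Apr  8 00:02:30 gw postfix/smtpd[2106]: warning: Connection rate limit exceeded: 21 from mail.example.org[198.51.100.7] for service smtp
Apr  8 00:03:00 gw postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 554 <x@example.com>: Relay access denied; proto=ESMTP
Apr  8 00:04:00 gw postfix/smtpd[2108]: 5A0B11D2C3: client=quiet.example.net[203.0.113.5]
"""

# Each pattern captures (hostname, ip) from the "host[ip]" form smtpd logs.
ANVIL = re.compile(r"warning: Connection rate limit exceeded: \d+ from (\S*)\[([\d.]+)\]")
REJECT = re.compile(r"NOQUEUE: reject: \w+ from (\S*)\[([\d.]+)\]: (\d{3}) (.*)")
RECVD = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=(\S*)\[([\d.]+)\]")

def tally(log_text):
    """Count anvil hits, rejects, unknown-user rejects and queued mail per IP."""
    stats = defaultdict(lambda: {"anvil": 0, "reject": 0, "unkusr": 0, "recvd": 0, "host": ""})
    for line in log_text.splitlines():
        if m := ANVIL.search(line):
            key = "anvil"
        elif m := REJECT.search(line):
            key = "reject"
        elif m := RECVD.search(line):
            key = "recvd"
        else:
            continue
        row = stats[m.group(2)]
        row[key] += 1
        if key == "reject" and "User unknown" in m.group(4):
            row["unkusr"] += 1
        if m.group(1) != "unknown":  # smtpd logs "unknown" when rDNS fails
            row["host"] = m.group(1)
    return dict(stats)

def report(stats):
    """Rows for IPs that tripped anvil at least once, worst offender first."""
    rows = [(s["anvil"], s["reject"], s["unkusr"], s["recvd"], ip, s["host"])
            for ip, s in stats.items() if s["anvil"]]
    return sorted(rows, key=lambda r: -r[0])

if __name__ == "__main__":
    print("Anvil Reject UknUsr Recvd IP Address Hostname")
    for row in report(tally(SAMPLE_LOG)):
        print(*row)
```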

