I'm really enjoying how anvil gives a new view of SMTP client behavior.
=================================================
Quantity of anvil blocks per IP
smtpd_client_connection_rate_limit = 10
client_rate_time_unit = 1800
=================================================
Of course, many of these IPs would have been blocked by smtpd restrictions
anyway, but it sure helps to see how the bad guys keep coming back at high
rates. The report also helps you decide whether a suspect sender is acting
badly, so you can put them in a restriction.
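
A per-IP tally like the report above can be built from the mail log. This is an added example, not the poster's script: it assumes smtpd logs each block as a "Connection rate limit exceeded" warning, and the sample log lines, hosts and the function names `tally_blocks` and `report` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IPs, made-up hosts), not from the post.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[2101]: connect from mail1.example.net[192.0.2.10]
Mar  1 10:00:02 mx postfix/smtpd[2101]: warning: Connection rate limit exceeded: 11 from mail1.example.net[192.0.2.10] for service smtp
Mar  1 10:00:09 mx postfix/smtpd[2107]: warning: Connection rate limit exceeded: 12 from mail1.example.net[192.0.2.10] for service smtp
Mar  1 10:03:40 mx postfix/smtpd[2110]: warning: Connection rate limit exceeded: 11 from unknown[198.51.100.7] for service smtp
Mar  1 10:04:12 mx postfix/smtpd[2113]: warning: Connection rate limit exceeded: 13 from unknown[192.0.2.10] for service smtp
Mar  1 10:05:55 mx postfix/smtpd[2120]: warning: Connection rate limit exceeded: 12 from unknown[198.51.100.7] for service smtp
Mar  1 10:06:00 mx postfix/smtpd[2121]: warning: Connection concurrency limit exceeded: 51 from unknown[203.0.113.5] for service smtp
"""

# Matches only the connection *rate* warning; concurrency warnings are a
# different limit and are deliberately not counted here.
RATE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: Connection rate limit exceeded: "
    r"\d+ from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\] for service \S+"
)


def tally_blocks(lines):
    """Return (blocks per IP, last known hostname per IP)."""
    blocks = Counter()
    names = {}
    for line in lines:
        m = RATE_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        blocks[ip] += 1
        # Keep a real name if any line had one; "unknown" means no usable rDNS.
        if m["host"] != "unknown":
            names[ip] = m["host"]
    return blocks, names


def report(lines, min_blocks=1):
    """Rows of (block count, IP, hostname), busiest clients first."""
    blocks, names = tally_blocks(lines)
    ordered = sorted(blocks.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(n, ip, names.get(ip, "")) for ip, n in ordered if n >= min_blocks]


if __name__ == "__main__":
    for count, ip, host in report(SAMPLE_LOG.splitlines()):
        print(f"{count:5d} {ip} {host}")
```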