On Wed, 2015-10-21 at 08:51 -0700, Spam Auditor wrote:
> Sounds like the AUTH-FAIL attack, which we have seen operating on
> Windows machines, e.g. mailcracker.exe.
No attempt at auth:
<-- EHLO [2.50.185.146]
--> 250 ...
<-- MAIL FROM: <Randolph.Hensley@> BODY=7BIT
--> 553 5.1.3 <Randolph.Hensley@>... Hostname required
<-- RCPT TO:<MUNGED-ADDRESS>
--> 503 5.0.0 Need MAIL before RCPT
> > I don't know if this is possible with milter, but could you set up a block
> > rule that logs IPs for a deny afterwards?
> > I.e., sort of like a greylist but the opposite effect.
Not really worth it in this case, since the IPs are widely distributed,
and each IP only tried about 1.5 times on average.
attempts, ip address:
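An added example, not part of the original message: one way to flag the session shape shown in the transcript (MAIL refused, RCPT sent anyway, no AUTH) and tally flagged sessions per address. The transcript is constructed, the function names are hypothetical, and keying on the EHLO literal is an assumption; a real MTA log would supply the connecting address.

```python
import re
from collections import Counter

# Constructed sample in the transcript notation used above ("<--" client,
# "-->" server). Addresses are documentation ranges, not observed hosts.
BOT = ("<-- EHLO [{ip}]\n--> 250 ...\n<-- MAIL FROM: <user@> BODY=7BIT\n"
       "--> 553 5.1.3 <user@>... Hostname required\n"
       "<-- RCPT TO:<rcpt@example.org>\n--> 503 5.0.0 Need MAIL before RCPT\n")
GOOD = ("<-- EHLO [198.51.100.7]\n--> 250 ...\n<-- MAIL FROM:<a@example.net>\n"
        "--> 250 2.1.0 Sender ok\n<-- RCPT TO:<rcpt@example.org>\n"
        "--> 250 2.1.5 Recipient ok\n")
SAMPLE = (BOT.format(ip="192.0.2.10") + GOOD
          + BOT.format(ip="192.0.2.10") + BOT.format(ip="203.0.113.5"))

def sessions(text):
    """Split a transcript into (client, [(verb, reply_code), ...]) per EHLO/HELO."""
    out, pending = [], None
    for line in text.splitlines():
        if line.startswith("<-- ") and line[4:].strip():
            verb = line[4:].split(None, 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                m = re.search(r"\[([0-9A-Fa-f.:]+)\]", line)
                out.append((m.group(1) if m else "unknown", []))
            pending = verb
        elif line.startswith("--> ") and pending and out:
            code = line[4:7]
            out[-1][1].append((pending, int(code) if code.isdigit() else 0))
            pending = None  # later lines of a multi-line reply are ignored
    return out

def ignores_rejection(steps):
    """True if MAIL was refused, RCPT was sent anyway (503), and AUTH never tried."""
    if any(verb == "AUTH" for verb, _ in steps):
        return False
    mail_refused = False
    for verb, code in steps:
        if verb == "MAIL":
            mail_refused = code >= 500
        elif verb == "RCPT" and code == 503 and mail_refused:
            return True
    return False

def tally(text):
    """Flagged sessions per client address, plus the mean per address."""
    hits = Counter(ip for ip, steps in sessions(text) if ignores_rejection(steps))
    return hits, (sum(hits.values()) / len(hits) if hits else 0.0)

if __name__ == "__main__":
    print(tally(SAMPLE))
```

The per-session check fires on the first connection from an address, so it does not depend on any one address repeating.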