Not just those ranges... 40.97.117.181

EHLO MWHPR01MB2336.prod.exchangelabs.com

Strange that it is on Port 25, and not the submission port..
Uses STARTTLS..

AUTH, then QUIT..

Rather than blocking the IP(s) you could block connections from that EHLO to port 25..

But of course, the question is 'why'..
I could see it if it was IMAP, but polling SMTP ports is very unusual..

grep prod.exchangelabs.com mail.info | wc -l
27610

That's a lot for two hours on a single server..


On 18-02-09 08:18 AM, Scott Undercofler wrote:
On both systems I run, I would definitely call it extreme. To the point that I 
am about to block the 12+ ranges the traffic is coming from. We had a 10-fold 
increase in auths the past three days.

I am unsure what's exactly being done with the auth attempts but it's not normal.


On Feb 9, 2018, at 8:59 AM, Brotman, Alexander <alexander_brot...@comcast.com> 
wrote:

Not sure if I'd call it extreme, but a marked increase beginning Feb 6th.

--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast


-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Dan Malm
Sent: Friday, February 09, 2018 3:57 AM
To: mailop@mailop.org
Subject: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs

Hi

I'm seeing an extreme amount of SMTP authentications (over 600/s) from the 
Microsoft-owned 40.101.0.0/16 range on my customer SMTP servers.
It's just auth, with valid credentials, and then it disconnects right after so 
no attempts to send any mails have been done for the vast majority of these 
connections. A small amount of valid mails are being sent from this range 
though. HELO indicates it's from outlook.com. So seems like their system for 
sending with your own domain through external servers has gone a bit haywire...

I've sent ab...@microsoft.com a mail about it, but I'm a bit curious if anyone 
else is seeing the same?

--
BR/Mvh. Dan Malm, Systems Engineer, One.com

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
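
The pattern discussed in this thread (a successful AUTH followed by QUIT with no MAIL), as an added example that is not from any poster or from their systems: it groups SMTP sessions by source /16 and counts those that authenticated but never sent mail. The log layout, session ids, client addresses other than 40.97.117.181, and the thresholds are constructed assumptions; adapt the field parsing to your MTA's real log format.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines in a hypothetical key=value layout (not a real MTA's log format).
SAMPLE_LOG = """\
Feb  9 08:00:01 mx1 smtpd: sid=a1 client=40.101.12.5 event=EHLO
Feb  9 08:00:01 mx1 smtpd: sid=a1 event=AUTH result=ok
Feb  9 08:00:01 mx1 smtpd: sid=a1 event=QUIT
Feb  9 08:00:02 mx1 smtpd: sid=a2 client=40.101.12.5 event=EHLO
Feb  9 08:00:02 mx1 smtpd: sid=a2 event=AUTH result=ok
Feb  9 08:00:02 mx1 smtpd: sid=a2 event=QUIT
Feb  9 08:00:03 mx1 smtpd: sid=a3 client=40.101.40.9 event=EHLO
Feb  9 08:00:03 mx1 smtpd: sid=a3 event=AUTH result=ok
Feb  9 08:00:04 mx1 smtpd: sid=a3 event=MAIL
Feb  9 08:00:04 mx1 smtpd: sid=a3 event=QUIT
Feb  9 08:00:05 mx1 smtpd: sid=a4 client=40.97.117.181 event=EHLO
Feb  9 08:00:05 mx1 smtpd: sid=a4 event=AUTH result=ok
Feb  9 08:00:05 mx1 smtpd: sid=a4 event=QUIT
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")

def summarize(lines, prefix=16):
    """Per source network: total sessions, and sessions that AUTHed OK but never issued MAIL."""
    sessions = {}
    for line in lines:
        f = dict(FIELD.findall(line))
        if "sid" not in f:
            continue
        s = sessions.setdefault(f["sid"], {"client": None, "auth_ok": False, "mail": False})
        s["client"] = f.get("client", s["client"])
        if f.get("event") == "AUTH" and f.get("result") == "ok":
            s["auth_ok"] = True
        elif f.get("event") == "MAIL":
            s["mail"] = True
    stats = defaultdict(lambda: {"sessions": 0, "auth_only": 0})
    for s in sessions.values():
        if s["client"] is None:  # session whose connect line fell outside the log window
            continue
        net = str(ip_network(f"{s['client']}/{prefix}", strict=False))
        stats[net]["sessions"] += 1
        stats[net]["auth_only"] += int(s["auth_ok"] and not s["mail"])
    return dict(stats)

def flag(stats, min_auth_only=2, ratio=0.5):
    """Networks where auth-only sessions are both numerous and the majority (assumed thresholds)."""
    return sorted(n for n, c in stats.items()
                  if c["auth_only"] >= min_auth_only and c["auth_only"] / c["sessions"] >= ratio)
```

On the constructed sample, `flag(summarize(SAMPLE_LOG))` reports only 40.101.0.0/16; on real traffic the thresholds need to be set against your normal auth-to-mail ratio.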
