Even worse...

For a single email account..

133 AUTH attempts per minute..

Fail2ban or something similar can also be a quick remedy, but looks like it is something to actually build a ruleset around..

On 18-02-09 08:41 AM, Michael Peddemors wrote:
Not just those ranges...

EHLO MWHPR01MB2336.prod.exchangelabs.com

Strange that it is on Port 25, and not the submission port..

AUTH, then QUIT..

Rather than blocking the IP(s) you could block connections from that EHLO to port 25..

But of course, the question is 'why'..
I could see it if it was IMAP, but polling SMTP ports is very unusual..

grep prod.exchangelabs.com mail.info | wc -l

That's a lot for two hours on a single server..

On 18-02-09 08:18 AM, Scott Undercofler wrote:
On both systems I run, I would definitely call it extreme. To the point that I am about to block the 12+ ranges the traffic is coming from. We had a 10-fold increase in auths the past three days.

I am unsure what's exactly being done with the auth attempts but it's not normal.

On Feb 9, 2018, at 8:59 AM, Brotman, Alexander <alexander_brot...@comcast.com> wrote:

Not sure if I'd call it extreme, but a marked increase beginning Feb 6th.

Alex Brotman
Sr. Engineer, Anti-Abuse

-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Dan Malm
Sent: Friday, February 09, 2018 3:57 AM
To: mailop@mailop.org
Subject: [mailop] Extreme amounts of SMTP auth from microsoft/outlook IPs


I'm seeing an extreme amount of SMTP authentications (over 600/s) from the Microsoft-owned range on my customer SMTP servers. It's just auth, with valid credentials, and then it disconnects right after so no attempts to send any mails have been done for the vast majority of these connections. A small amount of valid mails are being sent from this range though. HELO indicates it's from outlook.com. So seems like their system for sending with your own domain through external servers has gone a bit haywire...

I've sent ab...@microsoft.com a mail about it, but I'm a bit curious if anyone else is seeing the same?

BR/Mvh. Dan Malm, Systems Engineer, One.com

mailop mailing list

"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
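
The pattern reported in this thread (EHLO from a prod.exchangelabs.com host on port 25, AUTH, then QUIT with no mail sent, at rates such as 133 AUTH per minute for one account) can be measured per session and per account before building a ruleset around it. The following Python is an added example, not code from any poster in the thread; the log format, the sample lines, the account names and the threshold are constructed assumptions, so adapt the regular expression to your own MTA's log layout.

```python
import re
from collections import Counter, defaultdict

# Hypothetical one-event-per-line format: "<ISO time> <session> <port> <verb> <arg>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (EHLO|AUTH|MAIL|QUIT) (\S+)$")

def build_sample():
    """Constructed log: 133 auth-then-quit sessions in one minute plus one normal send."""
    lines = []
    for i in range(133):
        pre = f"2018-02-09T08:40:{i % 60:02d} x{i} 25"
        lines += [f"{pre} EHLO MWHPR01MB2336.prod.exchangelabs.com",
                  f"{pre} AUTH user@example.com", f"{pre} QUIT -"]
    pre = "2018-02-09T08:40:30 n1 587"
    lines += [f"{pre} EHLO client.example.net", f"{pre} AUTH other@example.com",
              f"{pre} MAIL <other@example.com>", f"{pre} QUIT -"]
    return "\n".join(lines)

def parse(log):
    """Group events by session id; lines that do not match the format are skipped."""
    sessions = defaultdict(lambda: {"port": 0, "ehlo": "", "auth": [], "mail": False})
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sid, port, verb, arg = m.groups()
        s = sessions[sid]
        s["port"] = int(port)
        if verb == "EHLO":
            s["ehlo"] = arg.lower()
        elif verb == "AUTH":
            s["auth"].append((arg.lower(), ts[:16]))  # (account, minute bucket)
        elif verb == "MAIL":
            s["mail"] = True
    return sessions

def auth_only_sessions(sessions, ehlo_suffix, port=25):
    """Sessions on `port` with a matching EHLO that authenticated but never sent mail."""
    return sorted(sid for sid, s in sessions.items()
                  if s["port"] == port and s["auth"] and not s["mail"]
                  and s["ehlo"].endswith(ehlo_suffix))

def auths_per_minute(sessions):
    """Count AUTH commands per (account, minute)."""
    return Counter(k for s in sessions.values() for k in s["auth"])

def noisy_accounts(sessions, threshold):
    """Accounts whose AUTH count in any single minute reaches `threshold`."""
    counts = auths_per_minute(sessions)
    return sorted({acct for (acct, _), n in counts.items() if n >= threshold})
```

Feeding the list from `auth_only_sessions` or `noisy_accounts` into a rate limit keyed on EHLO name and port keeps the rule narrower than blocking whole IP ranges, which is the trade-off discussed in the thread.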
