Within the last 2 weeks I've had several ISP customers in CA ask me about
enacting policy that tracks and blocks this kind of behavior. It's
something they've seen an increase of as of late and when considering the
uptick in spam coming from these same ranges, the attitude seems to be
"just block it". I've already written it up but I'm dragging my feet on
deploying because in most cases these IPs are already getting blocked by
other policies or don't have PTRs associated, so they're already getting
squeezed pretty well.


On Fri, Feb 9, 2018 at 9:52 AM, Michael Peddemors <mich...@linuxmagic.com>
wrote:

> Even worse...
>
> For a single email account..
>
> 133 AUTH attempts per minute..
>
> Fail2ban or something similar can also be a quick remedy, but looks like
> it is something to actually build a ruleset around..
>
>
> On 18-02-09 08:41 AM, Michael Peddemors wrote:
>
>> Not just those ranges... 40.97.117.181
>>
>> EHLO MWHPR01MB2336.prod.exchangelabs.com
>>
>> Strange that it is on Port 25, and not the submission port..
>> Uses STARTTLS..
>>
>> AUTH, then QUIT..
>>
>> Rather than blocking the IP(s) you could block connections from that EHLO
>> to port 25..
>>
>> But of course, the question is 'why'..
>> I could see it if it was IMAP, but polling SMTP ports is very unusual..
>>
>> grep prod.exchangelabs.com mail.info | wc -l
>> 27610
>>
>> That's a lot for two hours on a single server..
>>
>>
>> On 18-02-09 08:18 AM, Scott Undercofler wrote:
>>
>>> On both systems I run, I would definitely call it extreme. To the point
>>> that I am about to block the 12+ ranges the traffic is coming from. We had
>>> a 10-fold increase in auths over the past three days.
>>>
>>> I am unsure what exactly is being done with the auth attempts, but it's not
>>> normal.
>>>
>>>
>>> On Feb 9, 2018, at 8:59 AM, Brotman, Alexander <
>>>> alexander_brot...@comcast.com> wrote:
>>>>
>>>> Not sure if I'd call it extreme, but a marked increase beginning Feb
>>>> 6th.
>>>>
>>>> --
>>>> Alex Brotman
>>>> Sr. Engineer, Anti-Abuse
>>>> Comcast
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Dan Malm
>>>> Sent: Friday, February 09, 2018 3:57 AM
>>>> To: mailop@mailop.org
>>>> Subject: [mailop] Extreme amounts of SMTP auth from microsoft/outlook
>>>> IPs
>>>>
>>>> Hi
>>>>
>>>> I'm seeing an extreme amount of SMTP authentications (over 600/s) from
>>>> the microsoft owned 40.101.0.0/16 range on my customer SMTP servers.
>>>> It's just auth, with valid credentials, and then it disconnects right
>>>> after so no attempts to send any mails have been done for the vast majority
>>>> of these connections. A small amount of valid mails are being sent from
>>>> this range though. HELO indicates it's from outlook.com. So seems like
>>>> their system for sending with your own domain through external servers has
>>>> gone a bit haywire...
>>>>
>>>> I've sent ab...@microsoft.com a mail about it, but I'm a bit curious
>>>> if anyone else is seeing the same?
>>>>
>>>> --
>>>> BR/Mvh. Dan Malm, Systems Engineer, One.com
>>>>
>>>> _______________________________________________
>>>> mailop mailing list
>>>> mailop@mailop.org
>>>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> ------------------------------------------------------------------------
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
>
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.
>
>
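One way to pick the "AUTH, then QUIT" sessions described in the thread out of Postfix logs and rate them per client IP and per /16, as an added example that is not from the thread or from any of the posters. It assumes Postfix 3.x-style smtpd "disconnect" lines carrying per-command counts (auth=N, or auth=successes/attempts); the log lines, hostnames and the 40.101.10.x addresses below are constructed, and the per-minute threshold is a placeholder to tune against your own traffic. The point worth noting is that these sessions authenticate successfully, so a fail2ban rule keyed on failed logins never fires; the detector has to look at sessions that succeed at AUTH and then leave without issuing MAIL.

```python
"""Flag SMTP sessions that authenticate, never send MAIL, and QUIT.

Added example; works on Postfix 3.x smtpd "disconnect" lines, which log a
count per command (e.g. "auth=1" or "auth=0/3" = 0 successes / 3 attempts).
Check the regex against your own mail.info before relying on it.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: hostnames and 40.101.10.x addresses are made up,
# 40.101.0.0/16 is the range named in the thread. Seven sessions, one minute
# boundary, one session that actually sent mail, one with only failed AUTHs.
SAMPLE_LOG = """\
Feb  9 08:41:01 mx1 postfix/smtpd[1234]: disconnect from mail-a.outbound.example[40.101.10.20] ehlo=1 starttls=1 auth=1 quit=1 commands=4
Feb  9 08:41:02 mx1 postfix/smtpd[1235]: disconnect from mail-a.outbound.example[40.101.10.20] ehlo=1 starttls=1 auth=1 quit=1 commands=4
Feb  9 08:41:02 mx1 postfix/smtpd[1236]: disconnect from unknown[40.101.10.21] ehlo=1 starttls=1 auth=1 quit=1 commands=4
Feb  9 08:41:03 mx1 postfix/smtpd[1237]: disconnect from unknown[40.101.10.21] ehlo=1 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb  9 08:41:03 mx1 postfix/smtpd[1238]: disconnect from unknown[40.101.10.21] ehlo=1 starttls=1 auth=0/3 quit=1 commands=4/6
Feb  9 08:41:04 mx1 postfix/smtpd[1239]: disconnect from laptop.example.net[198.51.100.7] ehlo=1 starttls=1 auth=1 mail=1 rcpt=2 data=1 quit=1 commands=7
Feb  9 08:42:10 mx1 postfix/smtpd[1240]: disconnect from unknown[40.101.10.22] ehlo=1 starttls=1 auth=1 quit=1 commands=4
"""

# Syslog timestamp without year; "minute" keeps everything up to the minute so
# sessions can be bucketed per client IP per minute.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\] (?P<counts>.+)$"
)


def parse_counts(text):
    """'ehlo=1 auth=0/3 commands=4/6' -> {'ehlo': (1, 1), 'auth': (0, 3), ...}.

    First number is successful commands; second (if present) is attempts.
    """
    counts = {}
    for token in text.split():
        name, _, value = token.partition("=")
        ok, _, total = value.partition("/")
        counts[name] = (int(ok), int(total) if total else int(ok))
    return counts


def parse_disconnect(line):
    """Return a session dict for a disconnect line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"minute": m["minute"], "host": m["host"], "ip": m["ip"],
            "counts": parse_counts(m["counts"])}


def is_auth_then_quit(session):
    """True for a session that authenticated, never attempted MAIL, and QUIT."""
    c = session["counts"]
    auth_ok = c.get("auth", (0, 0))[0]
    mail_attempts = c.get("mail", (0, 0))[1]
    quit_ok = c.get("quit", (0, 0))[0]
    return auth_ok >= 1 and mail_attempts == 0 and quit_ok >= 1


def aggregate_prefix(ip, v4_prefix=16):
    """Collapse an address to its /16 (IPv4) so a whole range can be eyeballed."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def analyze(log_text, per_minute_threshold):
    """Count auth-then-quit sessions per IP, per IP-minute and per /16.

    'flagged' lists IPs that hit the threshold in any single minute; the
    threshold is a placeholder, not a recommended value.
    """
    per_ip, per_ip_minute, per_prefix = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        s = parse_disconnect(line)
        if s is None or not is_auth_then_quit(s):
            continue
        per_ip[s["ip"]] += 1
        per_ip_minute[(s["ip"], s["minute"])] += 1
        per_prefix[aggregate_prefix(s["ip"])] += 1
    flagged = sorted({ip for (ip, _), n in per_ip_minute.items()
                      if n >= per_minute_threshold})
    return {"per_ip": per_ip, "per_prefix": per_prefix, "flagged": flagged}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, per_minute_threshold=2)
    for ip, n in result["per_ip"].most_common():
        print(f"{ip:>16}  auth-then-quit sessions: {n}")
    for net, n in result["per_prefix"].most_common():
        print(f"{net:>16}  total: {n}")
    print("over threshold in some minute:", result["flagged"])
```

Feeding real logs means replacing SAMPLE_LOG with the file contents; the disconnect line does not carry the EHLO name, so blocking on the EHLO string as suggested in the thread needs a separate log source, and per-account rates (the 133 AUTH/min figure) need the SASL backend's own logs rather than these lines.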