Hi Thomas,

On 22/03/2020 09:03, Thomas Walter via mailop wrote:
> I got the same email with some of our local accounts and aliases. Interestingly enough it included the same IP address 185.234.219.89.
That will happen, one IP usually goes absolutely crazy and sends most of the traffic, other times we'll see this distributed over a lot of different IPs.
> Checking my logs I have multiple failed logins from the address including the accounts they listed, but some more too.
We won't always report everything, we're only reporting accounts that we haven't seen before in the last 31 days (to avoid too much unnecessary noise). So we might have already seen those accounts or they came in after that day's report was generated.
> I wonder what kind of "Spamtraps" they use and why the attacker uses our local accounts to fall into those?
I'm sure you'll understand that I can't really say on a public forum how we do this. Catch me at a M3AAWG or other event and I'll give you more details.
Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop