Not that specific pattern ;)

But definitely, AWS waters are getting dirtier and dirtier...

There are several email validator services, AUTH attackers, and dictionary attacks coming from the IP space; they quickly get added to RBLs, since there isn't much use reporting them if there is no motivation to prevent it or to remove the actor in a timely manner.

Of course (you didn't mention what ports they were trying), in this particular case you could simply block by the naming convention if the attack is to port 25.

No real email server should have a generic PTR; you can probably treat it like you would any other dynamic range or dynamic naming convention.

On 2021-08-26 11:45 a.m., Mary via mailop wrote:

We've noticed an increase of email scans from AWS IP addresses; they seem to be testing for variations of the same email:

ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1 <foo-bar@domain>
ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1 <foobar@domain>
ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1 <foo@domain>
ec2-18-215-245-250.compute-1.amazonaws.com[18.215.245.250]: 550 5.1.1 <fb@domain>
ec2-34-207-218-228.compute-1.amazonaws.com[34.207.218.228]: 550 5.1.1 <foo.bar@domain>
ec2-34-207-218-228.compute-1.amazonaws.com[34.207.218.228]: 550 5.1.1 <foo_bar@domain>
ec2-34-207-218-228.compute-1.amazonaws.com[34.207.218.228]: 550 5.1.1 <foo.b@domain>
ec2-54-145-213-229.compute-1.amazonaws.com[54.145.213.229]: 550 5.1.1 <bar@domain>
ec2-54-145-213-229.compute-1.amazonaws.com[54.145.213.229]: 550 5.1.1 <f-b@domain>
ec2-54-145-213-229.compute-1.amazonaws.com[54.145.213.229]: 550 5.1.1 <bar-foo@domain>

Anyone seen this before?

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
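
An added example, not part of the thread or written by its participants: a log check that pools 550 5.1.1 rejects by generic PTR naming convention, so a scan spread thinly over several hosts is still detected. The function names, the threshold and the sample lines (RFC 5737 documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Reject lines in the shape quoted in this thread: "ptr[ip]: 550 5.1.1 <rcpt>".
REJECT = re.compile(
    r"^(?P<ptr>[\w.-]+)\[(?P<ip>[\d.]+)\]:\s+550 5\.1\.1\s+<(?P<rcpt>[^>]+)>")

# Generic EC2-style reverse DNS with the IP embedded in the hostname
# (assumed pattern, modelled on the hostnames in the quoted log).
GENERIC_PTR = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.(?P<zone>[\w.-]*amazonaws\.com)$")

# Constructed sample: three generic-PTR hosts with two probes each, plus one
# ordinary mail server that simply mistyped a recipient.
SAMPLE = """\
ec2-192-0-2-10.compute-1.amazonaws.com[192.0.2.10]: 550 5.1.1 <foo-bar@domain>
ec2-192-0-2-10.compute-1.amazonaws.com[192.0.2.10]: 550 5.1.1 <foobar@domain>
ec2-192-0-2-11.compute-1.amazonaws.com[192.0.2.11]: 550 5.1.1 <foo.bar@domain>
ec2-192-0-2-11.compute-1.amazonaws.com[192.0.2.11]: 550 5.1.1 <foo_bar@domain>
ec2-192-0-2-12.compute-1.amazonaws.com[192.0.2.12]: 550 5.1.1 <f-b@domain>
ec2-192-0-2-12.compute-1.amazonaws.com[192.0.2.12]: 550 5.1.1 <bar-foo@domain>
mx1.example.org[198.51.100.7]: 550 5.1.1 <typo@domain>
""".splitlines()


def is_generic_ptr(ptr, ip):
    """True when the PTR follows the ec2-a-b-c-d naming and encodes this IP."""
    m = GENERIC_PTR.match(ptr.lower())
    return bool(m) and ".".join(m.groups()[:4]) == ip


def find_scanners(lines, min_rcpts=5):
    """Return {ptr_zone: [ips]} for zones whose generic-PTR hosts together
    probed at least min_rcpts distinct unknown recipients."""
    rcpts, ips = defaultdict(set), defaultdict(set)
    for line in lines:
        m = REJECT.match(line.strip())
        if not m or not is_generic_ptr(m["ptr"], m["ip"]):
            continue  # named mail servers and unparsable lines are ignored
        zone = m["ptr"].lower().split(".", 1)[1]
        rcpts[zone].add(m["rcpt"].lower())
        ips[zone].add(m["ip"])
    return {z: sorted(ips[z]) for z in rcpts if len(rcpts[z]) >= min_rcpts}


if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

No single host in the sample reaches the threshold on its own, which is why the count is keyed on the naming convention rather than on the IP.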