Nothing to see here folks.. let's move along..
Well, to be truthful you asked for advice.. so .. first of all, this
appears to be standard botnet activity, probably from compromised IoT
and CPE equipment.. there are many similar attempts, eg if it was from
Chinese telecoms, a lot is actually compromised old versions of Windows,
or even some threat actors that try to hide in the noise..
And for the most part, that's all it is..
But of course.. there is SO much you didn't include in your reports..
Were they logging in with full email address or just username?
What port did they attempt? How many attempts by each IP?
There are many ways to 'reduce' the noise, IP reputation, country
blocking, what you are really looking for is if they are serious threats
to your customers or not, or are they just wasting overhead and performance?
(stopping to read other responses)
Okay.. so for the record, it is a multi-pronged approach.
Nothing you can really do when it comes to dynamic addresses, if it is
maybe something a legit customer might use two minutes later, so careful
on too much fail2ban approaches..
But some things that can help..
* Only allow authentication on port 465/587
* Always require SSL/TLS
* Turn off any legacy protocols (eg 110/143 unencrypted)
* Auth Rate Limiters
* Auth Country Restrictions (If you know your users are NEVER in that
country)
* If none of your customers ever travel to China, using
RATS-CHINATELECOM as an ipset rule really lowers the noise volume..
* Implement password policies that ensure the most common 400 passwords
are never used..
You are always going to get 'noise', you should see how much you can get
just from comcast (or any other ISP that is local to you)..
But usually all that bot traffic, is looking for the REALLY stupid..
with millions of bots, even that works sometimes, at no cost..
Typically IoT bots aren't going to be your real threat, except for noise
that can obscure real threats.. Even some of the biggest bots, that DO
find weak passwords, or password re-use from compromised data breaches,
hand off to a more sinister network..
And those are usually in the cloud, and not on dynamic IP ranges..
There are many more techniques.. sometimes rather than trying to deal
with it all yourself, you 'might' want to consider commercial software
for email and email protection..
Could go on and on and on.. The world is getting to be a crazy unsafe
place.. You should see how many IPs in AWS/Google/Azure are used for
email auth attacks.. and don't get me started on other cloud providers,
*Digital Ocean*, *Tencent* .. any place a person can rent an IP by the
minute, is bound to be filled with criminals as well..
And of course, some things only work at scale, and some things never work
at scale.. depends on whether you have 50 users or 50,000 users..
But in truth? It's almost all annoying noise.. IF your customers all use
reasonable best practices..
* Never send passwords unencrypted
* Never easy to use passwords (can you believe it, some companies still
allow 1 char passwords)
* Never re-use passwords..
Of course, it's end users.. they are still going to click on links, that
allow someone to harvest the password, they are still going to fall for
phishing, but those bots that are hitting you aren't those guys, they
only need to test once, and then go to town..
But in the end, the ONLY really good way is to use a multi-factor
approach.. Just wish more email software and clients supported
something that is easy and transparent ;)
But even then, your logs will always be filled with noise you can't
safely block..
Now time for din din..
On 2024-10-21 08:46, Geoff Mulligan via mailop wrote:
Maybe I'm just now more observant, but I've seen a huge increase in
bunches of systems trying to brute force an SASL login.
Here is a list of IPs that have tried in just the last hour:
I wrote a script to check my mail log and block the IPs.
What do you all do?
Geoff
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
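The reply above asks what the original report left out (username vs. full address, which port, attempts per IP) and warns against blocking dynamic addresses too eagerly. As an added illustration that is not part of either message in the thread, here is a small log summariser answering those questions. It assumes Postfix-style SASL failure warnings with a `sasl_username=` field (not all versions or configurations log that field) and a `submission/smtpd` syslog name for port 587; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Postfix-like format (not from the original post).
# Presence of "sasl_username=" and the "submission/smtpd" syslog name are assumptions.
SAMPLE_LOG = """\
Oct 21 08:01:02 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin
Oct 21 08:01:03 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=test
Oct 21 08:01:05 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info
Oct 21 08:02:10 mx postfix/submission/smtpd[202]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.net
Oct 21 08:02:11 mx postfix/submission/smtpd[202]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice@example.net
Oct 21 08:03:00 mx postfix/smtpd[103]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=root
"""

LINE_RE = re.compile(
    r"postfix/(?P<service>submission/smtpd|smtps/smtpd|smtpd)\[\d+\]: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed"
    r"(?:.*?sasl_username=(?P<user>\S+))?"
)

def summarize(log_text, threshold=3):
    """Per-IP summary: attempts, services hit, distinct usernames, full-address use."""
    stats = defaultdict(lambda: {"attempts": 0, "services": set(), "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["services"].add(m["service"])
        if m["user"]:
            s["users"].add(m["user"])
    result = {}
    for ip, s in stats.items():
        result[ip] = {
            "attempts": s["attempts"],
            "services": sorted(s["services"]),
            "distinct_users": len(s["users"]),
            "full_address": any("@" in u for u in s["users"]),
            # Auth hitting the plain "smtpd" (port 25) service rather than submission.
            "auth_on_mx_port": "smtpd" in s["services"],
            # Many different generic usernames from one IP looks like spraying;
            # one real address repeated may be a customer with a stale password,
            # so only the former is flagged, and only for a temporary block.
            "candidate_for_temp_block": s["attempts"] >= threshold and len(s["users"]) > 1,
        }
    return result

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```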