On Mon 21/Oct/2024 17:46:14 +0200 Geoff Mulligan via mailop wrote:
> Maybe I'm just now more observant, but I've seen a huge increase in bunches of
> systems trying to brute force an SASL login.
> Here is a list of IPs that have tried in just the last hour:
> [...]
> 87.120.84.58
> [...]
> I wrote a script to check my mail log and block the IPs.
> What do you all do?

Maybe not all the IPs you listed are miscreants. Some might be weak hosts
infested by bots. The one I quoted, for example, is not tagged as 100% abusive
by AbuseIPDB.

Is it worth sending a complaint to their ISP? In some cases, I found people
unaware of how bots used their IP, unable to find the reported TCP
connection in their firewall's log. Either they eventually close their hole or
the ISP closes their contract, for good ISPs that is.

Besides complaining, I block them slightly, because they could be legitimate
users trying to log in from an unusual IP. Blocking hardens on each bad
password but decreases as time passes.

Best
Ale
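
The "hardens on each bad password but decreases as time passes" policy from the reply above, as an added example that is not part of the original message and not the poster's script. It assumes exponential decay, a 30-minute half-life, a block threshold of 3, and a Postfix-style log line; the class and function names and the sample lines are constructed for illustration.

```python
import math
import re
from datetime import datetime

# Assumed Postfix-style line with ISO timestamps; the thread names no MTA or log format.
FAILED = re.compile(r"^(\S+) \S+ postfix/smtpd\[\d+\]: warning: [^\[\s]+"
                    r"\[([0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

class DecayingBlocklist:
    """Per-IP penalty: +1 per bad password, halves every `half_life` seconds."""
    def __init__(self, half_life=1800.0, block_at=3.0):  # assumed tuning values
        self.rate = math.log(2) / half_life
        self.block_at = block_at
        self.state = {}  # ip -> (score, time of last failure)

    def score(self, ip, now):
        """Score decayed to `now`, without recording a new failure."""
        s, t = self.state.get(ip, (0.0, now))
        return s * math.exp(-self.rate * max(0.0, now - t))

    def failure(self, ip, now):
        """Record one bad password: decay the old score, then add 1."""
        self.state[ip] = (self.score(ip, now) + 1.0, now)
        return self.state[ip][0]

    def blocked(self, ip, now):
        return self.score(ip, now) >= self.block_at

    def unblock_in(self, ip, now):
        """Seconds until the score falls below the threshold (0 if not blocked)."""
        s = self.score(ip, now)
        return math.log(s / self.block_at) / self.rate if s >= self.block_at else 0.0

def feed(blocklist, lines):
    """Apply each failed-SASL line to the blocklist; return the last failure time."""
    last = None
    for line in lines:
        m = FAILED.match(line)
        if m:
            last = datetime.fromisoformat(m.group(1)).timestamp()
            blocklist.failure(m.group(2), last)
    return last

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE = [f"2024-10-21T{t}+02:00 mx1 postfix/smtpd[2211]: warning: unknown[{ip}]: "
          "SASL LOGIN authentication failed: (reason elided)"
          for t, ip in [("17:00:00", "203.0.113.7"), ("17:00:05", "198.51.100.20"),
                        ("17:00:10", "203.0.113.7"), ("17:00:20", "203.0.113.7"),
                        ("17:00:30", "203.0.113.7"), ("17:40:05", "198.51.100.20")]]
```

In the sample, the address that fails four times in 30 seconds crosses the threshold and stays blocked for roughly twelve minutes, while the address that mistypes twice 40 minutes apart never does.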