Nice find. While bad networks are a dime a dozen, their events mostly
stay off my radar and get handled by automation. We clocked just shy
of 171,000 connection attempts from their ranges in the last 30 days.
Couldn't find a useful item among them. Mostly brute force login
attempts over SMTP to usernames with just a local part, so basically
just spinning wheels to watch them spin.
On 2026-06-02 12:00, Randolf Richardson, Postmaster via mailop wrote:
Thanks Michael.
I'm upgrading my recommendation to blocking 158.94.208/22, unless
you've got counter-measures, honeypots, etc., in place that can
competently process their hacking attempts...
What I'm seeing in my logs from just one of our mail servers over
the past week:
158.94.208/24: Approximately 2,500 failures; 0 successes
158.94.209/24: Approximately 21,000 failures; 0 successes
158.94.208/24: Approximately 2,500 failures; 0 successes
158.94.208/24: Approximately 20,000 failures; 0 successes
Attempts are mostly SMTP traffic using TCP ports 25 and 465, with a
small percentage of connection attempts that are IMAP4 traffic using
TCP ports 143 and 993 (which is inappropriate for all of our MXs).
They're attempting a wide variety of account names and passwords
which don't even exist on our systems, plus there are other red flags
including declaring themselves with single-digit EHLO hostnames (that
don't resolve, for obvious reasons).
All four of these /24s are owned by OMEGATECH, and fit nicely into
a /22 for easier firewalling.
Important note: Adjacent netblocks are registered to other
organizations (US Steel in Israel, and Cloudflare in the USA) that
are showing zero connections to any of our mail servers, and which
seem reputable to me, so I also recommend not adding blocking of the
neighbours if your logs also don't reveal nefarious activities.
(I may have some fun with them this weekend before I eventually add
their /22 to my permanent block-and-forget blacklist.)
+1
Name: OMEGATECH
Country: Netherlands
CIDRs: 158.94.210.0/24
Parent: 158.94.208.0 - 158.94.211.255
Registrant(s):
- Name: Abuse Contact (CA12141-RIPE)
Address: [email protected]
- Name: lir-tr-mgn-1-MNT (lir-tr-mgn-1-MNT)
Address:
- Name: Omegatech LTD (ORG-OL329-RIPE)
Address: HOUSE OF FRANCIS ROOM 303, ILE DU PORT, MAHE,
SEYCHELLES
On 2026-06-02 08:13, Randolf Richardson, Postmaster via mailop wrote:
>> On 02.06.26 at 12:07, Alessandro Vesely via mailop wrote:
>>> On 02/06/2026 08:56, Benoit Panizzon via mailop wrote:
>>>> From: DH Lieferung Kundenbetreuung<[email protected]>
>>>> To: panizzon@*
>>>> Message-ID:<[email protected]>
>>>> X-Mailer: Python SMTP Client
>>>>
>>>> inetnum: 158.94.210.0 - 158.94.210.255
>>>> netname: OMEGATECH
>>>> country: NL
>>>
>>> You don't seem to be the only victim: AbuseIPDB says:
>>>
>>>
>>> *158.94.210.98* <https://www.abuseipdb.com/check/158.94.210.98> was found in our database!
>>>
>>> This IP was reported *130* times. Confidence of Abuse is *100%*:
>>>
>> That /24 range seems to be rented out to a spamming/scamming operation using victim addresses for both sender and recipient:
>>
>> Jun 1 14:02:53 localhost postfix/smtpd[3568196]: NOQUEUE: reject: RCPT from unknown[158.94.210.212]: 450 4.7.25 Client host rejected: cannot find your hostname, [158.94.210.212]; from=<info@*domain*.de> to=<info@*domain*.de> proto=ESMTP helo=<[158.94.210.212]>
>>
>> I've seen this pattern (sender address = recipient) mostly with sextortion or fake security breach attempts, so it may be possible that those hosts are compromised and the actual miscreant is sitting elsewhere.
>>
>> From my spam blocking database, I see that I labeled 158.94.208.0/22 as spamming, as well as AS214943 which it was apparently part of at some time. No reported false positives yet.
>
> I just grepped the logs from a few of our busier mail servers, and
> various IP addresses from that /24 have been trying to hack into
> various user accounts since as far back as 2026-May-24 (possibly
> earlier too, but I didn't bother to check).
>
> Mostly they're trying to figure out SMTP passwords, and a few
> attempts at IMAP4 are also showing up.
>
> 158.94.210/24 is bad news. I recommend blocking the whole /24
> without counter-measures in place.
>
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices
Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
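Added example (my own code, not posted by anyone in this thread): a small script that applies the indicators discussed above to postfix/smtpd log lines. It counts failures and successful logins per /24, flags the sender-equals-recipient pattern and suspicious HELO names (IP literals, and any single-label name, which generalizes the "single-digit EHLO hostnames" remark), and promotes a set of hostile /24s to one /22 only when every /24 inside that /22 shows failures and no successes, so quiet neighbouring netblocks like the ones mentioned stay unblocked. The log lines, hostnames, addresses and the 203.0.113.0/24 "legitimate client" are constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample postfix/smtpd log lines (not real log data), modelled on the
# 450 "cannot find your hostname" reject quoted in the thread, plus SASL auth
# failures and one successful login from an unrelated, legitimate client.
SAMPLE_LOG = """\
Jun  1 14:02:53 mx postfix/smtpd[3568196]: NOQUEUE: reject: RCPT from unknown[158.94.210.212]: 450 4.7.25 Client host rejected: cannot find your hostname, [158.94.210.212]; from=<info@example.de> to=<info@example.de> proto=ESMTP helo=<[158.94.210.212]>
Jun  1 14:03:10 mx postfix/smtpd[3568201]: warning: unknown[158.94.209.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  1 14:03:11 mx postfix/smtpd[3568201]: warning: unknown[158.94.209.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  1 14:04:00 mx postfix/smtpd[3568205]: NOQUEUE: reject: RCPT from unknown[158.94.208.5]: 450 4.7.25 Client host rejected: cannot find your hostname, [158.94.208.5]; from=<a@example.org> to=<b@example.org> proto=ESMTP helo=<7>
Jun  1 14:05:30 mx postfix/smtpd[3568210]: warning: unknown[158.94.211.99]: SASL PLAIN authentication failed:
Jun  1 14:06:00 mx postfix/smtpd[3568212]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.10]: 450 4.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<news@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Jun  1 14:07:00 mx postfix/smtpd[3568214]: 4B2C1A0F3E: client=mail.example.net[203.0.113.10], sasl_method=LOGIN, sasl_username=alice
"""

# First "name[a.b.c.d]" on the line is the client; the smtpd[pid] token has no
# dotted quad, so it never matches.
CLIENT_RE = re.compile(r"([\w.-]+)\[(\d+(?:\.\d+){3})\]")
FROM_TO_RE = re.compile(r"from=<([^>]*)> to=<([^>]*)>")
HELO_RE = re.compile(r"helo=<([^>]*)>")
IP_LITERAL_RE = re.compile(r"\[?\d+(?:\.\d+){3}\]?")


def parse_line(line):
    """Classify one smtpd log line; return None for lines we do not score."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    if "authentication failed" in line:
        kind = "auth_fail"
    elif "NOQUEUE: reject:" in line:
        kind = "reject"
    elif "sasl_username=" in line:
        kind = "auth_success"
    else:
        return None
    flags = []
    if kind == "reject":
        ft = FROM_TO_RE.search(line)
        if ft and ft.group(1) and ft.group(1).lower() == ft.group(2).lower():
            flags.append("sender_equals_recipient")
        h = HELO_RE.search(line)
        if h:
            helo = h.group(1)
            if IP_LITERAL_RE.fullmatch(helo):
                flags.append("helo_ip_literal")
            elif "." not in helo:          # single label, e.g. helo=<7>
                flags.append("helo_bare_label")
    return {"ip": m.group(2), "kind": kind, "flags": flags}


def summarize(log_text):
    """Per-/24 counts of failures, successful logins and red-flag indicators."""
    per24 = defaultdict(lambda: {"failures": 0, "successes": 0, "flags": Counter()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        net = str(ipaddress.ip_network(ev["ip"] + "/24", strict=False))
        if ev["kind"] == "auth_success":
            per24[net]["successes"] += 1
        else:
            per24[net]["failures"] += 1
        per24[net]["flags"].update(ev["flags"])
    return dict(per24)


def recommend_blocks(per24, supernet_len=22):
    """Block a whole /22 only when every /24 in it is hostile (failures, no
    successes); otherwise list just the hostile /24s. A /24 with any successful
    login is never recommended, because real users are behind it."""
    hostile = {ipaddress.ip_network(n) for n, s in per24.items()
               if s["failures"] and not s["successes"]}
    groups = defaultdict(set)
    for net in hostile:
        groups[net.supernet(new_prefix=supernet_len)].add(net)
    result = []
    for sup, children in groups.items():
        if len(children) == 2 ** (24 - supernet_len):
            result.append(sup)
        else:
            result.extend(children)
    return [str(n) for n in sorted(result)]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for net in sorted(stats, key=lambda n: ipaddress.ip_network(n)):
        s = stats[net]
        print(f"{net}: {s['failures']} failures; {s['successes']} successes; "
              f"flags={dict(s['flags'])}")
    print("recommend blocking:", recommend_blocks(stats))
```

With the constructed input the four OMEGATECH /24s collapse to 158.94.208.0/22, while 203.0.113.0/24 is left alone because it also shows a successful login. If only three of the four /24s had appeared, the script would have listed those three individually rather than widening to the /22, which is the same caution the thread applies to the adjacent netblocks.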