On Tue, Sep 07, 2021 at 02:50:09PM -0400, Viktor Dukhovni wrote:
> inetnum: 77.247.110.0 - 77.247.110.255
> netname: PEENQ-NL-TLN-VPS-01
> country: NL
> geoloc: 52.370216 4.895168
> admin-c: PA10298-RIPE
> tech-c: PA10298-RIPE
> org: ORG-PNQ1-RIPE
> status: ASSIGNED PA
> mnt-by: MNT-PEENQ
> created: 2019-03-01T16:28:00Z
> last-modified: 2021-02-05T10:53:28Z
> source: RIPE
>
> organisation: ORG-PNQ1-RIPE
> org-name: PEENQ.NL
> org-type: OTHER
> address: Netherlands
>
> You could try reaching out to the network provider, web site says:
>
> info (at) peenq (dot) nl

Also, the reverse (PTR) zone points back to "estoxy.com":

    110.247.77.in-addr.arpa. SOA rdns1.estoxy.com. estoxy.gmail.com. 2021080901 28800 7200 604800 86400

who have an abuse reporting page at:

    https://panel.estoxy.com/submitticket.php?step=2&deptid=4

That said, SASL credential brute-force attempts use compromised botnet
nodes from all over the planet, so ultimately you're playing
whack-a-mole. Hence if any one IP address is sourcing large enough
batches of AUTH attempts, fail2ban can help cap the oracle response
rate.
--
Viktor.
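
An added illustration, not part of the original message: the per-IP sliding-window count that fail2ban's `maxretry`/`findtime` settings apply, run in Python over constructed Postfix log lines. The hostname, the addresses (documentation ranges), the thresholds and the assumed year are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs a failed AUTH as:
#   warning: host[ip]: SASL <mechanism> authentication failed: ...
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10), year=2021):
    """Map each IP to the time its maxretry-th failure landed inside findtime."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def log_line(t, ip):
    """Format one constructed Postfix failure line."""
    return (f"{t:%b} {t.day:2d} {t:%H:%M:%S} mail postfix/smtpd[4242]: warning: "
            f"unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")

def sample_log():
    """Constructed input: one noisy source, twenty one-shot sources."""
    t0 = datetime(2021, 9, 7, 14, 0, 0)
    events = [(t0 + timedelta(seconds=20 * i), "192.0.2.10") for i in range(8)]
    events += [(t0 + timedelta(seconds=15 * i), f"198.51.100.{i + 1}") for i in range(20)]
    return [log_line(t, ip) for t, ip in sorted(events)]

if __name__ == "__main__":
    for ip, when in offenders(sample_log()).items():
        print(f"ban {ip} at {when}")
```

Only the single noisy address crosses the threshold; the twenty one-attempt sources never do, which is the whack-a-mole limit described above.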