On Tue, Sep 07, 2021 at 02:50:09PM -0400, Viktor Dukhovni wrote:

> inetnum: 77.247.110.0 - 77.247.110.255
> netname: PEENQ-NL-TLN-VPS-01
> country: NL
> geoloc: 52.370216 4.895168
> admin-c: PA10298-RIPE
> tech-c: PA10298-RIPE
> org: ORG-PNQ1-RIPE
> status: ASSIGNED PA
> mnt-by: MNT-PEENQ
> created: 2019-03-01T16:28:00Z
> last-modified: 2021-02-05T10:53:28Z
> source: RIPE
>
> organisation: ORG-PNQ1-RIPE
> org-name: PEENQ.NL
> org-type: OTHER
> address: Netherlands
>
> You could try reaching out to the network provider, web site says:
>
> info (at) peenq (dot) nl

Also, the reverse (PTR) zone points back to "estoxy.com":

    110.247.77.in-addr.arpa. SOA rdns1.estoxy.com. estoxy.gmail.com. 2021080901 28800 7200 604800 86400

who have an abuse reporting page at:

    https://panel.estoxy.com/submitticket.php?step=2&deptid=4

That said, SASL credential brute-force attempts use compromised botnet
nodes from all over the planet, so ultimately you're playing
whack-a-mole. Hence if any one IP address is sourcing large enough
batches of AUTH attempts, fail2ban can help cap the oracle response
rate.

-- 
    Viktor.
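
Added example, not part of the original message: a sketch of the per-IP sliding-window count that a fail2ban-style rate cap applies to Postfix SASL failure warnings, run over constructed log lines to show which sources such a cap catches and which it misses. The function names, thresholds, hostname and addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd warning for a failed SASL attempt (syslog format, no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def find_offenders(lines, maxretry=5, findtime=600, year=2021):
    """Return {ip: time the threshold was first crossed} for sources with
    at least `maxretry` failures inside any `findtime`-second window.
    Assumes each source's lines arrive in chronological order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

def sample_log():
    """Constructed log lines (documentation address ranges, not real data)."""
    fmt = ("Sep  7 14:{:02d}:{:02d} mail postfix/smtpd[4242]: warning: "
           "unknown[{}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")
    noisy = [fmt.format(0, s, "192.0.2.10") for s in range(0, 60, 10)]   # 6 in 1 min
    slow = [fmt.format(m, 0, "198.51.100.7") for m in range(0, 60, 12)]  # 5 in 48 min
    spread = [fmt.format(5, i, f"203.0.113.{i}") for i in range(1, 9)]   # 1 each, 8 IPs
    other = ["Sep  7 14:06:00 mail postfix/smtpd[4242]: connect from unknown[192.0.2.10]"]
    return noisy + slow + spread + other

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

Only the single noisy source crosses the threshold; the slow source and the eight one-shot sources stay under any per-IP cap, which is the whack-a-mole limit described in the message.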