At 6:52 AM -0800 1/21/08, Alan Summerfield wrote:
> Hi,
> it's a few years since I had anything to do with the SIMS mailing list
> but it's good to see that it's still active.
> I'm back as I have a problem with a "client" at 71.140.125.37 who has,
> since last night, been trying to get into the accounts by going through
> hundreds of username/password combinations. Here's a log extract:
> 11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
> 11:14:21 1 POP {consult} is not open: password(eagle) is wrong.
> Connection from [71.140.125.37:14341]
> I've put 71.140.125.37 in the "Blacklisted Addresses" of the SMTP control
> panel, to no effect.
> What else can I do? Usernames beginning with "C" are being tried at the
> moment and I suspect it won't stop until it's reached "Z"...
The best way to stop the probing is to do it as David said: outside
of SIMS, at the network level. That IP is being used by a bad actor,
and since 71.140.125.32-71.140.125.39 (a /29 subnet) seems to be
statically assigned you should have no problem with collateral damage
unless you really have a reason to serve the legitimate users of
that address space. If you really DO have such a need, you probably
also have a means of contact to provide a little education to the
bozos responsible for the apparent compromise of the misbehaving
address.
You can obviously also change your client and blacklist IP lists to
change how SIMS deals with the prober and limits your risk of
compromise, but that does not address the denial of service risk,
which is a very real one with SIMS. There's no innocent explanation
for the behavior you describe: the IP in question is being used by
someone who is unconcerned with avoiding detection or damage. You
should protect yourself.
--
Bill Cole
[EMAIL PROTECTED]
#############################################################
This message is sent to you because you are subscribed to
the mailing list <SIMS@mail.stalker.com>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
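The pattern in the thread (one source address walking the username list, a handful of seconds apart) is easy to pick out of the SIMS log mechanically, and Bill's /29 observation is just the network containing the offending address. The following Python is an added example, not code from the thread or from Stalker; it parses a constructed sample in the layout of the quoted log extract, counts failed POP logins per source IP, separates "many usernames from one IP" (enumeration) from "many failures on one user" (a forgotten password), computes the covering /29, and renders the result as a border-firewall rule. The pf rule syntax and POP on port 110 are assumptions; the sample addresses and usernames are constructed. The guessed password that SIMS writes into each line is matched but never captured, since these logs carry cleartext password guesses and should not be forwarded unredacted.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the SIMS log extract quoted in the
# thread (not real log data): one source trying many usernames in turn,
# plus a legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
11:14:21 1 POP {consult} is not open: password(eagle) is wrong.
Connection from [71.140.125.37:14341]
11:14:23 1 POP {conway} is not open: password(falcon) is wrong.
Connection from [71.140.125.37:14342]
11:14:25 1 POP {cooper} is not open: password(hawk) is wrong.
Connection from [71.140.125.37:14343]
11:14:26 1 POP {carol} is not open: password(robin) is wrong.
Connection from [71.140.125.37:14344]
11:15:02 1 POP {alice} is not open: password(wren) is wrong.
Connection from [198.51.100.7:50211]
11:15:40 1 POP {alice} opened. Connection from [198.51.100.7:50212]
"""

# The password(...) field is matched but deliberately not captured: SIMS
# logs the guessed password in clear text, so keep it out of any report.
# "\s*" lets the "Connection from" part sit on the same or the next line.
FAILURE_RE = re.compile(
    r"POP \{(?P<user>[^}]+)\} is not open: password\([^)]*\) is wrong\."
    r"\s*Connection from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\]"
)


def parse_failures(log_text):
    """Return (username, source_ip) pairs for every failed POP login."""
    return [(m.group("user"), m.group("ip")) for m in FAILURE_RE.finditer(log_text)]


def count_failures_by_ip(log_text):
    """Failed logins per source address."""
    return Counter(ip for _, ip in parse_failures(log_text))


def flag_brute_force(log_text, threshold=10):
    """Sources with at least `threshold` failures, with the number of distinct
    usernames each tried. Many usernames from one IP is the enumeration seen
    in the thread; many failures on one username looks more like a user who
    forgot a password."""
    users_by_ip = defaultdict(set)
    for user, ip in parse_failures(log_text):
        users_by_ip[ip].add(user)
    return {
        ip: {"attempts": n, "distinct_users": len(users_by_ip[ip])}
        for ip, n in count_failures_by_ip(log_text).items()
        if n >= threshold
    }


def covering_network(ip, prefixlen=29):
    """The /29 containing ip, e.g. 71.140.125.37 -> 71.140.125.32/29."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def is_blocked(ip, blocklist):
    """True if ip falls inside any CIDR in blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in blocklist)


def pf_rule(net, port=110):
    """One possible border-firewall rule (pf syntax and POP on port 110 are
    assumptions); the point is to drop the source before it reaches SIMS."""
    return f"block in quick proto tcp from {net} to any port {port}"


if __name__ == "__main__":
    # Threshold of 3 for the short sample; use a higher one on a real log.
    for ip, info in flag_brute_force(SAMPLE_LOG, threshold=3).items():
        net = covering_network(ip)
        print(f"{ip}: {info['attempts']} failures across "
              f"{info['distinct_users']} usernames -> {pf_rule(net)}")
```

Run against the constructed sample, the prober is flagged after four failures on four different usernames and the rule covers 71.140.125.32/29, while the single mistyped password from the legitimate user stays below the threshold. Blocking the /29 rather than the single address follows Bill's reasoning only when the block is statically assigned to one party; `is_blocked` is there to confirm which addresses a chosen CIDR actually takes out before the rule goes in.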