On November 17, 2008 at 16:47 davidnicol(_at_)gmail(_dot_)com (David Nicol)
wrote:
> I'm wondering why World doesn't script a little log watcher that
> identifies the source of dictionary attacks and drops all their packets
> at the perimeter for a few hours when they occur.
Of course we do that sort of thing, almost exactly that.
But one gets a little frustrated when it's all of earthlink's (e.g.)
servers which are being blocked most of the time.
Occasionally we've had to put in exceptions allowing them thru so the mail
customers want gets through.
Think about that: We have to put exceptions in to let their stuff
through when they are behaving at their worst and tripping these log
analyzers so much that customers are complaining.
Here is a summary right this moment on one mail server, a few seconds
sample:
Unknown Users By Host:
20 webmail-srv1.servage.net
15 bay0-omc3-s18.bay0.hotmail.com
11 host.southwestecommerce.net.au
10 mail4.ipbolaget.com
10 hpsmtp-eml16.KPNXCHANGE.COM
10 elasmtp-banded.atl.sa.earthlink.net
10 blu0-omc1-s22.blu0.hotmail.com
5 relay.esu9.k12.ne.us
I'm not sure who southwestcommerce.net.au is but it doesn't strike me
as a spam outfit, hard to say. No idea about ipbolaget, may well be
criminals. The k12.ne.us site is probably hijacked or just an open
relay. Servage??? Probably a hijacked host on their provider network.
The others are hotmail and earthlink.
lessee what hotmail is up to...well it looks like some kind of mailing
list looping and some of the addresses closed accounts so let's save
their privacy.
Earthlink, OH YEAH, direct hit, CUT+PASTE, as always:
Nov 17 18:33:35 pcls5 sendmail[13516]: NOUSER: tracer3
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:33:38 pcls5 sendmail[13516]: NOUSER: tracer4
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:33:41 pcls5 sendmail[13516]: NOUSER: tracer5
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:33:44 pcls5 sendmail[13516]: NOUSER: tracer6
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:36:49 pcls5 sendmail[19082]: NOUSER: trans1
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:36:52 pcls5 sendmail[19082]: NOUSER: trans10
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:36:55 pcls5 sendmail[19082]: NOUSER: trans2
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:36:58 pcls5 sendmail[19082]: NOUSER: trans3
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:37:01 pcls5 sendmail[19082]: NOUSER: trans4
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:49:58 pcls5 sendmail[12900]: NOUSER: trav2
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:50:01 pcls5 sendmail[12900]: NOUSER: trav3
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:50:04 pcls5 sendmail[12900]: NOUSER: trav4
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:50:07 pcls5 sendmail[12900]: NOUSER: trav5
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:50:10 pcls5 sendmail[12900]: NOUSER: trav6
relay=elasmtp-banded.atl.sa.earthlink.net [209.86.89.70]
Nov 17 18:54:54 pcls5 sendmail[22047]: NOUSER: trader3
relay=elasmtp-kukur.atl.sa.earthlink.net [209.86.89.65]
Nov 17 18:54:57 pcls5 sendmail[22047]: NOUSER: trader4
relay=elasmtp-kukur.atl.sa.earthlink.net [209.86.89.65]
Nov 17 18:55:00 pcls5 sendmail[22047]: NOUSER: trader5
relay=elasmtp-kukur.atl.sa.earthlink.net [209.86.89.65]
Nov 17 18:55:03 pcls5 sendmail[22047]: NOUSER: trader6
relay=elasmtp-kukur.atl.sa.earthlink.net [209.86.89.65]
Nov 17 18:55:06 pcls5 sendmail[22047]: NOUSER: trader7
relay=elasmtp-kukur.atl.sa.earthlink.net [209.86.89.65]
--
-Barry Shein
The World | bzs(_at_)TheWorld(_dot_)com |
http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
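Added example, not code from The World or from anyone in the thread: a minimal version of the log watcher David asks about, run against the wrapped sendmail NOUSER lines quoted above, with Barry's provider exceptions built in as an allowlist that downgrades "block" to "review" so a burst from earthlink or hotmail is flagged for a human instead of having its packets dropped. The mail.example.net relay (192.0.2.10), the three-rejection threshold and the 60-second window are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample: the earthlink entries are copied from the post, wrapped before
# "relay=" as the mail shows them; mail.example.net (192.0.2.10) is made up for contrast.
SAMPLE_LOG = """\
Nov 17 18:33:35 pcls5 sendmail[13516]: NOUSER: tracer3
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:33:38 pcls5 sendmail[13516]: NOUSER: tracer4
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:33:41 pcls5 sendmail[13516]: NOUSER: tracer5
relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
Nov 17 18:40:00 pcls5 sendmail[20001]: NOUSER: aaron
relay=mail.example.net [192.0.2.10]
Nov 17 18:40:03 pcls5 sendmail[20001]: NOUSER: abbey
relay=mail.example.net [192.0.2.10]
Nov 17 18:40:06 pcls5 sendmail[20001]: NOUSER: abbot
relay=mail.example.net [192.0.2.10]
"""
# \s+ before "relay=" also absorbs the line wrap, so wrapped and unwrapped entries parse alike.
NOUSER_RE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                       r"NOUSER: (\S+)\s+relay=(\S+) \[([\d.]+)\]")
# Providers whose mail customers still want: flag for a human, never auto-block.
EXCEPTIONS = ("earthlink.net", "hotmail.com")

def parse_nouser(log):
    """Yield (timestamp, user, relay host, relay ip) for each NOUSER entry."""
    for m in NOUSER_RE.finditer(log):
        yield (datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
               m.group(2), m.group(3), m.group(4))

def unknown_users_by_host(log):
    """The post's 'Unknown Users By Host' summary: rejections per relay host."""
    return Counter(relay for _, _, relay, _ in parse_nouser(log))

def burst_sources(log, threshold=3, window_s=60):
    """Relays with >= threshold unknown-user rejections inside window_s seconds."""
    stamps = defaultdict(list)
    for ts, _, relay, ip in parse_nouser(log):
        stamps[(relay, ip)].append(ts)
    hits = set()
    for key, times in stamps.items():
        times.sort()  # sliding window of `threshold` consecutive rejections
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            hits.add(key)
    return hits

def decide(sources, exceptions=EXCEPTIONS):
    """Map each burst source ip to 'review' (allowlisted provider) or 'block'."""
    return {ip: "review" if any(relay == d or relay.endswith("." + d) for d in exceptions)
            else "block" for relay, ip in sources}
```

Feeding `decide(burst_sources(log))` to the perimeter filter, with the "review" entries routed to a ticket instead, is the piece that keeps the exception list from having to be edited by hand every time a big provider misbehaves.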