I noticed a few hosts attempting dictionary guessing on our perimeter MX's. They will do the following:

I have a script (others use fail2ban) to watch for this sort of thing which puts them into time-outs on our MX's.

Normally, I would not waste your and my time publishing this, but it hit 4 of my relays, all at different data centers, within 2 hours last night, so probably this list of IPs might help others. Because they are doing RSET, it will look like a fairly long established connection if you run netstat and one of these IPs is currently connected to port 25.
HTH,
Jim
Code:
helo XXXX
mail from:<blaa@example.com>
rcpt to:<guess1@example.com>
rcpt to:<guess2@example.com>
...
rcpt to:<guess100@example.com>
RSET
helo XXXX
mail from:<blaa@example.com>
rcpt to:<guess1@example.com>
rcpt to:<guess2@example.com>
...
Code:
% ipset list blacklist24hr
Name: blacklist24hr
Type: hash:ip
Header: family inet hashsize 4096 maxelem 65536 timeout 86400
Size in memory: 79480
References: 2
Members:
Statistics: Posted by JDunphy — Fri Jan 26, 2024 5:34 pm
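
Added example (not the poster's script): one way to spot the RCPT TO guessing pattern described in the post and feed the offenders into the blacklist24hr set. It assumes Postfix-style smtpd reject lines and a hypothetical threshold of 10 distinct unknown recipients; the sample log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Assumed Postfix smtpd reject line; adjust the pattern for another MTA.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>"
)
THRESHOLD = 10                 # hypothetical: distinct unknown recipients before blocking
IPSET_NAME = "blacklist24hr"   # set name shown in the post
IPSET_TIMEOUT = 86400          # default timeout from the set header in the post


def constructed_log():
    """Build constructed sample lines (documentation IPs, not real hosts)."""
    tmpl = ("Jan 26 03:10:{s:02d} mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            "unknown[{ip}]: 550 5.1.1 <{r}>: Recipient address rejected: User unknown "
            "in local recipient table; from=<blaa@example.com> to=<{r}> proto=SMTP helo=<XXXX>")
    lines = [tmpl.format(s=i, ip="192.0.2.10", r=f"guess{i}@example.com") for i in range(1, 13)]
    # One sender retrying the same mistyped address must not trip the threshold.
    lines += [tmpl.format(s=30 + i, ip="198.51.100.7", r="typo@example.com") for i in range(15)]
    return lines


def guessers(lines, threshold=THRESHOLD):
    """Return {ip: distinct unknown-recipient count} for IPs at or over threshold.

    Counts are keyed by client IP, not by connection or transaction, so an
    RSET or a reconnect does not reset them.
    """
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: len(r) for ip, r in seen.items() if len(r) >= threshold}


def ipset_commands(hits):
    """Render ipset commands; -exist refreshes the timeout if the IP is already listed."""
    return [f"ipset add {IPSET_NAME} {ip} timeout {IPSET_TIMEOUT} -exist" for ip in sorted(hits)]


if __name__ == "__main__":
    for cmd in ipset_commands(guessers(constructed_log())):
        print(cmd)
```

Feed it only the recent slice of the mail log (for example the last hour) so that old rejects age out of the count.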