This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Reporting abuse to OVH -- don't bother
- Previous message (by thread): [anti-abuse-wg] Reporting abuse to OVH -- don't bother
- Next message (by thread): [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alessandro Vesely
vesely at tana.it
Wed Feb 12 19:57:56 CET 2020
Hi, On Wed 12/Feb/2020 18:43:54 +0100 Alex de Joode wrote: > > The abuse notification below, is absolutely terrible: it only highlights the > OVH IP that was used, however it completely fails to identify the IP/hostname > that was "attacked", no action (other than forward the notice to the user of > the IP) can be taken. Yes, the user of the IP is the one who should take care. I don't think an actual (paying) user would waste resources on such desperate dictionary attacks. So, the host must be 0wned, and needs cleanup. > Please in the future include all relevant data in you abuse notice. (src+dst ip > are relevant!) Src+port are already there. The destination IP is indirectly mentioned in a sort of (stripped off[*]) legend which explains which host, what firewall, and similar details. Best Ale -- [*] I'd publish it if I were sure it's bullet proof. Until it's fully vetted, some obscurity sounds more secure ;-) > On Wed, 12-02-2020 13h 16min, Alessandro Vesely <vesely at tana.it> wrote: > > > Dear Abuse Team > > The following abusive behavior from IP address under your constituency > 188.165.221.36 has been detected: > > 2020-02-11 11:39:25 CET, 188.165.221.36, old decay: 86400, prob: 34.72%, > SMTP auth dictionary attack > > 188.165.221.36 was caught 102 times since Fri May 18 01:42:13 2018 > > original data from the mail log: > 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[58534] > 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[62026] > 2020-02-11 11:39:05 CET courieresmtpd: started,ip=[188.165.221.36],port=[63198] > 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[58743] > 2020-02-11 11:39:25 CET courieresmtpd: started,ip=[188.165.221.36],port=[50520] > 2020-02-11 11:39:25 CET courieresmtpd: > error,relay=188.165.221.36,port=58743,msg="535 Authentication failed.",cmd: > AUTH LOGIN 42D117A2.9F10013D > >
- Previous message (by thread): [anti-abuse-wg] Reporting abuse to OVH -- don't bother
- Next message (by thread): [anti-abuse-wg] Reporting abuse to OVH -- don't bother
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]