[anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?
Alessandro Vesely
vesely at tana.it
Wed Nov 17 12:12:32 CET 2021
Hi,

On Wed 17/Nov/2021 09:12:13 +0100 Hans-Martin Mosner wrote:
>
> Here I want to focus on hacked mail accounts. I can think of two major root
> causes but I have no idea about their relative significance:

I agree with Steve and Ángel that the main causes are reused passwords and phishing.

> * Easily guessable passwords, with two subcauses for exploits:
>   o Brute force authentication attempts - I'm seeing them regularly, and
>     the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at
>     our mailserver, but some mailops are less strict about blocking such
>     abusers.

I used to look at what passwords they try. Those brute force attacks are so ridiculous that I agree with those who call them "clowns".

About that network, I only collected 40 addresses (15.7%) of it. Here's the list:

40 record(s) selected, 0 deleted, 0 failed deletion(s)

Best
Ale
--
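The message above talks about spotting SMTP auth dictionary attacks and blocking a whole network rather than single hosts. The following is an added example, not code from the thread or from any poster: it runs over a few constructed Dovecot-style auth failure lines, flags hosts that hammer many distinct usernames, and groups flagged hosts by /24 so an operator can decide when a block-wide rule is justified. The log format, regex and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed Dovecot-style log lines (not taken from the mailing list post).
# The 5.188.206.0/24 prefix is the one named in the thread; other addresses
# are documentation ranges.
SAMPLE_LOG = """\
Nov 17 10:01:02 mx dovecot: auth: passwd-file(alice,5.188.206.194): Password mismatch
Nov 17 10:01:03 mx dovecot: auth: passwd-file(bob,5.188.206.194): unknown user
Nov 17 10:01:04 mx dovecot: auth: passwd-file(carol,5.188.206.194): unknown user
Nov 17 10:01:05 mx dovecot: auth: passwd-file(dave,5.188.206.195): unknown user
Nov 17 10:01:06 mx dovecot: auth: passwd-file(erin,5.188.206.195): Password mismatch
Nov 17 10:01:07 mx dovecot: auth: passwd-file(frank,5.188.206.195): unknown user
Nov 17 10:02:00 mx dovecot: auth: passwd-file(alice,198.51.100.7): Password mismatch
Nov 17 10:02:30 mx dovecot: auth: passwd-file(alice,198.51.100.7): Password mismatch
Nov 17 10:03:00 mx dovecot: auth: passwd-file(gina,203.0.113.9): unknown user
Nov 17 10:03:01 mx dovecot: auth: passwd-file(hank,203.0.113.9): unknown user
Nov 17 10:03:02 mx dovecot: auth: passwd-file(ivan,203.0.113.9): unknown user
Nov 17 10:04:00 mx dovecot: imap-login: Login: user=<alice>, rip=198.51.100.7
"""

# Assumed line shape: "auth: <db>(<user>,<ip>): Password mismatch|unknown user".
AUTH_FAIL = re.compile(
    r"auth: \w[\w-]*\((?P<user>[^,]+),(?P<ip>[\d.]+)\): (?:Password mismatch|unknown user)"
)


def parse_failures(log_text):
    """Return {source_ip: set of usernames tried} for every auth failure line."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return seen


def dictionary_attackers(log_text, min_users=3):
    """Hosts that failed against at least min_users distinct usernames.
    Many names from one host is the dictionary-attack signature; one user
    mistyping their own password (198.51.100.7 above) does not qualify."""
    return {ip for ip, users in parse_failures(log_text).items() if len(users) >= min_users}


def blocks_to_consider(attackers, min_hosts=2):
    """Group attacking hosts by /24; return prefixes with at least min_hosts
    distinct attackers, i.e. candidates for a network-wide rather than
    per-host block."""
    by_net = defaultdict(set)
    for ip in attackers:
        by_net[ip_network(f"{ip}/24", strict=False)].add(ip_address(ip))
    return {str(net) for net, hosts in by_net.items() if len(hosts) >= min_hosts}
```

On the sample input only the 5.188.206.0/24 prefix has two attacking hosts; 203.0.113.9 is flagged on its own but its /24 is not proposed for a block-wide rule.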