Hmmm.. Those are the same 2 netblocks, of several in Romania, from which we've been having not only attacks on our mail servers but also on FTP. I have been wondering if it's the locals or if it's what we've been seeing a lot of lately: compromised computers being used by other individuals to try and cover their tracks.

You're not alone. IPTables is your friend ;-) ACLs in the router work also.

--Ed

On 09/17/2012 10:38 PM, Lyle Giese wrote:
> Had an account here get hacked. Nothing really new or unusual about that. The account had been dormant for a while and I just deleted it. I got notices from AOL feedback and from the size of the outbound mail queue (I have a script to monitor the size of the queue), and that's how I found the issue.
>
> During the post investigation, I found two subnets (!) were sending directed POP3 queries and knew when they hit the blacklist threshold of Surgemail. I think they are still playing with the timeout. But they would back off for a few minutes and try again.
>
> The unusual part was they were trying full email addresses instead of just user names as most script kiddies would do. These IP addresses started poking less than 24 hrs before they gained access to that one account.
>
> 89.44.0.0/24
> 93.114.45.0/24
>
> I have taken the unusual step of blocking them in our Cisco router so they cannot access TCP port 110 on our mail servers.
>
> Guess my next project is to data-mine IP addresses from the mail logs for password failures and find the frequent violators now.
>
> Lyle Giese
> LCR Computer Services, Inc.

-- 
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net
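Lyle's planned next step, mining the mail logs for password failures and ranking the frequent violators, worked through as an added example that is not part of the thread. The log layout and sample lines are constructed (Surgemail's real format is not shown here), the /24 aggregation mirrors the netblock-wide probing Lyle describes, and the output is the iptables rule Ed suggests for TCP port 110.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample log in an assumed layout; adapt LINE_RE to your server's real format.
SAMPLE_LOG = """\
2012-09-17 21:03:11 pop3 203.0.113.17 login failed user=alice@example.net
2012-09-17 21:03:12 pop3 203.0.113.17 login failed user=bob@example.net
2012-09-17 21:03:14 pop3 203.0.113.92 login failed user=carol@example.net
2012-09-17 21:03:20 pop3 198.51.100.5 login failed user=dave@example.net
2012-09-17 21:03:21 pop3 198.51.100.5 login failed user=erin@example.net
2012-09-17 21:03:22 pop3 198.51.100.5 login failed user=frank@example.net
2012-09-17 21:04:01 pop3 192.0.2.44 login failed user=heidi
2012-09-17 21:04:30 pop3 192.0.2.44 login ok user=heidi
"""

LINE_RE = re.compile(
    r"pop3 (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login failed user=(?P<user>\S+)")

def parse_failures(log_text):
    """Yield (source_ip, attempted_user) for every failed POP3 login."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def rank_violators(log_text, threshold=3):
    """Aggregate failures per /24 (the probes came from whole netblocks, not
    single hosts), flag blocks at or above the threshold, and note whether a
    block tried full e-mail addresses as usernames, the pattern Lyle flagged."""
    per_net, users_by_net = Counter(), defaultdict(set)
    for ip, user in parse_failures(log_text):
        net = str(ip_network(f"{ip}/24", strict=False))
        per_net[net] += 1
        users_by_net[net].add(user)
    return [
        {"netblock": net, "failures": n,
         "full_addresses": any("@" in u for u in users_by_net[net])}
        for net, n in per_net.most_common() if n >= threshold
    ]

def acl_rules(report, port=110):
    """Render an iptables DROP rule per flagged netblock for the POP3 port."""
    return [f"iptables -A INPUT -s {r['netblock']} -p tcp --dport {port} -j DROP"
            for r in report]

if __name__ == "__main__":
    flagged = rank_violators(SAMPLE_LOG)
    print(*flagged, *acl_rules(flagged), sep="\n")
```

Run it over the real log instead of SAMPLE_LOG and review the flagged list before applying the rules; a shared NAT gateway with a few mistyped passwords can cross a low threshold.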