Had an account here get hacked. Nothing really new or unusual about that. The account had been dormant for a while and I just deleted it. I got notices from AOL feedback and from the size of the outbound mail queue (I have a script to monitor the size of the queue), and that's how I found the issue.

During the post investigation, I found two subnets (!) were sending directed POP3 queries and knew when they hit the blacklist threshold of Surgemail. I think they are still playing with the timeout. But they would back off for a few minutes and try again.

The unusual part was they were trying full email addresses instead of just user names, as most script kiddies would do. These IP addresses started poking less than 24 hrs before they gained access to that one account.

89.44.0.0/24
93.114.45.0/24

I have taken the unusual step of blocking them in our Cisco router so they cannot access TCP port 110 on our mail servers.

Guess my next project is to data mine IP addresses from the mail logs for password failures and find the frequent violators now.

Lyle Giese
LCR Computer Services, Inc.
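The log mining the post ends with, as an added example that is not part of the original post: it counts POP3 login failures per source /24, flags the frequent violators, and picks out sources that eventually logged in after failing, the pattern described above. The log lines and their format are constructed for the example; Surgemail's real log format is different and the regex would need adjusting.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network
# Constructed sample lines in a hypothetical log format; real Surgemail
# log lines differ, so adjust LINE_RE to the actual format before use.
SAMPLE_LOG = """\
2024-03-01 02:10:01 pop3 203.0.113.7 login failed user=alice@example.org
2024-03-01 02:10:02 pop3 203.0.113.7 login failed user=bob@example.org
2024-03-01 02:10:04 pop3 198.51.100.20 login failed user=dave
2024-03-01 02:10:05 pop3 203.0.113.7 login failed user=erin@example.org
2024-03-01 02:10:06 pop3 198.51.100.20 login ok user=dave
2024-03-01 02:10:07 pop3 203.0.113.7 login ok user=frank@example.org
"""

LINE_RE = re.compile(r"^\S+ \S+ pop3 (?P<ip>[\d.]+) login (?P<result>failed|ok) user=(?P<user>\S+)$")

def parse(log_text):
    """Yield (ip, result, user) for each line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["result"], m["user"]

def failures_per_net(log_text):
    """Count failed POP3 logins per source /24 (the granularity used for the router block)."""
    per_net = Counter()
    for ip, result, _ in parse(log_text):
        if result == "failed":
            per_net[str(ip_network(f"{ip}/24", strict=False))] += 1
    return per_net

def frequent_violators(log_text, threshold=3):
    """Return [(net, failures)] for /24s at or above `threshold`, most active first."""
    return [(n, c) for n, c in failures_per_net(log_text).most_common() if c >= threshold]

def success_after_failures(log_text):
    """Map IP -> (user, prior failures) for sources that logged in after failing first."""
    failed, hits = defaultdict(int), {}
    for ip, result, user in parse(log_text):
        if result == "failed":
            failed[ip] += 1
        elif failed[ip]:
            hits[ip] = (user, failed[ip])
    return hits

def full_address_share(log_text):
    """Fraction of failed attempts that used a full address instead of a bare username."""
    users = [u for _, r, u in parse(log_text) if r == "failed"]
    return sum("@" in u for u in users) / len(users) if users else 0.0
```

Pipe real log lines into `frequent_violators` with the threshold tuned to normal typo rates, and review `success_after_failures` hits by hand before blocking anything, since a legitimate user mistyping a password twice produces the same shape.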