89.42.240.2

----- Original Message -----
From: "Lyle Giese" HIDDEN@crcomputer.info>
To: <surgemailHIDDEN@etwinsite.com>; "1USA Webmaster" <webmaster@1usa.com>
Sent: Monday, September 17, 2012 7:38 PM
Subject: [SurgeMail List] hackers & pop3

> Had an account here get hacked. Nothing really new or unusual about that. The account had been dormant for a while and I just deleted it. I got notices from AOL feedback and the size of the outbound mail queue (I have a script to monitor the size of the queue) and that's how I found the issue.
>
> During the post investigation, I found two subnets(!) were sending directed POP3 queries and knew when they hit the blacklist threshold of SurgeMail. I think they are still playing with the time out. But they would back off for a few minutes and try again.
>
> The unusual part was they were trying full email addresses instead of just user names as most script kiddies would do. These IP addresses started poking less than 24 hrs before they gained access to that one account.
>
> 89.44.0.0/24
> 93.114.45.0/24
>
> I have taken the unusual step of blocking them in our Cisco router so they cannot access TCP port 110 on our mail servers.
>
> Guess my next project is to data mine IP addresses from the mail logs for password failures and find the frequent violators now.
>
> Lyle Giese
> LCR Computer Services, Inc.
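The log-mining project Lyle describes at the end of his post (count POP3 password failures per source, find the frequent violators, and spot sources that pace themselves to stay under the blacklist threshold) can be done with a short script. The following is an added example, not code from the list or from SurgeMail; the log line format, the sample lines, the threshold of 5 failures and the 2-minute back-off gap are all assumptions constructed for illustration, so the regex would need adapting to a real SurgeMail log.

```python
"""Mine POP3 authentication failures from a mail log: count failures per IP and
per /24, measure how many attempts use full e-mail addresses as usernames, and
flag sources whose bursts stay just under a blacklist threshold before backing off."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log; this line layout is an assumption, not SurgeMail's format.
# Two hosts in the subnets named in the post pace their attempts in short bursts,
# one host hammers in a single burst, and one local user simply mistypes a password.
SAMPLE_LOG = """\
2012-09-16 22:00:00 pop3 login failed user=alice@example.com from=89.44.0.10
2012-09-16 22:00:10 pop3 login failed user=bob@example.com from=89.44.0.10
2012-09-16 22:00:20 pop3 login failed user=carol@example.com from=89.44.0.10
2012-09-16 22:00:30 pop3 login failed user=dave@example.com from=89.44.0.10
2012-09-16 22:06:00 pop3 login failed user=erin@example.com from=89.44.0.10
2012-09-16 22:06:10 pop3 login failed user=frank@example.com from=89.44.0.10
2012-09-16 22:06:20 pop3 login failed user=grace@example.com from=89.44.0.10
2012-09-16 22:06:30 pop3 login failed user=heidi@example.com from=89.44.0.10
2012-09-16 22:12:00 pop3 login failed user=ivan@example.com from=89.44.0.10
2012-09-16 22:12:10 pop3 login failed user=judy@example.com from=89.44.0.10
2012-09-16 22:12:20 pop3 login failed user=ken@example.com from=89.44.0.10
2012-09-16 22:00:05 pop3 login failed user=alice@example.com from=89.44.0.77
2012-09-16 22:00:15 pop3 login failed user=bob@example.com from=89.44.0.77
2012-09-16 22:00:25 pop3 login failed user=carol@example.com from=89.44.0.77
2012-09-16 22:07:00 pop3 login failed user=dave@example.com from=89.44.0.77
2012-09-16 22:07:10 pop3 login failed user=erin@example.com from=89.44.0.77
2012-09-16 22:01:00 pop3 login failed user=alice@example.com from=93.114.45.22
2012-09-16 22:01:05 pop3 login failed user=bob@example.com from=93.114.45.22
2012-09-16 22:01:10 pop3 login failed user=carol@example.com from=93.114.45.22
2012-09-16 22:01:15 pop3 login failed user=dave@example.com from=93.114.45.22
2012-09-16 22:01:20 pop3 login failed user=erin@example.com from=93.114.45.22
2012-09-16 22:01:25 pop3 login failed user=frank@example.com from=93.114.45.22
2012-09-16 22:03:00 pop3 login failed user=lyle from=203.0.113.7
2012-09-16 22:03:30 pop3 login ok user=lyle from=203.0.113.7
"""

# Only failed logins are of interest; successful ones do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) pop3 login failed "
    r"user=(?P<user>\S+) from=(?P<ip>[\d.]+)$"
)


def parse_failures(text):
    """Return a list of (timestamp, username, source_ip) for each failed login."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            records.append((ts, m["user"], m["ip"]))
    return records


def failures_by_ip(records):
    """Failure count per source IP; .most_common() gives the frequent violators."""
    return Counter(ip for _, _, ip in records)


def failures_by_subnet(records, prefix=24):
    """Failure count per /prefix network, the granularity one would block at a router."""
    return Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for _, _, ip in records
    )


def full_address_attempts(records):
    """Count attempts whose username is a full e-mail address rather than a bare login."""
    return sum(1 for _, user, _ in records if "@" in user)


def bursts(times, gap):
    """Split timestamps into bursts; a pause longer than `gap` starts a new burst."""
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][-1] <= gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups


def throttled_sources(records, threshold=5, gap=timedelta(minutes=2), min_bursts=2):
    """Map IP -> burst count for sources that repeatedly back off just under `threshold`.

    A single big burst trips the blacklist on its own; the sources worth hunting are
    the ones that never reach it because they pause and come back.
    """
    by_ip = defaultdict(list)
    for ts, _, ip in records:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        groups = bursts(times, gap)
        if len(groups) >= min_bursts and all(len(g) < threshold for g in groups):
            flagged[ip] = len(groups)
    return flagged


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    print("top sources:", failures_by_ip(recs).most_common(3))
    print("per /24:", failures_by_subnet(recs).most_common())
    print("full-address usernames:", full_address_attempts(recs), "of", len(recs))
    print("paced sources:", throttled_sources(recs))
```

On the sample, the per-/24 counts point at the two subnets from the post, and the pacing check singles out the two hosts that stop short of five failures before backing off, while the host that fires six attempts in one burst is left to the blacklist that already catches it.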