SurgeMail Archive: Re: [SurgeMail List] pop3 password attack in progress here 216.231.134.98

Subject:	Re: [SurgeMail List] pop3 password attack in progress here 216.231.134.98
From:	Case Hugo
Date:	31-Dec-2011
Curious, What user names did they start with? For the G_Hacker_Poison :-) > They do work on POP3. Doesn't stop the attacker from trying however. > > All attempts were being blocked properly by SurgeMail and all attempts > were logged. > > I will note that all these attempts were for unqualified user names. In > other words, noHIDDEN@n.name in them. So the attacker got absolutely > nothing. I have no accounts in the main domain except the postmaster(with > a complex password). > > This was coming from a hosted server, and not a dynamic home ip address. I > was pleasently surprised that the hosting company did in fact respond > relatively quickly. > > However this attack was generating several hundred attempts per hour and > had been on-going for about 5 hrs when I blackholed him in IP tables. And > they were only up to D in the alphabet with the names being attempted. > > Lyle Giese > LCR Computer Services, Inc. > > On 12/21/2011 1:52 PM, Ed wrote: >> I always thought that the failed password [count] options that I know >> work on SMTP would work on POP3 but it appears not. Sure would be nice >> if the settings worked for all protocols. X [small number like 4] bad >> SMTP guesses and it just drops the connections. >> >> --Ed >> >> On 12/21/2011 02:46 PM, Lyle Giese wrote: >>> On 12/21/2011 11:17 AM, Lyle Giese wrote: >>>> FYI, >>>> we have been under a concerted long term POP3 password attack from >>>> 216.231.134.98 >>>> >>>> I have a host in front of our Surgemail servers running IPTables and am >>>> dropping all packets from this host. I have not had time to look into >>>> this, but it looks like a hosting company of some sort. >>>> >>>> Lyle Giese >>>> LCR Computer Services, Inc. >>>> >>> >>> Just a quick followup, I have not looked to see if the attacker is gone, >>> but the ISP (Continuum Data Centers, LLC) has already responding and it >>> working on the issue from their end. >>> >>> This POP3 brute force password attack was running for about 6 hrs before >>> I noticed and adjusted the IPTables to cut him off. >>> >>> Lyle >>> >>> >>> >> > > >

Last Message | Next Message


Search website: