I don't know that I have a list any more, but I estimated they went from
A and got into the D's with over 200,000 tries.

Lyle

On 12/30/2011 7:38 PM, Case Hugo wrote:
> Curious,
>
> What user names did they start with? For the G_Hacker_Poison :-)
>
>> They do work on POP3. Doesn't stop the attacker from trying however.
>>
>> All attempts were being blocked properly by SurgeMail and all
>> attempts were logged.
>>
>> I will note that all these attempts were for unqualified user names.
>> In other words, noHIDDEN@n.name in them. So the attacker got
>> absolutely nothing. I have no accounts in the main domain except the
>> postmaster (with a complex password).
>>
>> This was coming from a hosted server, and not a dynamic home ip
>> address. I was pleasantly surprised that the hosting company did in
>> fact respond relatively quickly.
>>
>> However this attack was generating several hundred attempts per hour
>> and had been on-going for about 5 hrs when I blackholed him in IP
>> tables. And they were only up to D in the alphabet with the names
>> being attempted.
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
>>
>> On 12/21/2011 1:52 PM, Ed wrote:
>>> I always thought that the failed password [count] options that I know
>>> work on SMTP would work on POP3 but it appears not. Sure would be nice
>>> if the settings worked for all protocols. X [small number like 4] bad
>>> SMTP guesses and it just drops the connections.
>>>
>>> --Ed
>>>
>>> On 12/21/2011 02:46 PM, Lyle Giese wrote:
>>>> On 12/21/2011 11:17 AM, Lyle Giese wrote:
>>>>> FYI,
>>>>> we have been under a concerted long term POP3 password attack from
>>>>> 216.231.134.98
>>>>>
>>>>> I have a host in front of our Surgemail servers running IPTables and am
>>>>> dropping all packets from this host. I have not had time to look into
>>>>> this, but it looks like a hosting company of some sort.
>>>>>
>>>>> Lyle Giese
>>>>> LCR Computer Services, Inc.
>>>>>
>>>>
>>>> Just a quick followup, I have not looked to see if the attacker is gone,
>>>> but the ISP (Continuum Data Centers, LLC) has already responded and is
>>>> working on the issue from their end.
>>>>
>>>> This POP3 brute force password attack was running for about 6 hrs before
>>>> I noticed and adjusted the IPTables to cut him off.
>>>>
>>>> Lyle