Are there publicly available lists of IP ranges by region?
There's no reason for any IP outside of North America to be contacting Postfix on Submission (587) or IMAP, since these are employee-only services.
If not for mobile phones, we could really close it off.
On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:
Good day to all .....
Just adding to the conversation with how I had to deal with this years ago.
Basically, hacks on any server are an issue today, but it is cat and mouse trying to track all of this.
That being said, using the reported IP address below: I patched Postfix to log the IP address in one syslog pass (to ID the SASL user account + IP etc.).
Along with the above, Dovecot logging is verbose (Dovecot already logs all access in one line, i.e. IP address, username (email address) etc.).
Combining the two, I run my own IP address firewall tracking system based on the syslogging in real time.
For Example :
__________________________________________________________________________
# ipinfo 104.156.155.21
IP Status for : 104.156.155.21
IP Status : IPv4
NS Lookup (Forward) : 104.156.155.21
NS Lookup (Reverse) : None
IP Blacklisted Status : Found 104.156.155. for 104.156.155.21 [D] {Asterisk}
Last Program : sshd
Ip Location Info for : 104.156.155.21
No Ip Information Found
(ie ip location lookup failed / does not exist for this ip ?)
__________________________________________________________________________
Basically, the IP address block was found in my firewall, so something, someone etc. has tried to hack one of my servers.
In the case of scom.ca, I run an Asterisk server, and since Asterisk is noted, someone tried hacking that one as well.
Basically, I run a database that tracks and updates all firewalls in real time.
Running FreeBSD, I use PF; Asterisk is Linux based, so I use iptables and update every 10 minutes.
The only time nowadays I get involved is if a customer calls and complains they are not getting emails etc. ...
That happens a few times a year.
Again just an FYI
This reply was more to indicate that all email servers (and anything attached to the internet) really need to run some sort of automated IP firewall when username/password hacks occur, no reverse IP address, etc. etc. etc.
Food for thought.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul@scom.ca
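An added example (not Paul's own tool, nor code from Dovecot or Postfix) of the log-driven blocking described above: it extracts failed IMAP/POP and Submission logins from constructed Dovecot and Postfix syslog lines, treats sources outside a placeholder home-region allowlist more strictly than in-region ones (the mobile-phone caveat from the top of the thread), and emits the pfctl and iptables commands a periodic update job would apply. The allowlist, the PF table name and the sample log lines are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines in Dovecot and Postfix format (not real log data from the thread).
SAMPLE_LOG = """\
Nov 16 08:01:12 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<alice>, method=PLAIN, rip=104.156.155.21, lip=192.0.2.10, TLS, session=<a1>
Nov 16 08:01:20 mx postfix/submission/smtpd[1234]: warning: unknown[104.156.155.21]: SASL LOGIN authentication failed: authentication failure
Nov 16 08:02:02 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<b2>
Nov 16 08:03:44 mx postfix/submission/smtpd[1235]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Nov 16 08:04:00 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.50, lip=192.0.2.10, TLS, session=<c3>
"""

# Hypothetical "home region" allowlist; substitute a real per-region range list here.
HOME_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# One-line auth-failure records: Dovecot's rip=<ip> and Postfix's "SASL ... authentication failed".
DOVECOT_FAIL = re.compile(r"dovecot: \S+-login: .*auth failed.*?rip=(\d+\.\d+\.\d+\.\d+)")
POSTFIX_FAIL = re.compile(r"postfix/\S+\[\d+\]: warning: \S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed")

def count_failures(log_text):
    """Count failed IMAP/POP/Submission logins per source IP across both daemons' syslog lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DOVECOT_FAIL.search(line) or POSTFIX_FAIL.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def in_home_region(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)

def choose_blocks(hits, threshold=3):
    """Out-of-region sources are blocked on the first failure; in-region ones (roaming phones,
    typos) only once they reach the threshold."""
    return sorted(ip for ip, n in hits.items() if not in_home_region(ip) or n >= threshold)

def firewall_commands(ips, pf_table="badhosts"):
    """Commands for the FreeBSD (PF table) and Linux (iptables) hosts; apply them from a periodic job."""
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {pf_table} -T add {ip}")
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds

if __name__ == "__main__":
    for cmd in firewall_commands(choose_blocks(count_failures(SAMPLE_LOG))):
        print(cmd)
```

The PF table must already be declared in pf.conf (for example `table <badhosts> persist`, referenced by a block rule) for the `pfctl -T add` to take effect.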
On 11/15/2023 5:53 PM, Simon B wrote:
On Wed, 15 Nov 2023, 23:25 Michael Peddemors, <michael@linuxmagic.com> wrote:
There is a network claiming to be a security company, however the activity appears to be a little more malicious, and appears to be attempting buffer overflows against POP-SSL services.. (and other attacks).
https://www.abuseipdb.com/check/104.156.155.21
Just thought it would be worth mentioning, you might want to keep an eye out for traffic from this company...
Might want to make up your own mind, or maybe someone has more information, but enough of a red flag, that thought it warranted posting on the list.
Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...
They are not interested in dovecot per se. They scan for TLS vulnerabilities, mostly.
Anyone with more information?
NetRange: 104.156.155.0 - 104.156.155.255
CIDR: 104.156.155.0/24
NetName: ACDRESEARCH
NetHandle: NET-104-156-155-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Academy of Internet Research Limited Liability Company (AIRLL)
RegDate: 2022-01-07
Updated: 2022-01-07
Ref: https://rdap.arin.net/registry/ip/104.156.155.0

OrgName: Academy of Internet Research Limited Liability Company
OrgId: AIRLL
Address: #A1- 5436
Address: 1110 Nuuanu Ave
City: Honolulu
StateProv: HI
PostalCode: 96817
Country: US
RegDate: 2021-10-15
Updated: 2022-11-06
Ref: https://rdap.arin.net/registry/entity/AIRLL
--
See also shadowserver.org, census.io, stretchoid, etc. All of them allegedly reputable, all of them supposedly with opt-out mechanisms, and all of them are blocked for not asking permission.
Ymmv.
Regards
Simon
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org