[aklug] Re: Anybody that works for ACS want to do some sleuthing for me?

From: Kevin Miller <atftb2@alaska.net>
Date: Sat Oct 16 2010 - 18:12:23 AKDT

On 10/16/2010 05:50 PM, Royce Williams wrote:
> adam bultman said, on 10/16/2010 11:59 AM:
>> I have a server that's getting a large number of connections from some
>> ACS IP addresses in what claims to be a static block.
>>
>> Since October 10 @ 4:30 AM, I've had a grand total of 44,800 connections
>> from three IP addresses via SMTP. I don't think they're delivering mail;
>> I do know that some of them are trying to do SMTP AUTH.
>>
>> It's annoying, and I'd like to know if that's one of our customers
>> trying to connect, or a former customer who left some mail client
>> running, or some spam bots trying *really hard* to send mail (but
>> getting denied, every time.)
>>
>> (Yes, I know I could write the abuse email, but all I ever get - ever -
>> from *any* email written to abuse at any domain is an autoresponder.
>> Bummer.)
>
> abuse@ in any provider's domain gets a lot of email; cut 'em a little
> slack. But even if you write to abuse@, they can't give you a direct
> answer as to who had those IPs at those times without some legal
> paperwork. They might be able to spank and intervene, but won't be able
> to tell you more than that they enforced terms of service, etc.
>
> It sounds like you can see attempts trying to log in as particular
> users? If so, do a frequency count on them, and look for patterns. And
> if you're not sure if they're delivering mail or not, you should be. ;-)

I never expect answers from abuse@ but I have sent to support@. Didn't
even get an autoresponder. Sigh. But, calling support is a different
matter. If it was me, I'd call up and speak to a live person. They can
usually give you an email address to send to - if they know it's coming
they'll look for it, and you can send them some log snippets.

As Royce said, they probably can't tell you who it is, but they'll be
able to set up monitoring, contact the customer, or something.

Some years back I had some bozo trying to get into our network from some
address down south. I called them (the down south ISP that is) and w/in
minutes their connection was severed. If/when you can actually get a
person, things usually get taken care of pretty promptly...

...Kevin

-- 
Kevin Miller - http://www.alaska.net/~atftb
Juneau, Alaska
In a recent survey, 7 out of 10 hard drives preferred Linux
Registered Linux User No: 307357, http://counter.li.org
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
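Royce's suggestion above (frequency-count the usernames the failing SMTP AUTH attempts use, look for patterns, and confirm whether any of those hosts actually gets mail accepted) is the kind of thing that separates Adam's three candidates: a stuck client hammers one username, a bot walks a list of usernames, and a real sender ends up with a queue id. The script below is an added example, not code from anyone on the thread. The log lines it parses are constructed, in a Postfix-like smtpd syntax (an assumption; the thread never names the MTA), and the thresholds in classify() are arbitrary starting points to tune against your own logs.

```python
"""Frequency analysis of failed SMTP AUTH attempts per source IP.

Added example for this thread, not code from the original post. SAMPLE_LOG
is constructed in a Postfix-style syntax (an assumption; the thread never
says which MTA is in use) and the classification thresholds are arbitrary.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. Three source IPs:
#   192.0.2.10   retries one username over and over (looks like a stuck client)
#   198.51.100.7 walks through several usernames (looks like guessing)
#   203.0.113.5  authenticates and gets a queue id (actually delivering)
SAMPLE_LOG = """\
Oct 16 04:30:01 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Oct 16 04:30:02 mx postfix/smtpd[1201]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Oct 16 04:30:03 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10]
Oct 16 04:31:01 mx postfix/smtpd[1202]: connect from unknown[192.0.2.10]
Oct 16 04:31:02 mx postfix/smtpd[1202]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Oct 16 04:31:03 mx postfix/smtpd[1202]: disconnect from unknown[192.0.2.10]
Oct 16 04:32:01 mx postfix/smtpd[1203]: connect from unknown[192.0.2.10]
Oct 16 04:32:02 mx postfix/smtpd[1203]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Oct 16 04:32:03 mx postfix/smtpd[1203]: disconnect from unknown[192.0.2.10]
Oct 16 04:40:01 mx postfix/smtpd[1210]: connect from unknown[198.51.100.7]
Oct 16 04:40:02 mx postfix/smtpd[1210]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=admin
Oct 16 04:40:03 mx postfix/smtpd[1210]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=test
Oct 16 04:40:04 mx postfix/smtpd[1210]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=info
Oct 16 04:40:05 mx postfix/smtpd[1210]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=sales
Oct 16 04:40:06 mx postfix/smtpd[1210]: disconnect from unknown[198.51.100.7]
Oct 16 04:50:01 mx postfix/smtpd[1220]: connect from mail.example.net[203.0.113.5]
Oct 16 04:50:02 mx postfix/smtpd[1220]: 7F3A2C0B1: client=mail.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=carol
Oct 16 04:50:03 mx postfix/smtpd[1220]: disconnect from mail.example.net[203.0.113.5]
"""

# "connect from host[ip]" (the "disconnect" line does not match: it lacks ": connect")
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from \S+\[(?P<ip>[\d.]+)\]")
# failed SASL auth, with the username the client tried
AUTH_FAIL_RE = re.compile(
    r"\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed: .*?sasl_username=(?P<user>\S+)"
)
# a queue id assigned to a client: the message was accepted, so mail IS arriving
QUEUED_RE = re.compile(r"smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\]")


def analyze(log_text):
    """Per-IP connection counts, failed-auth username counts and queued-message counts."""
    connections = Counter()
    failed_users = defaultdict(Counter)   # ip -> Counter(username -> failures)
    queued = Counter()                    # ip -> messages that received a queue id
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connections[m.group("ip")] += 1
            continue
        m = AUTH_FAIL_RE.search(line)
        if m:
            failed_users[m.group("ip")][m.group("user")] += 1
            continue
        m = QUEUED_RE.search(line)
        if m:
            queued[m.group("ip")] += 1
    return connections, failed_users, queued


def classify(ip, connections, failed_users, queued):
    """Heuristic label for one source IP. Thresholds are arbitrary; tune them."""
    users = failed_users.get(ip, Counter())
    if queued.get(ip, 0) > 0:
        return "delivering"      # got a queue id, so it is really sending mail
    if len(users) >= 3:
        return "guessing"        # many distinct usernames from one host
    if len(users) == 1 and sum(users.values()) >= 3:
        return "stuck-client"    # the same username, again and again
    if connections.get(ip, 0) > 0 and not users:
        return "no-auth"         # connects but never tries AUTH
    return "unclear"


def report(log_text):
    """Map each source IP to (connections, sorted distinct failed usernames, label)."""
    connections, failed_users, queued = analyze(log_text)
    out = {}
    for ip in sorted(set(connections) | set(failed_users) | set(queued)):
        label = classify(ip, connections, failed_users, queued)
        out[ip] = (connections[ip], sorted(failed_users.get(ip, {})), label)
    return out


if __name__ == "__main__":
    for ip, (n, users, label) in report(SAMPLE_LOG).items():
        print(f"{ip:15} conns={n:3} failed_users={users} -> {label}")
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents; the three labels map directly onto the thread's three guesses (stuck client, credential guessing, genuine sender), and the "delivering" case is the one to look at first, since a host that authenticates after a run of failures may be sending with a guessed password. Log snippets produced this way (per-IP counts plus the usernames tried) are also exactly what Kevin suggests handing to a live person at the ISP.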
Received on Sat Oct 16 18:12:29 2010

This archive was generated by hypermail 2.1.8 : Sat Oct 16 2010 - 18:12:29 AKDT