[aklug] Re: Anybody that works for ACS want to do some sleuthing for me?

From: Adam Bultman <adamb@glaven.org>
Date: Sat Oct 16 2010 - 20:52:28 AKDT

  On 10/16/2010 5:50 PM, Royce Williams wrote:
> adam bultman said, on 10/16/2010 11:59 AM:
>> I have a server that's getting a large number of connections from some
>> ACS IP addresses in what claims to be a static block.
>>
>> Since October 10 @ 4:30 AM, I've had a grand total of 44,800 connections
>> from three IP addresses via SMTP. I don't think they're delivering mail;
>> I do know that some of them are trying to do SMTP AUTH.
>>
>> It's annoying, and I'd like to know if that's one of our customers
>> trying to connect, or a former customer who left some mail client
>> running, or some spam bots trying *really hard* to send mail (but
>> getting denied, every time.)
>>
>> (Yes, I know I could write the abuse email, but all I ever get - ever -
>> from *any* email written to abuse at any domain is an autoresponder.
>> Bummer.)
> abuse@ in any provider's domain gets a lot of email; cut 'em a little
> slack. But even if you write to abuse@, they can't give you a direct
> answer as to who had those IPs at those times without some legal
> paperwork. They might be able to spank and intervene, but won't be able
> to tell you more than that they enforced terms of service, etc.
>
> It sounds like you can see attempts trying to log in as particular
> users? If so, do a frequency count on them, and look for patterns. And
> if you're not sure if they're delivering mail or not, you should be. ;-)
>
I don't get too much from abuse. Either that, or it's sent to someone
else. But I usually read, and respond to anything sent to abuse that's
pertinent, and answerable.

You're right, they won't give ME information about the customer, but
they could contact the customer and the ACS person (having emailed me
offlist) would have asked a few questions that would have tipped off the
customer to one thing, or another.

At any rate, I wrote abuse, but still am sending the traffic from those
IPs into the bit bucket. And mostly, they were trying to do SMTP AUTH
(but not as a recognizable user, unless you consider a square with four
dots in it a recognizable user.)

> Royce

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
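Royce's suggestion above (frequency-count the usernames being tried, and actually check whether the source ever delivers mail) as an added example, not code from the thread or from either poster: it tallies, per source IP, connections, SMTP AUTH failures, messages that were actually queued, and the usernames attempted, over constructed Postfix-style smtpd log lines. The log format and the `sasl_username=` field are assumptions; unprintable usernames (Adam's "square with four dots") are shown escaped rather than as a blank glyph.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix-style smtpd log lines (assumed format; not from the thread).
SAMPLE_LOG = """\
Oct 16 04:31:02 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Oct 16 04:31:03 mx postfix/smtpd[1201]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure, sasl_username=\x01
Oct 16 04:31:03 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10]
Oct 16 04:31:09 mx postfix/smtpd[1202]: connect from unknown[192.0.2.10]
Oct 16 04:31:10 mx postfix/smtpd[1202]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure, sasl_username=\x01
Oct 16 04:31:10 mx postfix/smtpd[1202]: disconnect from unknown[192.0.2.10]
Oct 16 04:32:00 mx postfix/smtpd[1203]: connect from unknown[192.0.2.11]
Oct 16 04:32:01 mx postfix/smtpd[1203]: warning: unknown[192.0.2.11]: SASL PLAIN authentication failed: authentication failure, sasl_username=bob
Oct 16 04:32:01 mx postfix/smtpd[1203]: disconnect from unknown[192.0.2.11]
Oct 16 04:33:00 mx postfix/smtpd[1204]: connect from mail.example.net[203.0.113.5]
Oct 16 04:33:01 mx postfix/smtpd[1204]: 7F3A2C1: client=mail.example.net[203.0.113.5]
Oct 16 04:33:02 mx postfix/smtpd[1204]: disconnect from mail.example.net[203.0.113.5]
"""

CONNECT = re.compile(r"(?<!dis)connect from \S+\[(?P<ip>[^\]]+)\]")
AUTH_FAIL = re.compile(r"\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed(?:.*sasl_username=(?P<user>\S*))?")
QUEUED = re.compile(r"\b[0-9A-F]{6,}: client=\S+\[(?P<ip>[^\]]+)\]")  # a queue ID means a message was accepted

def summarize(log_text):
    """Per source IP: connections, AUTH failures, messages queued, and a frequency count of usernames tried."""
    stats = defaultdict(lambda: {"connects": 0, "auth_fail": 0, "queued": 0, "users": Counter()})
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            stats[m["ip"]]["connects"] += 1
        elif m := AUTH_FAIL.search(line):
            stats[m["ip"]]["auth_fail"] += 1
            # ascii() escapes unprintable usernames so they appear as e.g. '\x01' instead of a blank glyph
            stats[m["ip"]]["users"][ascii(m["user"] or "")] += 1
        elif m := QUEUED.search(line):
            stats[m["ip"]]["queued"] += 1
    return stats

def suspicious(stats, min_connects=2):
    """IPs that keep connecting, only ever fail AUTH, and never get a message queued."""
    return sorted(ip for ip, s in stats.items()
                  if s["connects"] >= min_connects and s["auth_fail"] > 0 and s["queued"] == 0)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspicious(stats):
        s = stats[ip]
        print(f"{ip}: {s['connects']} connects, {s['auth_fail']} AUTH failures, usernames {dict(s['users'])}")
```

Run it over a real mail log instead of SAMPLE_LOG to get the per-IP and per-username counts for the block in question; a source with many connects and AUTH failures but zero queued messages is not delivering mail at all.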
Received on Sat Oct 16 20:52:38 2010

This archive was generated by hypermail 2.1.8 : Sat Oct 16 2010 - 20:52:38 AKDT