Hi everybody,
Since roughly December 13th last year I have seen a significant change in the bots' activities:
a) Greetdelay'ing the SMTP sessions -- working great for years -- is almost useless now.
b) In parallel with this change, I observe significant lexical/dictionary attacks against my POP3 service (POP3S not yet):
Yesterday:
2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'uucp'
2012-02-03 21:35:32.417104500 qmail-popup: pid 11081 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'david@217'
2012-02-03 21:35:34.678555500 qmail-popup: pid 11086 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'dave@217'
2012-02-03 21:35:36.939112500 qmail-popup: pid 11091 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'mike@217'
2012-02-03 21:35:39.196582500 qmail-popup: pid 11108 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'tony@217'
Today:
qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:81.169.140.224:h1989281.stratoserver.net ?= 'client'
.... resulting in a few thousand lookups every day.
Thus, within my forthcoming Spamcontrol 2.7 I've included logging of the POP3 username within qmail-popup.
Further, I will make a patch available against UCSPI-TCP enabling CIDR notation in the tcprules database.
regards.
--eh.
PS: Anybody who is interested should contact me for a beta version of both.
--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
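
Added example, not part of the original message and not Spamcontrol or UCSPI-TCP code: a small parser for the `Reject::AUTH::User` lines quoted above that counts distinct rejected usernames per source network, showing why grouping by CIDR prefix catches guessing that per-address counts miss. The function names, the threshold of 3, the /24 prefix and the four 198.51.100.x log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Five lines copied from the post, plus four constructed lines (198.51.100.x,
# a documentation range) that spread guesses over two hosts in one /24.
SAMPLE_LOG = """\
2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'uucp'
qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:81.169.140.224:h1989281.stratoserver.net ?= 'client'
qmail-popup: pid 20001 Reject::AUTH::User: P:POP3U S:198.51.100.10:unknown ?= 'admin'
qmail-popup: pid 20002 Reject::AUTH::User: P:POP3U S:198.51.100.10:unknown ?= 'info'
qmail-popup: pid 20003 Reject::AUTH::User: P:POP3U S:198.51.100.77:unknown ?= 'sales'
qmail-popup: pid 20004 Reject::AUTH::User: P:POP3U S:198.51.100.77:unknown ?= 'test'
"""

# Matches the line layout shown in the post; the timestamp prefix is optional.
# Only IPv4 sources are handled here.
LINE_RE = re.compile(
    r"qmail-popup: pid \d+ Reject::AUTH::User: P:\S+ "
    r"S:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\S+ \?= '(?P<user>[^']*)'"
)

def parse_rejects(text):
    """Yield (IPv4Address, username) for each rejected POP3 user lookup."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a rejected-user line
        try:
            yield ipaddress.ip_address(m.group("ip")), m.group("user")
        except ValueError:
            continue  # octet out of range: ignore the malformed line

def guessing_sources(text, min_users=3, prefix=24):
    """Map each source network to the distinct usernames it tried,
    keeping only networks that tried at least min_users of them."""
    tried = defaultdict(set)
    for ip, user in parse_rejects(text):
        tried[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(user)
    return {net: users for net, users in tried.items() if len(users) >= min_users}

if __name__ == "__main__":
    for prefix in (32, 24):
        print(f"/{prefix} grouping:")
        for net, users in sorted(guessing_sources(SAMPLE_LOG, prefix=prefix).items()):
            print(f"  {net}  {len(users)} usernames: {', '.join(sorted(users))}")
```

With per-address grouping (`prefix=32`) only 202.165.183.164 reaches the threshold; with /24 grouping the two constructed 198.51.100.x hosts are reported together as well.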