Dictonary attacks against things like POP servers normally stop
reasonably quickly once the attacking IP(s) is blacklisted.
Currently I have an attack from Turkey, over 3 IP address's I use
at home, and its just exceed 1 million attempts over the past 6 hours.
The IP was blacklisted on attempt number 8 (simultaneous POP
login attempts exceeded by 7/or hit on a auto BL login username)
Past experience tells me it will probably go for another 6-12 hours.
Most of them are normally from China/Romania, or Russia, years
ago I would have though they were compromised PC's but these
days it doesn't take much to notice those who are trying nolonger
seem to even attempt to go via a compromised PC/Proxy.
Are others also seeing this trend ?
If so any repeating IP attack ranges pop up or are they randoms ?
I've been running a mail server since about 1993, so I figure I've
got a good handle on trends :)
Cheers
Ian Manners
ComKal Networks Australia
Adding this email address to any database without prior permission
gives the owner permission to add YOUR sending IP and domain
to an international database of spammers.
Permission is only given to reply to this email, not to add this email
or other address details to ANY database.
To help ease your DSL line, you might consider using ipt_recent and simply dropping packets that exceed a connection rate threshold. Just ensure that the threshold is 1 higher than that set on your mail servers so that it has a chance to tell the sender "450 - Slow down, residential area"
--
------------------------------------------------------------
You received this message because you are subscribed to the "2600 Australia" group.
To post, send email to: 2600-au...@googlegroups.com To subscribe, send email to: 2600-austral...@googlegroups.com
For 2600 monthly meetings, visit http://www.2600.org.au For more options, visit this group at http://groups.google.com/group/2600-australia
To unsubscribe, send email to: 2600-australi...@googlegroups.com
Disclaimer: Comments to this mailing list are owned by the poster
------------------------------------------------------------
Standard tools i use to do away with the Dictionary/Bruteforce attempts
and also see what type of attacks are tried against my network. All
really simple and easy to setup.
I have no idea about trends but i use the free version of Splunk to
graft the first (3 attempts, after which they are dropped) to get an
idea on Location Source.