Mailing List SIMS@mail.stalker.com Message #15576
From: Bill Cole <listbill@scconsult.com>
Subject: Re: How to blacklist a client IP?
Date: Mon, 21 Jan 2008 11:07:04 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 6:52 AM -0800 1/21/08, Alan Summerfield wrote:
Hi,

it's a few years since I had anything to do with the SIMS mailing list
but it's good to see that it's still active.

I'm back as I have a problem with a "client" at 71.140.125.37 who has
since last night, been trying to get into the accounts by going through
hundreds of username/password combinations. Here's a log extract:

11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
11:14:21 1 POP {consult} is not open: password(eagle) is wrong.
Connection from [71.140.125.37:14341]

I've put 71.140.125.37 in the "Blacklisted Addresses" of the SMTP control
panel, to no effect.

What else can I do? Usernames beginning with "C" are being tried at the
moment and I suspect it won't stop until it's reached "Z"...

The best way to stop the probing is to do it as David said: outside of SIMS, at the network level. That IP is being used by a bad actor, and since 71.140.125.32-71.140.125.39 (a /29 subnet) seems to be statically assigned you should have no problem with collateral damage unless you really have a reason to serve the legitimate users of that address space. If you really DO have such a need, you probably also have a means of contact to provide a little education to the bozos responsible for the apparent compromise of the misbehaving address.

You can obviously also change your client and blacklist IP lists to change how SIMS deals with the prober and limits your risk of compromise, but that does not address the denial of service risk, which is a very real one with SIMS. There's no innocent explanation for the behavior you describe: the IP in question is being used by someone who is unconcerned with avoiding detection or damage. You should protect yourself.

--
Bill Cole                                  bill@scconsult.com
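The detection side of what the thread describes, as an added example that is not part of the original messages: a small Python script that pairs each SIMS "POP ... is not open: password(...) is wrong." line with the "Connection from [ip:port]" line that follows it, tallies failures per client IP, flags an IP that is walking through many different usernames (enumeration, not a mistyped password), and computes the covering /29 that Bill suggests blocking at the network level. The log format is assumed from the two lines Alan quoted; the sample lines below are constructed for the example, and only the 71.140.125.37 entry comes from the thread.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Line shapes assumed from the two SIMS log lines quoted in the thread.
FAIL_RE = re.compile(
    r"^\S+ \d+ POP \{(?P<user>[^}]+)\} is not open: password\([^)]*\) is wrong\."
)
CONN_RE = re.compile(r"^Connection from \[(?P<ip>[0-9.]+):(?P<port>\d+)\]")

# Constructed sample log: one host cycling through usernames starting with
# "c" (and on), plus one ordinary user who got a single password wrong.
SAMPLE_LOG = """\
11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
11:14:21 1 POP {consult} is not open: password(eagle) is wrong.
Connection from [71.140.125.37:14341]
11:14:23 1 POP {cooper} is not open: password(eagle) is wrong.
Connection from [71.140.125.37:14342]
11:14:25 1 POP {craig} is not open: password(eagle) is wrong.
Connection from [71.140.125.37:14343]
11:14:30 1 POP {dave} is not open: password(letmein) is wrong.
Connection from [71.140.125.37:14344]
11:15:02 1 POP {alice} is not open: password(hunter2) is wrong.
Connection from [192.0.2.10:50123]
"""


@dataclass
class IpStats:
    failures: int = 0
    users: set = field(default_factory=set)


def parse_pop_failures(log_text):
    """Tally POP login failures per client IP.

    SIMS writes the failure line first and the 'Connection from' line
    after it, so we remember the failed username until the next
    connection line attributes it to an address.
    """
    stats = {}
    pending_user = None
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            pending_user = m.group("user")
            continue
        m = CONN_RE.match(line)
        if m and pending_user is not None:
            entry = stats.setdefault(m.group("ip"), IpStats())
            entry.failures += 1
            entry.users.add(pending_user)
            pending_user = None
        # Other lines (e.g. the SYSTEM 'Resources open failed' line) are
        # not connection lines and do not change the pending failure.
    return stats


def flag_enumeration(stats, min_failures=3, min_users=2):
    """An IP failing repeatedly against several different usernames is
    enumerating accounts; a user mistyping one password is not."""
    return sorted(
        ip for ip, s in stats.items()
        if s.failures >= min_failures and len(s.users) >= min_users
    )


def covering_network(ip, prefix_len=29):
    """The address block containing ip, e.g. the /29 Bill refers to,
    so a network-level block can cover the whole static assignment."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


if __name__ == "__main__":
    stats = parse_pop_failures(SAMPLE_LOG)
    for ip in flag_enumeration(stats):
        s = stats[ip]
        print(f"{ip}: {s.failures} failures against {len(s.users)} accounts; "
              f"covering block {covering_network(ip)}")
```

The thresholds (three failures against at least two distinct usernames) are deliberately low for the sample; on a real server tune them against the normal rate of mistyped passwords, and note that SIMS logs the attempted password in clear text, so the log itself should be treated as sensitive.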