Liste de diffusion Message #15576
De: Bill Cole <>
Sujet: Re: How to blacklist a client IP?
Date: Mon, 21 Jan 2008 11:07:04 -0500
A: SIMS Discussions <>
At 6:52 AM -0800 1/21/08, Alan Summerfield wrote:

it's a few years since I had anything to do with the SIMS mailing list
but it's good to see that it's still active.

I'm back as I have a problem with a "client" at who has
since last night, been trying to get into the accounts by going through
hundreds of username/password combinations. Here's a log extract:

11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
11:14:21 1 POP {consult} is not open: password(eagle) is wrong.
Connection from []

I've put in the "Blacklisted Adresses" of the SMTP control
panel, to no effect.

What else can I do? Usernames beginning with "C" are being tried at the
moment and I suspect it won't stop until it's reached "Z"...

The best way to stop the probing is to do it as David said: outside of SIMS, at the network level. That IP is being used by a bad actor, and since (a /29 subnet) seems to be statically assigned you should have no problem with collateral damage unless you really have a reason to  serve the legitimate users of that address space. If you really DO have such a need, you probably also have a means of contact to provide a little education  to the bozos responsible for the apparent compromise of the misbehaving address.

You can obviously also change your client and blacklist IP lists to change how SIMS deals with the prober and limits your risk of compromise, but that does not address the denial of service risk, which is a very real one with SIMS. There's no innocent explanation for the behavior you describe: the IP in question is being used by someone who is unconcerned with avoiding detection or damage. You should protect yourself.

Bill Cole                        

S'abonner aux messages S'abonner aux sommaires S'abonner aux indexes Se désabonner Ecrire un email au responsable de la liste