Mailing List SIMS@mail.stalker.com Message #15579
From: Timothy Binder <lists2@cyberthorn.net>
Subject: Re: How to blacklist a client IP?
Date: Wed, 23 Jan 2008 12:19:22 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
On 1/21/08, Alan Summerfield <Summerfield@nbio.uni-heidelberg.de> wrote:

> I'm back as I have a problem with a "client" at 71.140.125.37 who has,
> since last night, been trying to get into the accounts by going through
> hundreds of username/password combinations. Here's a log extract:
>
> 11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
> 11:14:21 1 POP {consult} is not open: password(eagle) is wrong.
> Connection from [71.140.125.37:14341]
>
> I've put 71.140.125.37 in the "Blacklisted Addresses" of the SMTP control
> panel, to no effect.
>
> What else can I do? Usernames beginning with "C" are being tried at the
> moment and I suspect it won't stop until it's reached "Z"...

To add my two cents, when I had this issue -- and I definitely had it
-- I would end up blocking the IP address using IPNetRouter. In fact,
I would usually do a little research and end up blocking the whole IP
range it belonged to, if it was in an area I didn't usually deal with.
(For instance, I never saw real emails coming from Jordan, so would
just block a /24 block or whatever was assigned to the ISP by the
appropriate NIC, especially after repeated attacks from that range.)

However, if you have the ability to block at your border router,
that's even better. Definitely block at the earliest available point.
Just if you can't do it at that level, IPNetRouter definitely can
handle the blocking.
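
Added example, not part of the original message and not SIMS or IPNetRouter code: a small Python script that reads failed-login lines in the format of the log extract quoted above, counts failures per source address, and lists the addresses worth blocking together with their enclosing /24. The function names, the thresholds, the sample account names and the second address are assumptions, and the wrapped "Connection from" line is assumed to sit on the same line as the failure in the real log file.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the quoted log extract
# (only the first two lines come from the thread; the rest are made up).
SAMPLE_LOG = """\
11:14:21 0 SYSTEM Account {consult} Resources open failed. Error Code=-43
11:14:21 1 POP {consult} is not open: password(eagle) is wrong. Connection from [71.140.125.37:14341]
11:14:23 1 POP {contact} is not open: password(eagle) is wrong. Connection from [71.140.125.37:14342]
11:14:25 1 POP {cooper} is not open: password(test) is wrong. Connection from [71.140.125.37:14350]
11:15:02 1 POP {alan} is not open: password(typo) is wrong. Connection from [192.0.2.10:50211]
"""

# Matches a failed-login line; the attempted password is matched but never captured.
FAILED = re.compile(
    r"^\d\d:\d\d:\d\d \d+ \w+ \{(?P<account>[^}]*)\} is not open: "
    r"password\(.*\) is wrong\. Connection from \[(?P<ip>[0-9.]+):\d+\]$"
)

def failed_logins(log_text):
    """Yield (source address, account) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED.match(line.strip())
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # malformed address in the log line: skip it
            continue
        yield ip, m["account"]

def block_candidates(log_text, min_failures=3, min_accounts=2):
    """Return {ip: (failures, distinct accounts, enclosing /24)}.

    Requiring several distinct accounts separates a guessing run from one
    user who keeps mistyping a password. Both thresholds are assumptions.
    """
    failures, accounts = Counter(), {}
    for ip, account in failed_logins(log_text):
        failures[ip] += 1
        accounts.setdefault(ip, set()).add(account)
    return {
        str(ip): (n, len(accounts[ip]), str(ip_network(f"{ip}/24", strict=False)))
        for ip, n in failures.items()
        if n >= min_failures and len(accounts[ip]) >= min_accounts
    }

if __name__ == "__main__":
    for ip, (n, accts, net) in block_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures across {accts} accounts, enclosing range {net}")
```

The /24 printed is only the enclosing block of that size; the range actually assigned to the ISP has to be looked up with the relevant registry before blocking it.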