lyfsy

Dictionary SMTP attacks from 4vendeta.com IP range

Jan 22nd, 2020
I have found that IP range belonging to 4vendeta.com, namely

78.128.113.0/24

is the source of dictionary SMTP attacks against several mail servers I maintain. Every several seconds an IP from that network tries to authenticate as 'nic', 'support', 'do-not-reply' etc.

When I blocked the perpetrator's IP, another one from the same range resumed that activity. I tried to contact 4vendeta about that activity, but no answer ever came back.

Funny thing is that 4vendeta.com, according to their site, is an ISP. Rack-web.com, owner of that IP range, also doesn't hurry to respond to an abuse report. Their site has an expired SSL certificate and looks like a VPS hosting client area site.

Has anyone dealt with either of those companies? I understand that the swift solution is to block the entire range and leave it that way, while the firewall logs the mentioned attempts.

I just checked my logs and I've had a few hits from the same place, but they're not worth worrying about. In my opinion contacting the hosting company or manually blocking the IP range is a complete waste of time because there are hundreds of these hosting companies that don't care and millions of IP addresses, and the criminals have learnt to constantly switch to evade firewalls.

Fail2ban is a quick and easy tool for limiting each attack to just a few attempts.

BUT I have now stopped using fail2ban on email ports for two reasons:

1. It makes hardly any difference now, because sustained attacks from the same IP address have become very rare. The criminals try a few times (typically less than 10) then switch to a different address, assuming they will be blocked. A couple of weeks later they try connecting from the original IP address again to see if the ban has been lifted. At that rate they're never going to get in unless you have a VERY weak password or they have billions of IP addresses (it's going to be interesting when they start using IPv6).


2. Fail2ban was causing quite a bit of harm to normal users. In particular, if several people share a public IP address (which is common in most homes and businesses, of course) and one of them mistypes their password, the whole building gets blocked. Some users were doing this repeatedly and it became unworkable (even after whitelisting some of their addresses).

The threats and defences are constantly evolving so none of this might be true tomorrow, but for now I think it's best to just ignore these "dictionary" attacks. Do make sure you prevent weak passwords though. I find that simply setting a minimum length of 10 characters does the trick.

Phil McKerracher
www.beeches.it
Not a hosting company, but I fix hosting problems
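Both posts describe the same pattern from different angles: the original poster sees one address after another from 78.128.113.0/24, and the reply notes that each address now makes fewer than 10 attempts before the attacker rotates, so a per-IP tool like fail2ban rarely triggers. The script below is an added example (not code from either poster) that aggregates Postfix SASL failures per source IP and per enclosing /24, so the rotating campaign shows up as one network with many low-volume sources; the log lines are constructed in the Postfix smtpd format and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix smtpd SASL-failure format (not real logs).
SAMPLE_LOG = """\
Jan 22 10:00:01 mx postfix/smtpd[2101]: warning: unknown[78.128.113.45]: SASL LOGIN authentication failed: authentication failure, sasl_username=nic
Jan 22 10:00:04 mx postfix/smtpd[2101]: warning: unknown[78.128.113.45]: SASL LOGIN authentication failed: authentication failure, sasl_username=support
Jan 22 10:00:09 mx postfix/smtpd[2103]: warning: unknown[78.128.113.46]: SASL LOGIN authentication failed: authentication failure, sasl_username=do-not-reply
Jan 22 10:00:15 mx postfix/smtpd[2105]: warning: unknown[78.128.113.201]: SASL LOGIN authentication failed: authentication failure, sasl_username=nic
Jan 22 10:00:20 mx postfix/smtpd[2105]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Jan 22 10:00:31 mx postfix/smtpd[2107]: warning: unknown[78.128.113.77]: SASL PLAIN authentication failed: authentication failure, sasl_username=support
"""

# Client IP and, where Postfix logs it, the attempted username.
FAIL_RE = re.compile(
    r"warning: [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
    r"(?:.*?sasl_username=(?P<user>\S+))?"
)

def parse_failures(text):
    """Yield (client_ip, username_or_None) for every SASL failure line."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def summarize(text, prefixlen=24):
    """Failures per source IP and per enclosing network (IPv4 /24 by default)."""
    per_ip = Counter()
    per_net = defaultdict(lambda: {"attempts": 0, "ips": set(), "users": set()})
    for ip, user in parse_failures(text):
        per_ip[ip] += 1
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        per_net[net]["attempts"] += 1
        per_net[net]["ips"].add(ip)
        if user:
            per_net[net]["users"].add(user)
    return per_ip, dict(per_net)

def campaign_networks(text, prefixlen=24, min_ips=3, max_per_ip=10):
    """Networks where several IPs each fail only a few times: the pattern a per-IP ban misses."""
    per_ip, per_net = summarize(text, prefixlen)
    return sorted(
        net for net, info in per_net.items()
        if len(info["ips"]) >= min_ips
        and max(per_ip[ip] for ip in info["ips"]) <= max_per_ip
    )
```

On the constructed sample, `campaign_networks(SAMPLE_LOG)` returns only `78.128.113.0/24`, while the single failure from 203.0.113.9 (an ordinary mistyped password) is left alone, which is the distinction the reply's shared-office complaint about fail2ban turns on.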