This is a forward of transaction #3015801 of ticket #1512300096Forward

1.  
2.  
3. This is a forward of transaction #3015801 of ticket #1512300096
4.  
5.  
6. ForwardedMessage.eml
7. Betreff:
8. [noreply] INFO report about 5.230.131.149 - Wed, 30 Dec 2015 06:16:06 +0100 -- service: mail (First x 1) RID: 720341204
9. Von:
10. "Abuse-Team (auto-generated)" <autogenerated@blocklist.de>
11. Datum:
12. 30.12.2015 06:16
13. An:
14. "Abuse-Team of IP: 5.230.131.149" <abuse@ghostnet.de>
15.  
16. Hello Abuse-Team,
17.  
18. your Server/Customer with the IP: *5.230.131.149* (5.230.131.149) has attacked one of our servers/partners.
19. The attackers used the method/service: *mail* on: *Wed, 30 Dec 2015 06:16:06 +0100*.
20. The time listed is from the server-time of the Blocklist-user who submitted the report.
21. The attack was reported to the Blocklist.de-System on: *Wed, 30 Dec 2015 06:16:13 +0100*
22.  
23.  
24. !!! Do not answer to this Mail! Use support@ or contact-form for Questions (no resolve-messages, no updates....) !!!
25.  
26.  
27. The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
28. to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
29. triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
30. The Server-Owner configures the number of failed attempts, and the time period they have
31. to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
32.  
33.  
34. Please check the machine behind the IP 5.230.131.149 (5.230.131.149) and fix the problem.
35. To search for AS-Number/IPs that you control, to see if any others have been infected/blocked, please go to:
36. http://www.blocklist.de/en/search.html?as=12586
37.  
38. If you need the logs in another format (rather than an attachment), please let us know.
39. You can see the Logfiles online again: https://www.blocklist.de/en/logs.html?rid=720341204&ip=5.230.131.149
40.  
41.  
42. You can parse this abuse report mail with X-ARF-Tools from http://www.x-arf.org/tools.html e.g. validatexarf-php.tar.gz.
43. You can find more information about X-Arf V0.2 at http://www.x-arf.org/specification.html
44.  
45. This message will be sent again in one day if more attacks are reported to Blocklist.
46. In the attachment of this message you can find the original logs from the attacked system.
47.  
48. To pause this message for one week, you can use our "Stop Reports" feature on Blocklist.de to submit
49. the IP you want to stop recieving emails about, and the email you want to stop receiving them on.
50. If more attacks from your network are recognized after the seven day grace period, the reports will start
51. being sent again.
52.  
53. To pause these reports for one week:
54. http://www.blocklist.de/en/insert.html?ip=5.230.131.149&email=abuse@ghostnet.de
55.  
56.  
57. We found this abuse email address in the Whois-Data from the IP under the SearchString "abuse-c (own-db)"
58. Reply to this message to let us know if you want us to send future reports to a different email. (e.g. to abuse-quiet or a special address)
59.  
60. This is not a complaint, and is for information purposes only. Please check your Newsletter or Database for unknown users and use double-opt-in.
61. ------------------------------
62. blocklist.de Abuse-Team
63. This message was sent automatically. For questions please use our Contact-Form (autogenerated@/abuse-team@ is not monitored!):
64. https://www.blocklist.de/en/contact.html?RID=720341204
65. Logfiles: https://www.blocklist.de/en/logs.html?rid=720341204&ip=5.230.131.149
66. ------------------------------
67.  
68.  
69. report.txt
70.  
71. Reported-From: abuse-team@blocklist.de
72. Category: info
73. Report-Type: harvesting
74. Service: mail
75. Version: 0.2
76. User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
77. Date: Wed, 30 Dec 2015 06:16:06 +0100
78. Source-Type: ip-address
79. Source: 5.230.131.149
80. Port: 25
81. Report-ID: 720341204@blocklist.de
82. Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
83. Attachment: text/plain
84.  
85.  
86. logfile.log
87.  
88.  
89. Dec 30 06:16:04 orion2589 postfix/smtpd[3337]: connect from unknown[5.230.131.149]
90. Dec 30 06:16:05 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>
91. Dec 30 06:16:05 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>
92. Dec 30 06:16:05 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>
93. Dec 30 06:16:06 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>
94. Dec 30 06:16:06 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>
95. Dec 30 06:16:06 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>
96. Dec 30 06:16:06 orion2589 postfix/smtpd[3337]: NOQUEUE: reject: RCPT from unknown[5.230.131.149]: 554 5.7.1 <x>: Relay access denied; from=x@x helo=<85.25.199.140>