Re: [exim] Stopping Bruteforceattacks

Author: Dr Andrew C Aitchison
Date:  
To: Chris Knadle
CC: exim-users
Subject: Re: [exim] Stopping Bruteforceattacks
On Wed, 25 Jul 2012, Chris Knadle wrote:

> What I don't understand about this particular situation is that the IP address
> of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
> which would make it seem like the attacker is on the local LAN (or via VPN).


>> 2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)


Maybe I'm misreading the logs, but isn't 192.168.0.232
the HELO/EHLO address?
In which case the rogue machine is on a private network belonging
to a broadviewnet customer and somewhere behind 216.214.153.238?

> That seems like in addition to adding fail2ban, you'd want to find the
> offending box and take it offline for antivirus scanning (if possible) because
> the "attacker" is probably malware.
>
> Good luck tracking it down.


-- 
Dr. Andrew C. Aitchison        Computer Officer, DPMMS, Cambridge
A.C.Aitchison@???    http://www.dpmms.cam.ac.uk/~werdna
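As an added illustration (not part of the thread or of Exim itself), the following parser pulls the real peer address from the square-bracketed field of an Exim authenticator-failure line, keeps the parenthesised HELO/EHLO string separate, and flags HELO values that are private-range address literals, which describe the peer's own LAN rather than where the connection came from. The sample lines are constructed in the format the quoted log shows; the regex is an assumption about that format, not Exim's own definition.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format shown in the thread (not real log data).
SAMPLE_LOG = """\
2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:09:15 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=admin)
2012-07-25 07:10:02 login authenticator failed for mail.example.net (mail.example.net) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2012-07-25 07:10:40 plain authenticator failed for (WIN-PC) [203.0.113.9]: 535 Incorrect authentication data (set_id=aidan)
"""

# Assumed layout: "<ts> <auth> authenticator failed for [rdns] [(helo)] [ip]: 535 ... (set_id=user)"
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for "
    r"(?:(?P<rdns>[^\s(\[]+) )?"   # optional reverse-DNS name of the peer
    r"(?:\((?P<helo>[^)]*)\) )?"   # optional HELO/EHLO string, as sent by the client
    r"\[(?P<ip>[^\]]+)\]: 535 "    # the address the TCP connection actually came from
    r".*?\(set_id=(?P<user>[^)]*)\)"
)

def parse_auth_failure(line):
    """Return the fields of an authenticator-failure line, or None for other lines."""
    m = AUTH_FAIL.match(line)
    return m.groupdict() if m else None

def helo_private_literal(rec):
    """True when the HELO/EHLO string is an address literal in a private range.
    Such a value is client-supplied and says nothing about the connecting address."""
    helo = (rec.get("helo") or "").strip("[]")
    try:
        return ipaddress.ip_address(helo).is_private
    except ValueError:
        return False

def failures_by_source(log_text):
    """Count failures per connecting address (never per HELO string)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_auth_failure(line)
        if rec:
            counts[rec["ip"]] += 1
    return counts

def sources_over_threshold(log_text, limit):
    """Addresses with at least `limit` failures, the set a fail2ban-style rule would act on."""
    return sorted(ip for ip, n in failures_by_source(log_text).items() if n >= limit)
```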