Re: [exim] Stopping Bruteforceattacks

Author: Chris Knadle
Date:  
To: Dr Andrew C Aitchison
CC: exim-users
Subject: Re: [exim] Stopping Bruteforceattacks
On Wednesday, July 25, 2012 07:05:04, Dr Andrew C Aitchison wrote:
> On Wed, 25 Jul 2012, Chris Knadle wrote:
> > What I don't understand about this particular situation is that the IP
> > address of the attacker is in the RFC 1918 private IP address range
> > (192.168.x.x) which would make it seem like the attacker is on the local
> > LAN (or via VPN).
> >
> >> 2012-07-25 07:09:11 no IP address found for host
> >> static-216-214-153-238.isp.broadviewnet.net (during SMTP connection
> >> from [216.214.153.238]) 2012-07-25 07:09:11 plain authenticator failed
> >> for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication
> >> data (set_id=aidan)
>
> Maybe I'm misreading the logs, but isn't 192.168.0.232
> the HELO/EHLO address ?
No, you're right -- I misread this to begin with because I missed the []
inside of the () and also made the mistake of not reading the next line due to
the word wrap. [I'm so used to reading "long line" Exim4 logs that
unconsciously these seemed to be out-of-place. Ugh.]

> In which case the rogue machine is on a private network belonging
> to a broadviewnet customer and somewhere behind 216.214.153.238 ?
AFAIK the 216.214.153.238 is an internet-routable (i.e. public) address.

-- Chris

--
Chris Knadle
Chris.Knadle@???
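The confusion in this thread comes from the layout of Exim's "authenticator failed" line: the name in parentheses is whatever the client sent in HELO/EHLO (here a private 192.168.x.x address, which the attacker chooses freely), while the real peer address is the bracketed one that follows. The parser below is an added example, not code from the thread or from Exim; it pulls the bracketed peer address and the set_id user out of lines shaped like the ones quoted above, counts failures per peer, and checks whether each HELO string and peer address falls in a private range. The regular expression is modelled only on the two line forms visible in the thread (with and without a reverse-DNS name before the parentheses) and allows an optional `:port` after the address; the extra log lines and the threshold of three failures are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread. The first
# two lines reproduce the quoted ones; the rest are made up for this example.
SAMPLE_LOG = """\
2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:09:14 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=admin)
2012-07-25 07:09:17 login authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=test)
2012-07-25 07:12:02 plain authenticator failed for mail.example.test (mail.example.test) [203.0.113.7]: 535 Incorrect authentication data (set_id=bob)
"""

# One Exim "authenticator failed" line. Assumed layout (from the quoted lines):
#   <timestamp> <mech> authenticator failed for [rdns-name ](<helo>) [<peer-ip>][:port]: 535 <reason> (set_id=<user>)
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<mech>\S+) authenticator failed for "
    r"(?:(?P<rdns>\S+) )?"          # optional reverse-DNS name of the peer
    r"\((?P<helo>[^)]*)\) "         # HELO/EHLO string, chosen by the client
    r"\[(?P<ip>[^\]]+)\]"           # the real peer address (what to act on)
    r"(?::\d+)?: 535 "              # optional port, then the SMTP 535 reply
    r"(?P<reason>.*?)"
    r"(?: \(set_id=(?P<user>[^)]*)\))?$"
)


def parse_auth_failures(log_text):
    """Return one dict per authenticator-failed line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def address_is_private(text):
    """True/False for an IP literal (brackets allowed), None if not an address.

    Used to show that the HELO value can claim a private address while the
    peer address that actually matters is public.
    """
    try:
        return ipaddress.ip_address(text.strip("[]")).is_private
    except ValueError:
        return None


def failures_by_peer(log_text):
    """Count failed logins per *peer* address, never per HELO string."""
    return Counter(r["ip"] for r in parse_auth_failures(log_text))


def flag_brute_force(log_text, threshold=3):
    """Peers with at least `threshold` failures, sorted; threshold is assumed."""
    counts = failures_by_peer(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for rec in parse_auth_failures(SAMPLE_LOG):
        print(f"{rec['ts']} user={rec['user']!s:8} helo={rec['helo']:20} "
              f"(private={address_is_private(rec['helo'])}) "
              f"peer={rec['ip']} (private={address_is_private(rec['ip'])})")
    print("peers over threshold:", flag_brute_force(SAMPLE_LOG))
```

Running the block shows the point made in the thread: every failure from the attacker carries the private HELO `[192.168.0.232]`, but the peer is the public 216.214.153.238, and that is the address a counter or blocklist should key on. The "no IP address found for host" line is deliberately left unparsed, since it records the connection rather than a failure.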