Autore: Chris Knadle Data: To: Dr Andrew C Aitchison CC: exim-users Oggetto: Re: [exim] Stopping Bruteforceattacks
On Wednesday, July 25, 2012 07:05:04, Dr Andrew C Aitchison wrote: > On Wed, 25 Jul 2012, Chris Knadle wrote:
> > What I don't understand about this particular situation is that the IP
> > address of the attacker is in the RFC 1918 private IP address range
> > (192.168.x.x) which would make it seem like the attacker is on the local
> > LAN (or via VPN).
> >
> >> 2012-07-25 07:09:11 no IP address found for host
> >> static-216-214-153-238.isp.broadviewnet.net (during SMTP connection
> >> from [216.214.153.238]) 2012-07-25 07:09:11 plain authenticator failed
> >> for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication
> >> data (set_id=aidan)
>
> Maybe I'm misreading the logs, but isn't 192.168.0.232
> the HELO/EHLO address ?
No, you're right -- I misread this to begin with because I missed the []
inside of the () and also made the mistake of not reading the next line due to
the word wrap. [I'm so used to reading "long line" Exim4 logs that
unconsciously these seemed to be out-of-place. Ugh.]
> In which case the rogue machine is on a private network belonging
> to a broadviewnet customer and somewhere behind 216.214.153.238 ?
AFAIK the 216.214.153.238 is an internet-routable (i.e. public) address.