> On 08.01.2022 at 11:38, Andrea Venturoli <ml@xxxxxxxxxxx> wrote:
>
> Hello and sorry for the OT.
>
> One of the servers I manage has been under attack for 3 days: I'm confident they won't be able to get in, but monitoring would warn me just in case.
> However, I feel curious, since I never saw such a perduring attack: normally they try info@ or an existing address a few times, then go away.
>
> Here, however:
> _ it's been going on for 3 days;
> _ fail2ban has already blocked 3500 IPs from all around the world (mostly from the US, a lot from Europe, but also Asia...);
> _ they started trying to access reception@... (which never existed); after 24h, they moved to trying billing@... (which also never existed); now they are trying with an existing address (which is an alias, though, so they won't get access anyway with that user).
>
> The company this server belongs to is no NASA or McDonald's or bank: I see no reason why they should insist on it.

Seems like the "usual" current DDoS brute-force stuff from whoever (bot network "scene" etc.), which has to be expected with any "public" SMTP / IMAP / POP3. Getting access to SMTP (for spam exploding) is typically their target, but SMTP is usually more restrictive against brute force, so it is a "backyard" vector...

The target host operator is usually of no interest to them; the host should just be "fast enough". It seems they get some basic target data (probable parts of usernames / mail domains / addresses) out of Android spyware, Windows trojans, hacked web portals / webshops and similar things which spy on local mailbox content, plus network scans like "network search engines". This would explain the timing of such attacks too.

Just my .02$

niels.

—
Niels Dettenbach
https://www.syndicat.com
https://www.syndicat.com/pub_key.asc

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T1d0fcd8364d69d1f-Me8fa6212a4bdb5a71b92ad83
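The pattern Andrea describes (thousands of source IPs, each making only a few attempts, all aimed at one target address at a time) is exactly what a per-source tool like fail2ban cannot see: every IP stays under its ban threshold while the campaign as a whole hammers one mailbox. The script below is an added example, not code from the thread or from the Cyrus project; it regroups authentication failures by target user instead of by source IP, so a distributed campaign against `reception@` or `billing@` shows up as one event. The log lines are constructed for the example and only approximate the shape of Cyrus IMAP "badlogin" syslog entries; the regex, the `KNOWN_USERS` set and the thresholds (`min_sources`, `per_ip_threshold`) are assumptions to be adjusted to a real deployment.

```python
import re
from collections import defaultdict

# Constructed sample log excerpt. The line shape approximates Cyrus IMAP
# "badlogin" syslog entries; treat the exact format as an assumption.
SAMPLE_LOG = """\
Jan  8 10:01:02 mx imap[1201]: badlogin: unknown [192.0.2.10] plaintext reception@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:01:40 mx imap[1203]: badlogin: unknown [198.51.100.7] plaintext reception@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:02:15 mx imap[1204]: badlogin: unknown [203.0.113.42] plaintext reception@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:02:58 mx imap[1206]: badlogin: unknown [192.0.2.77] plaintext reception@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:03:30 mx imap[1207]: badlogin: unknown [198.51.100.9] plaintext billing@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:04:02 mx imap[1208]: badlogin: unknown [203.0.113.5] plaintext billing@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:04:44 mx imap[1209]: badlogin: unknown [192.0.2.10] plaintext billing@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:05:00 mx imap[1210]: login: unknown [192.0.2.200] andrea@example.org plaintext User logged in
Jan  8 10:05:10 mx imap[1211]: badlogin: unknown [198.51.100.200] plaintext info@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:05:12 mx imap[1211]: badlogin: unknown [198.51.100.200] plaintext info@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:05:14 mx imap[1211]: badlogin: unknown [198.51.100.200] plaintext info@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:05:16 mx imap[1211]: badlogin: unknown [198.51.100.200] plaintext info@example.org SASL(-13): authentication failure: checkpass failed
Jan  8 10:05:18 mx imap[1211]: badlogin: unknown [198.51.100.200] plaintext info@example.org SASL(-13): authentication failure: checkpass failed
"""

# Mailboxes that actually exist on the server (constructed for the example).
KNOWN_USERS = {"info@example.org", "andrea@example.org"}

# Matches "badlogin: <host> [<ip>] <mechanism> <user> SASL..."; the host
# field is optional so lines without a reverse-DNS name also match.
BADLOGIN_RE = re.compile(r"badlogin: (?:\S+ )?\[(?P<ip>[^\]]+)\] \S+ (?P<user>\S+) SASL")


def parse_badlogins(text):
    """Yield (source_ip, target_user) for every badlogin entry in the text."""
    for line in text.splitlines():
        match = BADLOGIN_RE.search(line)
        if match:
            yield match.group("ip"), match.group("user")


def analyse(text, known_users, min_sources=3, per_ip_threshold=5):
    """Aggregate failures by target user (what fail2ban does not do) and by source IP.

    Returns a dict with:
      distributed          - users attacked from at least min_sources distinct IPs
      nonexistent_targets  - attacked users that are not real mailboxes (enumeration)
      ips_below_ban_threshold - sources that stayed under a per-IP ban limit
    """
    sources_by_user = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    for ip, user in parse_badlogins(text):
        sources_by_user[user].add(ip)
        attempts_by_ip[ip] += 1

    distributed = {u: len(s) for u, s in sources_by_user.items() if len(s) >= min_sources}
    nonexistent = sorted(u for u in sources_by_user if u not in known_users)
    below_ban = sorted(ip for ip, n in attempts_by_ip.items() if n < per_ip_threshold)
    return {
        "distributed": distributed,
        "nonexistent_targets": nonexistent,
        "ips_below_ban_threshold": below_ban,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, KNOWN_USERS)
    for user, count in report["distributed"].items():
        print(f"distributed campaign against {user}: {count} distinct source IPs")
    print("targets that do not exist:", report["nonexistent_targets"])
    print("sources a per-IP ban would miss:", report["ips_below_ban_threshold"])
```

On the sample, `reception@` and `billing@` are each flagged as distributed targets even though no single source exceeds two attempts, while the one source that does hit the per-IP limit (the `info@` attempts) is the only case a per-IP ban alone would have caught. In practice the same grouping can feed an alert, a temporary rate limit on the targeted account, or a rejection of never-existing addresses before authentication is attempted.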