NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro


"WE ARE NOT SPAMMING OR HACKING YOU"

I was perusing server and firewall logs a short while ago, and this one literally made me ROFLMAO.

The "WE ARE NOT SPAMMING OR HACKING YOU" disclaimer gives me such a warm fuzzy feeling that I may even manually remove the automatic firewall block that went up...or not.

Windows email server log:
"TCPIP"2260"2012-02-12 07:08:28.228""TCPConnection - Posting AcceptEx on 0.0.0.0:110"
"POP3D"226014298"2012-02-12 07:08:28.228""93.126.8.3""SENT: +OK DCS Enterprises hMailServer"
"TCPIP"2260"2012-02-12 07:08:28.479""TCPConnection - Posting AcceptEx on 0.0.0.0:110"
"POP3D"226014299"2012-02-12 07:08:28.494""93.126.8.3""SENT: +OK DCS Enterprises hMailServer"
"POP3D"226014299"2012-02-12 07:08:28.761""93.126.8.3""RECEIVED: USER besadmin"
"POP3D"226014299"2012-02-12 07:08:28.761""93.126.8.3""SENT: +OK Send your password"
"POP3D"226014299"2012-02-12 07:08:29.011""93.126.8.3""RECEIVED: PASS ***"
"POP3D"226014299"2012-02-12 07:08:29.027""93.126.8.3""SENT: -ERR Invalid user name or password. Please use full email address as user name."
"POP3D"226014299"2012-02-12 07:08:29.293""93.126.8.3""RECEIVED: QUIT"
"POP3D"226014299"2012-02-12 07:08:29.293""93.126.8.3""SENT: +OK POP3 server saying goodbye..."
 

Linux email server log:
Feb 12 07:08:29 webhost popper[26493]: besadmin at asmanfaraz.3.8.126.93.in-addr.arpa (93.126.8.3): -ERR Too few arguments for the pass command. [pop_get_command.c:124]
Feb 12 07:08:30 webhost popper[26493]: Possible probe of account besadmin from host asmanfaraz.3.8.126.93.in-addr.arpa (93.126.8.3) [pop_quit.c:29]
 

whois 93.126.8.3
inetnum:         93.126.0.0 - 93.126.63.255
netname:         AISDP
descr:           ASMANFARAZ SEPAHAN ISDP
country:         IR
org:             ORG-AI37-RIPE
admin-c:         ISDP-RIPE
admin-c:         RL5000-RIPE
tech-c:          RL5000-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-by:          MNT-hamed
mnt-by:          MNT-AISDP
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      MNT-AISDP
mnt-domains:     MNT-hamed
source:          RIPE # Filtered
 
organisation:    ORG-AI37-RIPE
org-name:        ASMANFARAZ SEPAHAN ISDP
org-type:        OTHER
address:         Parsian Building, Sharif St, Emam khomeini AV ,Esfahan-Iran
address:         IR
mnt-by:          MNT-Hamed
abuse-mailbox:   ripe@asmanfaraz.com
mnt-ref:         MNT-hamed
mnt-ref:         MNT-AISDP
source:          RIPE # Filtered
 
role:            Asmanfaraz Sepahan NOC
address:         Parsian Building, Sharif St, Emam khomeini AV
address:         Esfahan,IR
phone:           +98-311-3344600
fax-no:          +98-311-3344601
admin-c:         HS4249-RIPE
tech-c:          HS4249-RIPE
nic-hdl:         ISDP-RIPE
mnt-by:          MNT-Hamed
mnt-by:          MNT-AISDP
remarks:         +----------------------------------------------------------
remarks:         |           "WE ARE NOT SPAMMING OR HACKING YOU"           |
remarks:         |If you think I am, please: http://www.ripe.net/nicdb.html |
remarks:         +----------------------------------------------------------
remarks:         +----------------------------------------------------------
remarks:         |        Web Site: http://www.asmanfaraz.com               |
remarks:         |                 NOC:  noc@asmanfaraz.com                 |
remarks:         +----------------------------------------------------------
 

EDIT: I can understand why an Iranian network might be scanning for a Blackberry email server that is not monitored/controlled by the Emamfia©, but sorry, guys, it isn't going to be my servers. Besides not having enough bandwidth to supply Iran with unmonitored email, I really don't need the kind of attention that would broadcast to domestic 3 letter agencies.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1
If they're trying to hack you, hack them back three times as bad.

If they're looking for a way around government censorship, maybe someone with deep enough pockets should set aside some bandwidth somewhere and oblige them.

Any government, anywhere, that tries to shut down the Internet should in turn be shut down by its own people.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to NetFixer
"Hack me and I hack back... with Tomahawks and SEALs" :twisted:
I should draft that as my banner / MOTD, translate it into 25 languages and post it up for s**ts and giggles.

Was the login attempt a one-time thing NetFixer, or did they try for a couple minutes / hours before giving up?

Regards


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

said by HELLFIRE:

"Hack me and I hack back... with Tomahawks and SEALs"

I take it you noticed my P2V avatar (although it predates both Tomahawks and SEALs).

said by HELLFIRE:

Was the login attempt a one-time thing NetFixer, or did they try for a couple minutes / hours before giving up?

There were multiple login attempts on both of my email servers, but they were automatically terminated when the IP address was blocked (at first a temporary automatic block by the email servers, and then I made the block permanent after I was notified). Once that happens, they can continue for hours if they wish, but their connection attempts won't even show up in my firewall logs. I have not had any other such events from other IP addresses in that address range, so they probably just continued to increment the target IP address and look for other POP3 servers once they stopped receiving a response from my email servers.

The only reason I bothered to post this one (POP3 dictionary attacks are a common everyday event) is that I found the "WE ARE NOT SPAMMING OR HACKING YOU" disclaimer to be amusing (especially since the IP address used is in several black lists), and that it was a probe for a specific username (that could possibly be a valuable commodity in Iran) instead of the more typical shotgun style dictionary attack (for the mundane purpose of converting my email servers into spambots).
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
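A small detection pass over lines in the shape of the two POP3 logs quoted in this thread (hMailServer POP3D and qpopper), which counts rejected logins per source IP and separates the single-account probe NetFixer describes from the more usual many-name dictionary run. This is an added example, not code from the thread or from either mail server; the 198.51.100.7 lines, their host name and their qpopper error text are constructed, as is the second hMailServer session.

```python
import re
from collections import defaultdict

# Line shapes copied from the two POP3 logs quoted in the thread (hMailServer POP3D, qpopper).
HMAIL_RE = re.compile(r'^"POP3D"(\d+)"[^"]+""([\d.]+)""(RECEIVED|SENT): (.*)"$')
POPPER_RE = re.compile(r'popper\[\d+\]: (\S+) at \S+ \(([\d.]+)\): -ERR')

def failed_logins(lines):
    # Returns [(client_ip, username)] for each rejected login in either format.
    last_user, failures = {}, []   # hMailServer logs USER and -ERR on separate lines, tied by session id
    for line in lines:
        m = HMAIL_RE.match(line.strip())
        if m:
            session, ip, direction, msg = m.groups()
            if direction == "RECEIVED" and msg.startswith("USER "):
                last_user[session] = msg[5:].strip()
            elif direction == "SENT" and msg.startswith("-ERR Invalid"):
                failures.append((ip, last_user.pop(session, "?")))
        elif (m := POPPER_RE.search(line)):
            user, ip = m.groups()          # qpopper puts user and client IP on the -ERR line itself
            failures.append((ip, user))
    return failures

def classify(failures, block_after=3):
    # Per source IP -> (failure count, distinct usernames, verdict). One name hammered repeatedly
    # is a targeted account probe; many different names is the everyday dictionary attack.
    per_ip = defaultdict(list)
    for ip, user in failures:
        per_ip[ip].append(user)
    report = {}
    for ip, users in per_ip.items():
        if len(users) < block_after:
            verdict = "watch"
        elif len(set(users)) == 1:
            verdict = "block: single-account probe of " + users[0]
        else:
            verdict = "block: dictionary attack"
        report[ip] = (len(users), len(set(users)), verdict)
    return report

# Constructed sample: besadmin probed from the thread's IP on both servers, plus a three-name
# run from a documentation address (198.51.100.7) with made-up qpopper error text.
SAMPLE = [
    '"POP3D"226014299"2012-02-12 07:08:28.761""93.126.8.3""RECEIVED: USER besadmin"',
    '"POP3D"226014299"2012-02-12 07:08:29.027""93.126.8.3""SENT: -ERR Invalid user name or password."',
    '"POP3D"226014305"2012-02-12 07:08:40.100""93.126.8.3""RECEIVED: USER besadmin"',
    '"POP3D"226014305"2012-02-12 07:08:40.300""93.126.8.3""SENT: -ERR Invalid user name or password."',
    'Feb 12 07:08:29 webhost popper[26493]: besadmin at asmanfaraz.3.8.126.93.in-addr.arpa (93.126.8.3): -ERR Too few arguments for the pass command. [pop_get_command.c:124]',
    'Feb 12 07:09:01 webhost popper[26501]: alice at host.example.net (198.51.100.7): -ERR Invalid login. [pop_pass.c:1]',
    'Feb 12 07:09:02 webhost popper[26502]: bob at host.example.net (198.51.100.7): -ERR Invalid login. [pop_pass.c:1]',
    'Feb 12 07:09:03 webhost popper[26503]: carol at host.example.net (198.51.100.7): -ERR Invalid login. [pop_pass.c:1]',
]
```

Running `classify(failed_logins(SAMPLE))` yields a block verdict for both addresses, but with the thread's IP flagged as a single-account probe of besadmin rather than a dictionary run.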


mod_wastrel
iamwhatiam

join:2008-03-28
kudos:1
reply to NetFixer
"Pay no attention to that man behind the curtain."


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
said by mod_wastrel:

"Pay no attention to that man behind the curtain."

As the great bard said: "All the world's a stage...".
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to NetFixer
said by NetFixer:

The only reason I bothered to post this one (POP3 dictionary attacks are a common everyday event) is that I found the "WE ARE NOT SPAMMING OR HACKING YOU" disclaimer to be amusing (especially since the IP address used is in several black lists)...

Thanks for the heads-up NetFixer. Got paranoid so I dropped the entire netrange into the bitbucket on my edge routers. Figured better safe than sorry.

Regards