Which is why of course there should be an exemption list of IPs that are
not configured right, and still need to reach/access/authenticate to
your server, but they are rare and far between, compared to the abuse
volumes.
And REALLY you need to watch those malicious actors who find that the
long take down times on Cloud providers make a wonderful place to
launch phishing attacks, and BEC abuse.
The DRE rules are really good for seeing patterns, and reporting them,
as well as having the ability to use IPSETs for both temporary and
permanent blocking, while waiting for those IPs to get onto more public
reputation lists.
CONN: 3.14.96.185 -> 587 GeoIP = [US] PTR = ec2-3-14-96-185.us-east-2.compute.amazonaws.com
EHLO command received, args: c-50-187-75-45.unallocated.comcastbusiness.net
(Broken AUTH attempts)
CONN: 52.40.86.121 -> 25 GeoIP = [US] PTR = ec2-52-40-86-121.us-west-2.compute.amazonaws.com
EHLO command received after STARTTLS, args: amz3.us-west-2.compute.internal
(Nonexistent Email Accounts, @amz3.securityserve.com)
(Interesting, domain MX is MailGun)
CONN: 3.212.128.62 -> 587 GeoIP = [US] PTR = ec2-3-212-128-62.compute-1.amazonaws.com
CONN: 34.198.201.66 -> 587 GeoIP = [US] PTR = ec2-34-198-201-66.compute-1.amazonaws.com
CONN: 18.116.205.62 -> 587 GeoIP = [US] PTR = ec2-18-116-205-62.us-east-2.compute.amazonaws.com
CONN: 54.167.223.174 -> 587 GeoIP = [US] PTR = ec2-54-167-223-174.compute-1.amazonaws.com
CONN: 3.12.251.153 -> 587 GeoIP = [US] PTR = ec2-3-12-251-153.us-east-2.compute.amazonaws.com
(Broken Bots, or service probes)
To date, we have only ONE IP in the exemption list for those, a billing
software that sends invoices..
Just a quick snapshot from the last hours logs..
On 2024-06-25 07:05, Gellner, Oliver via mailop wrote:
On 18.06.2024 at 19:45, Mark Stone via mailop wrote:
FWIW, we use Fail2Ban to block all AWS EC2 IPs that have an
"ec2-xxx.compute...amazonaws.com" PTR record, and another Fail2Ban rule to block hosts
that HELO with "127.0.0.1".
That's a good idea, except when you have to deal with companies like Everbridge
Inc or Tencent QQ, which apparently think it's a good idea to rent VMs at
various cloud providers and run them with their default config.
----- Original Message -----
| From: "Michael Peddemors via mailop" <mailop@mailop.org>
| To: "mailop" <mailop@mailop.org>
| Sent: Tuesday, June 18, 2024 1:12:18 PM
| Subject: [mailop] Another 'Verified Email' service on AWS EC2
| Jun 18 09:58:03 be msd[1959712]: CONN: 34.229.185.73 -> 25 GeoIP = [US] PTR = ec2-34-229-185-73.compute-1.amazonaws.com OS = Linux 2.2.x-3.x
| Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]
| Jun 18 09:58:04 be msd[1959712]: RSET command received, args:
| Jun 18 09:58:04 be msd[1959712]: MAIL command received, args: FROM:<verify-no-re...@thrust.io>
|
| * No custom PTR record
| * HELO is obviously bad..
|
| Love the link on their website, trusted by professionals at Amazon,
| Cisco, Adobe..
|
| Fortunately our spam auditing team's DRE (Dynamic Rule Engine) and DFS
| (Distributed Feedback Systems) find these IPs, so they can be shared
| with the community at large.. Of course, our systems don't actually
| let those systems do any email scraping or verification ..
|
| Just another trend on Amazon's EC2 that is getting really old really fast.
Thanks, blocked.
--
BR Oliver
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
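The two rules discussed in this thread (block senders whose PTR is a generic `ec2-...amazonaws.com` name, block senders that HELO as `127.0.0.1`) plus the exemption list Michael describes can be expressed as a small log classifier. The script below is an added example written for this page; it is not code from the thread, from LinuxMagic's DRE/DFS, or from Mark Stone's Fail2Ban setup. It assumes the `msd` log layout as quoted in the thread (a `CONN:` line followed by `HELO`/`EHLO` lines sharing the same `msd[pid]`), uses constructed sample lines with documentation-range addresses, and invents the ipset names `mail-block-perm` / `mail-block-temp`, the one-day temporary timeout and the exempt address. The split into "permanent" for the loopback HELO and "temporary" for an EC2 PTR alone is a design choice mirroring the temporary/permanent IPSET usage mentioned above, not something the thread prescribes. It goes slightly beyond the quoted lines in that it also handles `EHLO ... after STARTTLS` and the bracketed `[127.0.0.1]` HELO form seen in the logs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input in the msd log layout quoted in the thread.
# Addresses and PTR names are documentation-range placeholders (RFC 5737),
# not the hosts discussed on the list.
SAMPLE_LOG = """\
Jun 18 09:58:03 be msd[1959712]: CONN: 203.0.113.10 -> 25 GeoIP = [US] PTR = ec2-203-0-113-10.compute-1.amazonaws.com OS = Linux 2.2.x-3.x
Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]
Jun 18 09:58:04 be msd[1959712]: RSET command received, args:
Jun 18 09:58:04 be msd[1959712]: MAIL command received, args: FROM:<verify@example.invalid>
Jun 18 10:02:11 be msd[1959713]: CONN: 203.0.113.20 -> 587 GeoIP = [US] PTR = ec2-203-0-113-20.us-east-2.compute.amazonaws.com
Jun 18 10:02:12 be msd[1959713]: EHLO command received after STARTTLS, args: host.unallocated.example.net
Jun 18 10:05:40 be msd[1959714]: CONN: 203.0.113.30 -> 587 GeoIP = [US] PTR = ec2-203-0-113-30.us-west-2.compute.amazonaws.com
Jun 18 10:05:41 be msd[1959714]: EHLO command received, args: billing.example.org
Jun 18 10:07:02 be msd[1959715]: CONN: 198.51.100.5 -> 25 GeoIP = [DE] PTR = mail.example.org
Jun 18 10:07:03 be msd[1959715]: EHLO command received, args: mail.example.org
"""

# Exemption list: legitimate senders that live on EC2 with a default PTR
# (constructed; stands in for the "billing software that sends invoices").
EXEMPT_IPS: Set[str] = {"203.0.113.30"}

# One connection line: pid, client IP, destination port and the PTR value.
CONN_RE = re.compile(
    r"msd\[(?P<pid>\d+)\]: CONN: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<port>\d+)"
    r".*?PTR = (?P<ptr>\S+)"
)
# HELO/EHLO line (optionally "after STARTTLS") tied to the same pid.
HELO_RE = re.compile(
    r"msd\[(?P<pid>\d+)\]: (?:HELO|EHLO) command received(?: after STARTTLS)?, args: (?P<helo>.*)$"
)
# Generic EC2 reverse DNS: ec2-A-B-C-D.<region>.compute.amazonaws.com or compute-1.
EC2_PTR_RE = re.compile(
    r"^ec2-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.[\w.-]*amazonaws\.com$", re.IGNORECASE
)


@dataclass
class Session:
    ip: str
    port: int
    ptr: str
    helo: Optional[str] = None


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group CONN and HELO/EHLO lines by msd pid into one Session per connection."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            sessions[m["pid"]] = Session(m["ip"], int(m["port"]), m["ptr"])
            continue
        m = HELO_RE.search(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]].helo = m["helo"].strip()
    return sessions


def helo_is_loopback(helo: Optional[str]) -> bool:
    """True for HELO 127.0.0.1, [127.0.0.1] or localhost (never a valid client name)."""
    if helo is None:
        return False
    return helo.strip("[]").lower() in {"127.0.0.1", "localhost"}


def classify(session: Session, exempt: Set[str] = EXEMPT_IPS) -> str:
    """Apply the exemption list first, then the two rules from the thread."""
    if session.ip in exempt:
        return "allow"
    if helo_is_loopback(session.helo):
        return "block_permanent"      # broken client, no reason to ever let it back
    if EC2_PTR_RE.match(session.ptr):
        return "block_temporary"      # generic EC2 PTR: hold until reputation lists catch up
    return "allow"


def ipset_commands(sessions: Dict[str, Session], exempt: Set[str] = EXEMPT_IPS,
                   temp_seconds: int = 86400) -> List[str]:
    """Render ipset add commands (set names are assumed) for every blocked IP, once each."""
    cmds: List[str] = []
    seen: Set[str] = set()
    for s in sessions.values():
        if s.ip in seen:
            continue
        seen.add(s.ip)
        verdict = classify(s, exempt)
        if verdict == "block_permanent":
            cmds.append(f"ipset add mail-block-perm {s.ip}")
        elif verdict == "block_temporary":
            # requires a set created with "timeout" support; the entry expires on its own
            cmds.append(f"ipset add mail-block-temp {s.ip} timeout {temp_seconds}")
    return cmds


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for pid, sess in parsed.items():
        print(pid, sess.ip, sess.ptr, sess.helo, "->", classify(sess))
    print("\n".join(ipset_commands(parsed)))
```

Run against a live log, the output is a list of `ipset add` lines you can review before feeding them to a shell; keeping the exemption check ahead of both rules is what lets an EC2-hosted invoicing system keep delivering while everything else with a default PTR sits in the temporary set.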