Extracts of the firewall log are mailed daily to the relevant IRT/CERT. They document suspect abusive behavior. See the notes below for the purpose of sending logs.
The ipqbdb firewall randomly blocks TCP/IP packets arriving from bad IP addresses. Addresses are stored in a Berkeley DB, along with the following data:
The destination IPs are those of this host, 62.94.243.226 or sometimes 85.18.98.155. The port numbers are those of the service mentioned in the reason: 25, 465 or 587 for SMTP, 143 or 993 for IMAP, 110 or 995 for POP3, and so on.
The most frequently occurring abuses are caught by parsing the mail.log, which is produced by a Courier-MTA mail server. Parsing uses regular expressions in which <HOST> indicates the IP address.
Unauthenticated SMTP client tried to send a message to an address not hosted by this server.
courieresmtpd: error,relay=<HOST>,from=<[^>]*>,to=<[^>]*>: 513 Relaying denied
Client attempted SMTP authentication with invalid credentials.
courieresmtpd: error,relay=<HOST>,msg="535 Authentication failed.
Client attempted IMAP or POP3 authentication with invalid credentials.
LOGIN FAILED, (?:user|method)=\S* ip=\[<HOST>]
The SMTP client supplied a reverse-path (MAIL FROM, also known as the Return-Path address) whose domain part is a non-existing domain.
courieresmtpd: error,relay=<HOST>,from=<[^>]*>: 517-Domain does not exist
The SMTP client supplied a reverse-path (MAIL FROM, also known as the Return-Path address) whose domain does not authorize the relevant IP address. Note that, according to RFC 7208, this server checks a DNSWL before issuing this failure.
courieresmtpd: error,relay=<HOST>,from=<[^>]*>: 517 SPF fail
Courier is configured to allow a limited number of connections from the same IP address or class C cluster, which is usually more than enough. The IMAP or SMTP client connection exceeded that limit.
Maximum connection limit reached for <HOST>
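As an added illustration (not part of this page or of the ipqbdb tooling), the following Python applies the six patterns listed above to constructed mail.log lines, substituting an IP capture for <HOST>, and tallies matches per client address; the "::ffff:" handling, the reason names and the sample lines are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# The page's patterns, verbatim except that the trailing '.' of the 535 message is escaped.
PATTERNS = {
    "relay-denied":  r"courieresmtpd: error,relay=<HOST>,from=<[^>]*>,to=<[^>]*>: 513 Relaying denied",
    "smtp-auth":     r'courieresmtpd: error,relay=<HOST>,msg="535 Authentication failed\.',
    "imap-pop-auth": r"LOGIN FAILED, (?:user|method)=\S* ip=\[<HOST>\]",
    "no-domain":     r"courieresmtpd: error,relay=<HOST>,from=<[^>]*>: 517-Domain does not exist",
    "spf-fail":      r"courieresmtpd: error,relay=<HOST>,from=<[^>]*>: 517 SPF fail",
    "conn-limit":    r"Maximum connection limit reached for <HOST>",
}
# <HOST> stands for the client IP. Courier commonly logs IPv4 clients as IPv4-mapped IPv6
# (::ffff:a.b.c.d), so that prefix is accepted but not captured (assumption of this example).
HOST_RE = r"(?:::ffff:)?(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
COMPILED = {name: re.compile(p.replace("<HOST>", HOST_RE)) for name, p in PATTERNS.items()}

def parse_line(line):
    """Return (reason, host) for a line matching one of the patterns, else None."""
    for reason, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            return reason, m.group("host")
    return None

def tally(lines):
    """Count matched reasons per client IP: {host: Counter({reason: n})}."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            reason, host = parsed
            hits[host][reason] += 1
    return hits

def repeat_offenders(hits, min_hits):
    """Hosts whose total matched events reach min_hits, most active first."""
    totals = {host: sum(c.values()) for host, c in hits.items()}
    return sorted((h for h, n in totals.items() if n >= min_hits), key=lambda h: (-totals[h], h))

# Constructed sample mail.log lines using RFC 5737 documentation addresses; not a real log.
SAMPLE_LOG = """\
Jan  5 10:01:12 mail courieresmtpd: error,relay=::ffff:192.0.2.10,from=<x@example.com>,to=<y@example.net>: 513 Relaying denied
Jan  5 10:01:40 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed."
Jan  5 10:02:03 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:198.51.100.7]
Jan  5 10:04:00 mail courieresmtpd: error,relay=::ffff:203.0.113.5,from=<c@example.org>: 517 SPF fail
Jan  5 10:04:30 mail courieresmtpd: Maximum connection limit reached for ::ffff:203.0.113.5
Jan  5 10:05:00 mail courieresmtpd: started,ip=[::ffff:192.0.2.77],from=<ok@example.com>
"""
```

Running `repeat_offenders(tally(SAMPLE_LOG.splitlines()), 2)` on the sample yields the two addresses with repeated events, while the successful session from 192.0.2.77 matches nothing.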
Records can also be added to the block database by dynamic scripts, both web and mail. A tentative list follows:
This is issued by the web login script on invalid credentials.
This is issued by the ErrorDocument 401 "Authorization Required" script, when a web user supplied invalid credentials to access a subversion repository.
This is issued by the LoginAuthenticateAudit Wiki Global hook, called on invalid credentials.
This is issued by a number of wp-*.php links.
This is issued after a SpamAssassin scan. It requires a score of 9.0, which yields almost no false positives. The full spam message may be available in this case, but it is not automatically included in the report.
The recipient address belongs to a list of a few hundred never existing email addresses (apparently generated randomly in order to inflate million-address CDs or similar).
Located in Milano, Italy, tana.it is a tiny mail site, whose few users are also located in Milano for most of the year. Hence, failed authorizations from abroad are likely abusive. No apparent abuse is, by itself, illegal: a user could be traveling, or could have asked for a service but provided the wrong credentials to an honest service provider. However, repeated occurrences of suspect abusive behavior, most likely caused by malware infesting users' devices, result in an increased probability of being blocked.
Packet blocking disrupts smooth TCP/IP flow, possibly causing annoying delays in users' experience. Logs are mailed out in the hope that they can help identify devices and remove malware, in the interest of the vast majority of Internet users.
This page is a work in progress. Please send any request for additional explanations or action to . Requests to remove IPs from the database are also welcome.
The knowledge exposed above might help bad guys. Please don't divulge this page needlessly.
Copyright © 2019 Alessandro Vesely. All rights reserved.