For the first time since I can remember, my POP3 server was effectively shut down by too many simultaneous connections today. The first fix I tried was to raise the number of connections from the default 40 to 100, but the problem soon returned.

I finally ipfw'd off the offending IP (98.190.204.2 for anyone interested), then went to look for other possible offenders in the log. I noticed several thousand connections today to a few dozen former users from 4 IPs from 208.70.128.0/21. One of the users was actually legitimate.

These IPs belong to mailanyone.net. The tech contact in their ARIN record is listed as:

OrgTechHandle: BHE57-ARIN
OrgTechName: Heitman, Bryan
OrgTechPhone: +1-816-587-4700
OrgTechEmail: hostmaster@mailanyone.net

However, that phone number goes to a UPS store that has no idea what I'm talking about. I then dialed their supposed NOC number:

Comment: FuseMail, LLC Network Operations Center contact
Comment: 877.888.3873 x3

I am on hold with that number right now with some very loud and annoying music.

Can anyone offer any insight as to these people and how/who to deal with there?

Would a provider be amiss to just block their entire /21?

TIA,

James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am
http://3.am
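Added example, not part of the original post: one way to do the log triage described above, grouping POP3 connections by covering /21 and separating stale (former) accounts from active ones, so the collateral cost of a whole-prefix block is visible before it is applied. The log format, user names and account list are constructed for illustration, and the addresses are documentation ranges rather than the ones named in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in a made-up format (documentation IP ranges, fake users).
SAMPLE_LOG = """\
Sep  1 14:02:11 mail pop3d[411]: connect from=198.51.100.10 user=olduser1
Sep  1 14:02:11 mail pop3d[412]: connect from=198.51.100.10 user=olduser2
Sep  1 14:02:12 mail pop3d[413]: connect from=198.51.100.10 user=olduser1
Sep  1 14:02:12 mail pop3d[414]: connect from=198.51.100.11 user=olduser3
Sep  1 14:02:13 mail pop3d[415]: connect from=198.51.100.11 user=carol
Sep  1 14:02:13 mail pop3d[416]: connect from=198.51.101.20 user=olduser2
Sep  1 14:02:14 mail pop3d[417]: connect from=203.0.113.9 user=alice
Sep  1 14:02:15 mail pop3d[418]: connect from=192.0.2.77 user=bob
Sep  1 14:02:15 mail pop3d[419]: connect from=192.0.2.77 user=bob
Sep  1 14:02:16 mail pop3d[420]: connect from=192.0.2.77 user=bob
Sep  1 14:02:16 mail pop3d[421]: garbage line without the expected fields
"""
ACTIVE_USERS = {"alice", "bob", "carol"}  # assumed list of current accounts
LINE_RE = re.compile(r"pop3d\[\d+\]: connect from=(\S+) user=(\S+)")


def summarize(log_text, active_users, prefix_len=21, min_hits=3):
    """Group connections by covering prefix; split targets into active/stale."""
    nets = defaultdict(lambda: {"hits": 0, "ips": set(), "active": set(), "stale": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # malformed or non-IPv4 source address
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        entry = nets[str(net)]
        entry["hits"] += 1
        entry["ips"].add(str(ip))
        bucket = "active" if m.group(2) in active_users else "stale"
        entry[bucket].add(m.group(2))
    return {n: e for n, e in nets.items() if e["hits"] >= min_hits}


if __name__ == "__main__":
    for net, e in sorted(summarize(SAMPLE_LOG, ACTIVE_USERS).items()):
        print(f"{net}: {e['hits']} connections from {len(e['ips'])} IPs; "
              f"stale targets={sorted(e['stale'])}; "
              f"active users who would be cut off={sorted(e['active'])}")
```

A prefix whose targets are almost all stale accounts but which still contains one active user is the case raised in the post: blocking the whole prefix stops the noise and also locks out that user.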
Issues with gmail.com here in DC

Winn Johnston

________________________________________
From: up@3.am [up@3.am]
Sent: Tuesday, September 01, 2009 3:28 PM
To: nanog@nanog.org
Subject: POP3 DoS attacks and mailanyone.net?
Hummm. Looking through some of my data I found that the domain NORTHROANOKE.COM resolves to 98.190.204.2 (the first attack vector). That box is running Microsoft Business Server 2003.

NORTHROANOKE.COM appears to be some kind of assisted living facility in Roanoke, Virginia (based on whois).

Doesn't look gmail related from that perspective...

Andrew

Andrew Fried
andrew.fried@gmail.com