• 83.222.190.50 from Sopot, Bulgaria using braindead hacking software

    From Randolf Richardson 張文道@21:1/5 to All on Wed Aug 28 22:46:07 2024
    I'm seeing a lot of hacking attempts from 83.222.190.50 at
    a rate of 30 to 200 per second, always using one password
    repeatedly on multiple attempts of the same accounts, which
    are almost always role accounts (e.g., support@ abuse@ noc@
    daemon@ postmaster@ root@), with an occasional non-role
    account being attempted (also with the same password).

    The only password they're trying to use, and repeatedly
    failing with, is: aq!@#

    I'm including this above so that it can be included in any
    lists of insecure passwords to prevent any accounts that
    are permitted to use short passwords from getting abused
    by whatever braindead hacking software is being used.

    I recommend permanently blocking this IP address, which I
    suspect may be running some braindead hacking software.

    WHOIS output for 83.222.190.50...

    % Information related to '83.222.190.0 - 83.222.191.255'

    % Abuse contact for '83.222.190.0 - 83.222.191.255' is
    'abuse@4media.bg'

    inetnum: 83.222.190.0 - 83.222.191.255
    netname: Net_4Media
    org: ORG-AA2048-RIPE
    country: BG
    admin-c: PD8817-RIPE
    tech-c: PD8817-RIPE
    status: ASSIGNED PA
    mnt-by: MNT-LIR-BG
    created: 2024-07-03T10:05:33Z
    last-modified: 2024-07-03T10:05:33Z
    source: RIPE

    organisation: ORG-AA2048-RIPE
    org-name: 4Media Ltd.
    country: BG
    org-type: OTHER
    address: 35, Ivan Vazov str, Sopot, Bulgaria
    abuse-c: AA33554-RIPE
    mnt-ref: TAMATYA-MNT
    mnt-ref: MNT-LIR-BG
    mnt-by: MNT-LIR-BG
    created: 2018-05-31T08:09:29Z
    last-modified: 2022-12-01T17:00:25Z
    source: RIPE # Filtered

    person: Petar Dimov
    address: hostmaster@4vendeta.com
    address: noc@4vendeta.com
    phone: +359988865442
    nic-hdl: PD8817-RIPE
    mnt-by: TAMATYA-MNT
    created: 2016-11-06T19:36:43Z
    last-modified: 2022-12-20T20:23:46Z
    source: RIPE

    % Information related to '83.222.190.0/24AS202325'

    route: 83.222.190.0/24
    origin: AS202325
    mnt-by: MNT-LIR-BG
    created: 2024-07-03T10:05:33Z
    last-modified: 2024-07-03T10:05:33Z
    source: RIPE

    % Information related to '83.222.190.0/24AS204428'

    route: 83.222.190.0/24
    origin: AS204428
    mnt-by: MNT-LIR-BG
    created: 2024-07-03T10:05:33Z
    last-modified: 2024-07-03T10:05:33Z
    source: RIPE

    % Information related to '83.222.190.0/24AS212283'

    route: 83.222.190.0/24
    origin: AS212283
    mnt-by: MNT-LIR-BG
    created: 2024-07-12T13:35:21Z
    last-modified: 2024-07-12T13:35:21Z
    source: RIPE

    % This query was served by the RIPE Database Query Service
    version 1.113.2 (ABERDEEN)

    --
    Randolf Richardson 張文道, CNA - noc@inter-corporate.com
    Inter-Corporate Computer & Network Services, Inc.
    Beautiful British Columbia, Canada
    https://www.inter-corporate.com/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Edward McGuire@21:1/5 to noc@inter-corporate.com on Thu Aug 29 18:06:54 2024
    On 2024-08-29, Randolf Richardson 張文道 <noc@inter-corporate.com> wrote:
    > I'm seeing a lot of hacking attempts from 83.222.190.50 [...] I recommend permanently blocking this IP address

    My mail server autoblocked this address 45 days ago. The log has recycled since then so I can't say exactly what rule snagged it. Generally it's something like "SASL authentication failed".

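The pattern the two posts describe (one source, one password, many role accounts, dozens of failures per second, surfacing as "SASL authentication failed" lines) can be turned into a log check. The following is an added example, not code from the thread or from fail2ban; the Postfix-style line format, the thresholds, the hostnames and the sample lines are all assumptions constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Role mailboxes the thread says were targeted (RFC 2142-style addresses).
ROLE_ACCOUNTS = {"support", "abuse", "noc", "daemon", "postmaster", "root"}

# Postfix-style "SASL ... authentication failed" line; the format is assumed here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed: "
    r".*sasl_username=(?P<user>[^@\s,]+)")

def parse_failures(lines, year=2024):
    """Yield (timestamp, client_ip, local_part) for each SASL failure line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # other lines (connects, deliveries) are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"].lower()

def spray_sources(lines, min_failures=5, min_targets=3, min_role_share=0.5):
    """Return {ip: summary} for the thread's pattern: one IP, many failures in a
    short window against many distinct users, mostly role accounts (thresholds assumed)."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        per_ip[ip].append((ts, user))
    findings = {}
    for ip, events in per_ip.items():
        users = {u for _, u in events}
        roles = users & ROLE_ACCOUNTS
        if (len(events) < min_failures or len(users) < min_targets
                or len(roles) / len(users) < min_role_share):
            continue
        times = [t for t, _ in events]
        span = (max(times) - min(times)).total_seconds()  # 0 if all in one second
        findings[ip] = {"failures": len(events), "targets": sorted(users),
                        "rate_per_sec": round(len(events) / max(span, 1.0), 1)}
    return findings

# Constructed sample lines (not real server output): eight failures within two
# seconds from the IP named in the thread, then one ordinary user's typo elsewhere.
SRC = "83.222.190.50"
SAMPLE_LOG = [
    f"Aug 28 22:46:{7 + i // 4:02d} mx postfix/smtpd[4121]: warning: unknown[{SRC}]: "
    f"SASL LOGIN authentication failed: authentication failure, sasl_username={u}@example.net"
    for i, u in enumerate("support abuse noc daemon postmaster root support jane".split())
] + [
    "Aug 28 22:46:09 mx postfix/smtpd[4122]: warning: mail.example.org[198.51.100.7]: "
    "SASL PLAIN authentication failed: authentication failure, sasl_username=bob@example.net",
]
```

Running `spray_sources(SAMPLE_LOG)` reports only the spraying source; the single failure from the other host stays below every threshold.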
  • From Randolf Richardson 張文道@21:1/5 to Post To Usenet on Thu Aug 29 20:44:18 2024
    On Thu, 29 Aug 2024 12:16:31 -0600
    Post To Usenet <posttousenet@gmail.com> wrote:

    > I don't know what OS your mail server is but try something like
    > fail2ban if it is a Linux-based OS to automatically ban these
    > credits.
    >
    > I'm running Debian Linux, and I also recommend fail2ban.
    >
    > https://github.com/fail2ban/fail2ban
    >
    > https://gist.github.com/pida42/58c8254475757394a055c85c9ed0ce8a
    >
    > https://en.wikipedia.org/wiki/Fail2ban
    >
    > It does great at parsing logs and banning login attempts like that
    > and is a really good Intrusion Detection System ("IDS").
    >
    > Hope this helps.

    Thank you. Your recommendation is a good one, although I'm not
    asking for advice -- I already have intrusion detection (and
    other aspects of security) taken care of. My posting about
    this is as was common over ~15 years ago here in NANAE, in the
    hopes that this information may be helpful to others as part of
    community participation (plus some other reasons that need not
    be mentioned).

    > On 8/28/2024 11:46 PM, Randolf Richardson 張文道 wrote:
    >> I'm seeing a lot of hacking attempts from 83.222.190.50 at
    >> a rate of 30 to 200 per second, always using one password
    >> repeatedly on multiple attempts of the same accounts, which
    >> are almost always role accounts (e.g., support@ abuse@ noc@
    >> daemon@ postmaster@ root@), with an occasional non-role
    >> account being attempted (also with the same password).
    >>
    >> The only password they're trying to use, and repeatedly
    >> failing with, is: aq!@#
    >>
    >> I'm including this above so that it can be included in any
    >> lists of insecure passwords to prevent any accounts that
    >> are permitted to use short passwords from getting abused
    >> by whatever braindead hacking software is being used.
    >>
    >> I recommend permanently blocking this IP address, which I
    >> suspect may be running some braindead hacking software.
    >
    > <SNIP>
  • From Randolf Richardson 張文道@21:1/5 to Edward McGuire on Thu Aug 29 20:47:27 2024
    On Thu, 29 Aug 2024 18:06:54 -0000 (UTC)
    Edward McGuire <metaed@metaed.com> wrote:
    > On 2024-08-29, Randolf Richardson 張文道 <noc@inter-corporate.com> wrote:
    >> I'm seeing a lot of hacking attempts from 83.222.190.50 [...] I recommend permanently blocking this IP address
    >
    > My mail server autoblocked this address 45 days ago. The log has recycled since

    They're probably focusing on one or a small number of target
    mail servers at a time. I wonder if they have concerns about
    resource limits or if they're just paranoid about attracting
    too much attention.

    > then so I can't say exactly what rule snagged it. Generally it's something like
    > "SASL authentication failed".

    I'd say it's very likely as you suspect. That's what we saw.
