
how to stop massive email attack in Postfix

  • c cc
    Message 1 of 9, Jun 14, 2013

      Hi,

      For the last few days, I noticed that our postfix server had crawled to a halt due to some kind of email attack. As you can see below, there were a lot of SMTP connections. I was wondering if there is a way to stop this from Postfix? Thanks!

      /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
    • Simon B
      Message 2 of 9, Jun 14, 2013
        On 14 June 2013 17:44, c cc <subads@...> wrote:
        >
        > Hi,
        >
        > For the last few days, I noticed that our postfix server had crawl to a halt
        > due to some kind of email attack. As you can see below, there were a lot of
        > smtp connections. I was wondering if there is a way to stop this from
        > Postfix? Thanks!
        >
        > /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
        > tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED
        > 17329/smtpd
        > tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
        > tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
        > tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED

        Presumably they are connecting more than once? Fail2ban?

        Simon
      • Viktor Dukhovni
        Message 3 of 9, Jun 14, 2013
          On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:

          > On 14 June 2013 17:44, c cc <subads@...> wrote:
          > >
          > > Hi,
          > >
          > > For the last few days, I noticed that our postfix server had crawl to a halt
          > > due to some kind of email attack. As you can see below, there were a lot of
          > > smtp connections. I was wondering if there is a way to stop this from
          > > Postfix? Thanks!
          > >
          > > /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
          > > tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED
          > > 17329/smtpd
          > > tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
          > > tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
          > > tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
          >
          > Presumably they are connecting more than once? Fail2ban?

          Looks more like a botnet, so the connections may not in fact recur.
          I would consider disabling reverse DNS resolution under stress.
          Anything that reduces latency in the SMTP server. Also make sure
          recipient lookups are fast (SAV and RAV may lead to concurrency
          spikes, try to have static sources of recipient information).

          Also raise the number of smtpd(8) processes. The postscreen(8)
          feature may help, but this is best with Postfix 2.10.0 or so.

          --
          Viktor.
        • Robert Schetterer
          Message 4 of 9, Jun 14, 2013
            On 14.06.2013 18:00, Simon B wrote:
            > On 14 June 2013 17:44, c cc <subads@...> wrote:
            >>
            >> Hi,
            >>
            >> For the last few days, I noticed that our postfix server had crawl to a halt
            >> due to some kind of email attack. As you can see below, there were a lot of
            >> smtp connections. I was wondering if there is a way to stop this from
            >> Postfix? Thanks!
            >>
            >> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
            >> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED
            >> 17329/smtpd
            >> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
            >> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
            >> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
            >
            > Presumably they are connecting more than once? Fail2ban?
            >
            > Simon
            >

            If you have a massive bot problem, fail2ban is too slow to help.
            I solved it with an iptables recent/rsyslog combination.

            Sorry, only German, but the tech stuff should be understandable anyway:

            http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

            http://blog.schaal-24.de/?p=1626

            But be aware that such solutions must be well configured and fit your setup.


            Best Regards
            Robert Schetterer

            --
            [*] sys4 AG

            http://sys4.de, +49 (89) 30 90 46 64
            Franziskanerstraße 15, 81669 München

            Registered office: München, Amtsgericht München: HRB 199263
            Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
            Chairman of the supervisory board: Florian Kirstein
          • Benny Pedersen
            Message 5 of 9, Jun 14, 2013
              Simon B wrote on 2013-06-14 18:00:

              >> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
              >> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798
              >> ESTABLISHED
              >> 17329/smtpd
              >> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112
              >> ESTABLISHED -
              >> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208
              >> ESTABLISHED -
              >> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698
              >> ESTABLISHED
              >
              > Presumably they are connecting more than once? Fail2ban?

              No logs, no problem. If he wants help he could start by showing postconf -n.

              --
              senders that put my email into body content will deliver it to my own
              trashcan, so if you like to get a reply, don't do it
            • Bastian Blank
              Message 6 of 9, Jun 15, 2013
                On Fri, Jun 14, 2013 at 03:44:23PM +0000, c cc wrote:

                First, get a name.

                > For the last few days, I noticed that our postfix server had crawl to a
                > halt due to some kind of email attack.

                Show logs and the config, see
                http://www.postfix.org/DEBUG_README.html#mail. If you configure Postfix
                to allow 100 concurrent connections, it will gladly do so. If your system
                can't handle this load, lower that count.

                Bastian

                --
                Sometimes a feeling is all we humans have to go on.
                -- Kirk, "A Taste of Armageddon", stardate 3193.9
              • Stan Hoeppner
                Message 7 of 9, Jun 16, 2013
                  On 6/14/2013 11:19 AM, Viktor Dukhovni wrote:
                  > On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:
                  >
                  >> On 14 June 2013 17:44, c cc <subads@...> wrote:
                  >>>
                  >>> Hi,
                  >>>
                  >>> For the last few days, I noticed that our postfix server had crawl to a halt
                  >>> due to some kind of email attack. As you can see below, there were a lot of
                  >>> smtp connections. I was wondering if there is a way to stop this from
                  >>> Postfix? Thanks!
                  >>>
                  >>> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
                  >>> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED
                  >>> 17329/smtpd
                  >>> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
                  >>> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
                  >>> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
                  >>
                  >> Presumably they are connecting more than once? Fail2ban?
                  >
                  > Looks more like a botnet, so the connections may not in fact recur.

                  Quite right, it is a botnet attack. And without further logging, I'd
                  guess this is a DOS attack on TCP 25. The clients are probably not even
                  attempting delivery, but simply tying up TCP sockets.

                  > I would consider disabling reverse DNS resolution under stress.
                  > Anything that reduces latency in the SMTP server. Also make sure
                  > recipient lookups are fast (SAV and RAV may lead to concurrency
                  > spikes, try to have static sources of recipient information).
                  >
                  > Also raise the number of smtpd(8) processes. The postscreen(8)
                  > feature may help, but this is best with Postfix 2.10.0 or so.

                  This is a scenario purpose built for postscreen, is it not? In lieu of
                  postscreen, and in addition to Viktor's other suggestions, two simple
                  restrictions may have greatly reduced the impact of this attack:

                  1. reject_unknown_reverse_client_hostname
                  2. http://www.hardwarefreak.com/fqrdns.pcre

                  fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
                  contains many of them. I'll be adding the others in the near future.

                  --
                  Stan
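The thread's advice (Viktor's message 3: more smtpd(8) processes, cheap recipient lookups, postscreen; Bastian's message 6: a process limit the host can actually carry; Stan's message 7: reject_unknown_reverse_client_hostname plus fqrdns.pcre) collected into one main.cf/master.cf fragment. This is an added example, not configuration from the thread or from the Postfix project; the parameter names are real Postfix parameters, while the values, the weights and the /etc/postfix/fqrdns.pcre path are assumptions to adjust per site (Postfix 2.10 or later assumed).

```ini
# ---- main.cf ----

# The weak state the thread suspects: smtpd(8) answers every bot itself,
# no postscreen, no client restrictions, default concurrency.
# smtpd_client_restrictions =
# default_process_limit = 100

# 1. postscreen(8) triages connections before an smtpd(8) process is spent on
#    them. DNSBL answers are weighted; the Zen codes below are the ones Stan
#    counted: 127.0.0.4-7 = XBL (carries the CBL), 127.0.0.10/11 = PBL.
postscreen_greet_action    = enforce
postscreen_dnsbl_action    = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[4..7]*3
    zen.spamhaus.org=127.0.0.[10;11]*3
postscreen_cache_map = btree:$data_directory/postscreen_cache

# 2. For what gets past postscreen: refuse generic/dynamic reverse names
#    (fqrdns.pcre) and clients with no reverse name at all before any
#    recipient lookup is done for them.
smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access pcre:/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_rbl_client zen.spamhaus.org

# 3. Keep per-session lookups cheap: recipients come from a static table
#    (this is the default), and no verify(8) probes such as
#    reject_unverified_recipient on the inbound path.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# 4. Concurrency: smtpd(8) is capped by default_process_limit (100) unless
#    master.cf gives it its own maxproc. Raise it as far as the host can
#    sustain; lower it if the host cannot carry 100 simultaneous sessions.
default_process_limit = 100

# Stress-time knob from Viktor's message: skip reverse DNS in smtpd(8).
# It also makes reject_unknown_reverse_client_hostname ineffective, so it is
# a temporary toggle, not a permanent setting.
# smtpd_peername_lookups = no

# ---- master.cf ----
# Hand port 25 to postscreen and make smtpd a pass service; the "-" in the
# smtpd maxproc column means default_process_limit applies.
# service   type  private unpriv  chroot  wakeup  maxproc command
smtp        inet  n       -       n       -       1       postscreen
smtpd       pass  -       -       n       -       -       smtpd
dnsblog     unix  -       -       n       -       0       dnsblog
tlsproxy    unix  -       -       n       -       0       tlsproxy
```

After editing, `postfix reload` applies main.cf and master.cf; `postconf -n` shows the non-default values, which is what the thread asks the poster to share.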
                • Viktor Dukhovni
                  Message 8 of 9, Jun 16, 2013
                    On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:

                    > > Looks more like a botnet, so the connections may not in fact recur.
                    >
                    > Quite right, it is a botnet attack. And without further logging, I'd
                    > guess this is a DOS attack on TCP 25. The clients are probably not even
                    > attempting delivery, but simply tying up TCP sockets.

                    It could be a dictionary attack, or receiver-side DNS latency, or
                    greet pauses in the SMTP server, or delays due to sender or recipient
                    verification probes, or insufficient smtpd(8) concurrency to deal
                    with reasonable peak loads.

                    > This is a scenario purpose built for postscreen, is it not? In lieu of
                    > postscreen, and in addition to Viktor's other suggestions, two simple
                    > restrictions may have greatly reduced the impact of this attack:

                    Yes, postscreen.

                    > 1. reject_unknown_reverse_client_hostname
                    > 2. http://www.hardwarefreak.com/fqrdns.pcre
                    >
                    > fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
                    > contains many of them. I'll be adding the others in the near future.

                    Carefully selected augmentation of the PBL may well be effective.
                    I also hope Stan or someone else reputable can from time to time
                    nominate particularly bot-active CIDR blocks consisting exclusively
                    of consumer-grade DHCP addresses for the PBL (send an email to a
                    contact at SpamHaus).

                    --
                    Viktor.
                  • Stan Hoeppner
                    Message 9 of 9, Jun 17, 2013
                      On 6/16/2013 12:59 PM, Viktor Dukhovni wrote:
                      > On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:
                      >
                      >>> Looks more like a botnet, so the connections may not in fact recur.
                      >>
                      >> Quite right, it is a botnet attack. And without further logging, I'd
                      >> guess this is a DOS attack on TCP 25. The clients are probably not even
                      >> attempting delivery, but simply tying up TCP sockets.
                      >
                      > It could be a dictionary attack, or receiver-side DNS latency, or
                      > greet pauses in the SMTP server, or delays due to sender or recipient
                      > verification probes, or insufficient smtpd(8) concurrency to deal
                      > with reasonable peak loads.

                      It's a bit of a pity the OP didn't follow up and participate. Some
                      interesting statistics surrounding this apparent botnet attack. I say
                      "apparent" now because I'm beginning to think this may not have been the
                      case at all. Of the 128 IPs he listed from netstat:

                      54 return NXDOMAIN [1]
                      50 would have been REJECTED by fqrdns.pcre [2]
                      128 listed by Zen with 127.0.0.4 (CBL) [3]
                      5 listed by Zen with 127.0.0.10 (PBL) [4]
                      108 listed by Zen with 127.0.0.11 (PBL) [5]

                      reject_unknown_reverse_client_hostname would have rejected 54/128, 42%.
                      That plus fqrdns.pcre, 104/128, 81%. These alone would have stemmed
                      the tide. Now, assuming not all of these had yet hit the CBL, if the OP
                      had been using Zen he'd have still rejected at least 113/128 of these
                      because they were already listed in the PBL at the time of the event.
                      It almost seems as if this Postfix simply had no A/S countermeasures
                      configured at all. Either that or SA was installed assuming it would
                      "just do it" by itself. Maybe one of those insane govt/corp policies
                      that requires all spam to be archived? We can only guess without
                      further input from the OP.

                      ...
                      > Carefully selected augmentation of the PBL may well be effective.
                      > I also hope Stan or someone else reputable can from time to time
                      > nominate particurly bot-active CIDR blocks consisting exclusively
                      > of consumer-grade DHCP addresses for the PBL (send an email to a
                      > contact at SpamHaus).

                      As noted, the PBL already contains 113 of the IPs, and the CBL had all
                      128 either before and/or after this event, most likely before. 113 were
                      dual listed in both the PBL and CBL. This tends to suggest the PBL
                      listings are relatively old. The host in question apparently wasn't
                      configured to use Zen.

                      I have recommended netblocks for inclusion in the PBL in the past.
                      These are taken under advisement. Note that the trap network feeding
                      the CBL is vast, global, on the order of 1 million+ addresses across
                      10K+ domains in just about every country with IP transit. Thus Spamhaus
                      have a much better view of where bots are emitting than me or just about
                      anyone. AIUI, after some $_threshold, if a netblock has constant bot
                      activity, and the provider hasn't voluntarily listed it, Spamhaus will.
                      That's the difference between 127.0.0.11 (Spamhaus maintained) and
                      127.0.0.10 (ISP maintained).

                      Of these 128 Spamhaus listed 108 of them, while ISPs only voluntarily
                      listed 5. This is characteristic of South/Central America, and some
                      other parts of the world. My perception is that in North America,
                      Europe, and the English Commonwealth countries there's typically much
                      larger PBL buy-in among ISPs, less so in other parts of the World. Note
                      these are my perceptions based on word of mouth, personal connections,
                      etc. I do not work for Spamhaus, nor do I speak on behalf of Spamhaus.

                      --
                      Stan



                      [1] $ grep -i nxdomain hostrdns.txt



                      [2] $ while read i; do postmap -q $i pcre:/etc/postfix/fqrdns.pcre;
                      done < rdns|grep REJECT


                      [3] $ cat zenresult


                      [4] $ grep 127.0.0.10 zenresult

                      149.119.65.109.zen.spamhaus.org has address 127.0.0.10
                      145.151.80.190.zen.spamhaus.org has address 127.0.0.10
                      222.44.116.200.zen.spamhaus.org has address 127.0.0.10
                      166.202.232.201.zen.spamhaus.org has address 127.0.0.10
                      107.193.244.201.zen.spamhaus.org has address 127.0.0.10


                      [5] $ grep 127.0.0.11 zenresult

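An added example, not code from the thread, that does by script what steps [3] to [5] do by hand: it parses `zenresult`-style `host` output, undoes the octet reversal to recover each client IP, and groups clients by the Zen component list that each return code names (the code table is Spamhaus's documented Zen return codes), so a defender can see how many connecting clients are on the PBL alone versus the XBL before deciding on `reject_rbl_client zen.spamhaus.org` or a postscreen policy. The sample input is constructed on RFC 5737 documentation addresses.

```python
"""Classify Spamhaus Zen lookup output in the 'zenresult' format.

Each answer line produced by `host a.b.c.d.zen.spamhaus.org` looks like
    "d.c.b.a.zen.spamhaus.org has address 127.0.0.11"
where the client IP a.b.c.d appears with its octets reversed. Zen folds
several Spamhaus lists into one zone and tells them apart by return code.
"""
import re
from collections import defaultdict

# Zen return codes (from Spamhaus documentation) -> component list that answered.
ZEN_CODES = {
    "127.0.0.2": "SBL",       # Spamhaus Block List (verified spam sources)
    "127.0.0.3": "SBL-CSS",   # SBL CSS (snowshoe / hijacked ranges)
    "127.0.0.4": "XBL",       # Exploits Block List: compromised / infected hosts
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL-ISP",  # Policy Block List, ISP-maintained (end-user space)
    "127.0.0.11": "PBL",      # Policy Block List, Spamhaus-maintained
}

LINE_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.zen\.spamhaus\.org has address (127\.0\.0\.\d+)$"
)

# Constructed sample in the same shape as the thread's zenresult file
# (RFC 5737 addresses, not real lookups). Includes a duplicate answer
# and a "not found" line, both of which appear in real `host` output.
SAMPLE_ZENRESULT = """\
10.2.0.192.zen.spamhaus.org has address 127.0.0.11
10.2.0.192.zen.spamhaus.org has address 127.0.0.4
10.2.0.192.zen.spamhaus.org has address 127.0.0.11
20.2.0.192.zen.spamhaus.org has address 127.0.0.4
20.2.0.192.zen.spamhaus.org has address 127.0.0.10
30.2.0.192.zen.spamhaus.org has address 127.0.0.11
Host 40.2.0.192.zen.spamhaus.org not found: 3(NXDOMAIN)
"""


def parse_zen_line(line):
    """Return (client_ip, return_code), or None for lines that are not Zen answers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reversed_ip, code = m.groups()
    client_ip = ".".join(reversed(reversed_ip.split(".")))
    return client_ip, code


def classify(lines):
    """Map each client IP to the set of Zen lists it is on (duplicate answers collapse)."""
    listings = defaultdict(set)
    for line in lines:
        parsed = parse_zen_line(line)
        if parsed is None:
            continue  # NXDOMAIN (not listed) or unrelated text
        ip, code = parsed
        listings[ip].add(ZEN_CODES.get(code, "unknown:" + code))
    return dict(listings)


def summarize(listings):
    """Count IPs per list and return the IPs caught only by the PBL.

    PBL-only hits are policy listings (end-user space that should not
    send mail directly); XBL hits indicate compromised machines.
    """
    per_list = defaultdict(int)
    for lists in listings.values():
        for name in lists:
            per_list[name] += 1
    pbl_only = sorted(ip for ip, lists in listings.items()
                      if lists <= {"PBL", "PBL-ISP"})
    return dict(per_list), pbl_only


if __name__ == "__main__":
    result = classify(SAMPLE_ZENRESULT.splitlines())
    for ip in sorted(result):
        print(ip, sorted(result[ip]))
    counts, only_pbl = summarize(result)
    print("per list:", counts)
    print("PBL only:", only_pbl)
```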