
Re: how to stop massive email attack in Postfix

  • Viktor Dukhovni
    Message 1 of 9, Jun 14, 2013
      On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:

      > On 14 June 2013 17:44, c cc <subads@...> wrote:
      > >
      > > Hi,
      > >
      > > For the last few days, I noticed that our postfix server had crawled to a halt
      > > due to some kind of email attack. As you can see below, there were a lot of
      > > smtp connections. I was wondering if there is a way to stop this from
      > > Postfix? Thanks!
      > >
      > > /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
      > > tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED 17329/smtpd
      > > tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
      > > tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
      > > tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
      >
      > Presumably they are connecting more than once? Fail2ban?

      Looks more like a botnet, so the connections may not in fact recur.
      I would consider disabling reverse DNS resolution under stress.
      Anything that reduces latency in the SMTP server. Also make sure
      recipient lookups are fast (SAV and RAV may lead to concurrency
      spikes, try to have static sources of recipient information).

      Also raise the number of smtpd(8) processes. The postscreen(8)
      feature may help, but this is best with Postfix 2.10.0 or so.

      --
      Viktor.
    • Robert Schetterer
      Message 2 of 9, Jun 14, 2013
        On 14.06.2013 18:00, Simon B wrote:
        > On 14 June 2013 17:44, c cc <subads@...> wrote:
        >>
        >> Hi,
        >>
        >> For the last few days, I noticed that our postfix server had crawled to a halt
        >> due to some kind of email attack. As you can see below, there were a lot of
        >> smtp connections. I was wondering if there is a way to stop this from
        >> Postfix? Thanks!
        >>
        >> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
        >> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED 17329/smtpd
        >> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
        >> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
        >> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
        >
        > Presumably they are connecting more than once? Fail2ban?
        >
        > Simon
        >

        If you have a massive bot problem, fail2ban is too slow to help.
        I solved it with an iptables recent + rsyslog combination.

        Sorry, only German, but the tech stuff should be understandable anyway.

        http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

        http://blog.schaal-24.de/?p=1626

        But be aware that such solutions must be well configured and fit your setup.


        Best Regards
        MfG Robert Schetterer

        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Registered office: München, District Court München: HRB 199263
        Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
        Chairman of the supervisory board: Florian Kirstein
      • Benny Pedersen
        Message 3 of 9, Jun 14, 2013
          Simon B wrote on 2013-06-14 18:00:

          >> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
          >> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED 17329/smtpd
          >> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
          >> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
          >> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
          >
          > Presumably they are connecting more than once? Fail2ban?

          no logs, no problem, if he wants help he could start showing
          postconf -n

          --
          senders that put my email into body content will deliver it to my own
          trashcan, so if you like to get a reply, don't do it
        • Bastian Blank
          Message 4 of 9, Jun 15, 2013
            On Fri, Jun 14, 2013 at 03:44:23PM +0000, c cc wrote:

            First, get a name.

            > For the last few days, I noticed that our postfix server had crawled to a
            > halt due to some kind of email attack.

            Show logs and the config, see
            http://www.postfix.org/DEBUG_README.html#mail. If you configure Postfix
            to allow 100 concurrent connections, it will gladly do so. If your system
            can't handle this load, lower that count.

            Bastian

            --
            Sometimes a feeling is all we humans have to go on.
            -- Kirk, "A Taste of Armageddon", stardate 3193.9
          • Stan Hoeppner
            Message 5 of 9, Jun 16, 2013
              On 6/14/2013 11:19 AM, Viktor Dukhovni wrote:
              > On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:
              >
              >> On 14 June 2013 17:44, c cc <subads@...> wrote:
              >>>
              >>> Hi,
              >>>
              >>> For the last few days, I noticed that our postfix server had crawled to a halt
              >>> due to some kind of email attack. As you can see below, there were a lot of
              >>> smtp connections. I was wondering if there is a way to stop this from
              >>> Postfix? Thanks!
              >>>
              >>> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
              >>> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED 17329/smtpd
              >>> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
              >>> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
              >>> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
              >>
              >> Presumably they are connecting more than once? Fail2ban?
              >
              > Looks more like a botnet, so the connections may not in fact recur.

              Quite right, it is a botnet attack. And without further logging, I'd
              guess this is a DOS attack on TCP 25. The clients are probably not even
              attempting delivery, but simply tying up TCP sockets.

              > I would consider disabling reverse DNS resolution under stress.
              > Anything that reduces latency in the SMTP server. Also make sure
              > recipient lookups are fast (SAV and RAV may lead to concurrency
              > spikes, try to have static sources of recipient information).
              >
              > Also raise the number of smtpd(8) processes. The postscreen(8)
              > feature may help, but this is best with Postfix 2.10.0 or so.

              This is a scenario purpose built for postscreen, is it not? In lieu of
              postscreen, and in addition to Viktor's other suggestions, two simple
              restrictions may have greatly reduced the impact of this attack:

              1. reject_unknown_reverse_client_hostname
              2. http://www.hardwarefreak.com/fqrdns.pcre

              fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
              contains many of them. I'll be adding the others in the near future.

              --
              Stan
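
An added example, not part of Stan's message and not the contents of fqrdns.pcre: a shell script that estimates, from `netstat` lines in the format the OP posted and from `host` PTR output, how many connected clients the two restrictions above would turn away. The addresses, hostnames and the `GENERIC_RDNS` pattern are constructed stand-ins.

```shell
#!/usr/bin/env bash
# Added example. All sample data is constructed (RFC 5737 documentation
# addresses, made-up hostnames); nothing here comes from the OP's server.

# Constructed `netstat -plan` lines: proto recv-q send-q local remote state pid
NETSTAT_SAMPLE='tcp 0 0 203.0.113.10:25 192.0.2.11:11798 ESTABLISHED 17329/smtpd
tcp 0 0 203.0.113.10:25 192.0.2.12:54112 ESTABLISHED -
tcp 0 0 203.0.113.10:25 198.51.100.7:36208 ESTABLISHED -
tcp 0 0 203.0.113.10:25 198.51.100.8:16698 ESTABLISHED -
tcp 0 0 203.0.113.10:25 198.51.100.8:16699 ESTABLISHED -
tcp 0 0 203.0.113.10:22 192.0.2.50:40000 ESTABLISHED 900/sshd
tcp 0 0 203.0.113.10:25 192.0.2.99:50505 TIME_WAIT -'

# Constructed `host <ip>` output for the four clients (one line duplicated,
# as happens when the same address is looked up twice).
PTR_SAMPLE='Host 11.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)
Host 11.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)
12.2.0.192.in-addr.arpa domain name pointer 192-0-2-12.dynamic.isp.example.
7.100.51.198.in-addr.arpa domain name pointer mail.corp.example.
8.100.51.198.in-addr.arpa domain name pointer host8.pool.isp.example.'

# Hypothetical stand-in for a generic/dynamic rDNS table. It is matched
# against "." + hostname so every keyword must start at a label boundary.
GENERIC_RDNS='[.-](dyn|dynamic|pool|dsl|cable|dhcp)[.-]|[0-9]+[-.][0-9]+[-.][0-9]+[-.][0-9]+'

# Unique remote IPv4 addresses with an ESTABLISHED connection to local port 25.
remote_smtp_clients() {
    awk '$6 == "ESTABLISHED" && $4 ~ /:25$/ { sub(/:[0-9]+$/, "", $5); print $5 }' |
        sort -u
}

# Number of clients holding more than one connection. If this stays near
# zero, per-IP rate limiting has little to bite on.
repeat_clients() {
    awk '$6 == "ESTABLISHED" && $4 ~ /:25$/ { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { c = 0; for (ip in n) if (n[ip] > 1) c++; print c }'
}

# Classify each looked-up address once:
#   nxdomain -> no PTR at all (what reject_unknown_reverse_client_hostname rejects)
#   generic  -> PTR matches the generic/dynamic pattern
#   other    -> PTR exists and does not look generic
classify_ptr() {
    awk -v pat="$GENERIC_RDNS" '
        /not found: 3\(NXDOMAIN\)/ { if (!seen[$2]++) nx++; next }
        / domain name pointer /    { if (seen[$1]++) next
                                     if (("." $NF) ~ pat) gen++; else ok++ }
        END { printf "nxdomain=%d generic=%d other=%d\n", nx, gen, ok }'
}

# Whole-number percentage of classified clients that either check rejects.
reject_percent() {
    awk -F'[= ]' '{ total = $2 + $4 + $6
                    if (total) printf "%d\n", ($2 + $4) * 100 / total
                    else print 0 }'
}

report() {
    echo "clients:  $(printf '%s\n' "$NETSTAT_SAMPLE" | remote_smtp_clients | wc -l | tr -d ' ')"
    echo "repeats:  $(printf '%s\n' "$NETSTAT_SAMPLE" | repeat_clients)"
    echo "ptr:      $(printf '%s\n' "$PTR_SAMPLE" | classify_ptr)"
    echo "rejected: $(printf '%s\n' "$PTR_SAMPLE" | classify_ptr | reject_percent)%"
}

report
```

On a live host the two samples would be replaced by the output of the OP's `netstat` command and of `host` run over each address that `remote_smtp_clients` prints.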
            • Viktor Dukhovni
              Message 6 of 9, Jun 16, 2013
                On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:

                > > Looks more like a botnet, so the connections may not in fact recur.
                >
                > Quite right, it is a botnet attack. And without further logging, I'd
                > guess this is a DOS attack on TCP 25. The clients are probably not even
                > attempting delivery, but simply tying up TCP sockets.

                It could be a dictionary attack, or receiver-side DNS latency, or
                greet pauses in the SMTP server, or delays due to sender or recipient
                verification probes, or insufficient smtpd(8) concurrency to deal
                with reasonable peak loads.

                > This is a scenario purpose built for postscreen, is it not? In lieu of
                > postscreen, and in addition to Viktor's other suggestions, two simple
                > restrictions may have greatly reduced the impact of this attack:

                Yes, postscreen.

                > 1. reject_unknown_reverse_client_hostname
                > 2. http://www.hardwarefreak.com/fqrdns.pcre
                >
                > fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
                > contains many of them. I'll be adding the others in the near future.

                Carefully selected augmentation of the PBL may well be effective.
                I also hope Stan or someone else reputable can from time to time
                nominate particularly bot-active CIDR blocks consisting exclusively
                of consumer-grade DHCP addresses for the PBL (send an email to a
                contact at SpamHaus).

                --
                Viktor.
              • Stan Hoeppner
                Message 7 of 9, Jun 17, 2013
                  On 6/16/2013 12:59 PM, Viktor Dukhovni wrote:
                  > On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:
                  >
                  >>> Looks more like a botnet, so the connections may not in fact recur.
                  >>
                  >> Quite right, it is a botnet attack. And without further logging, I'd
                  >> guess this is a DOS attack on TCP 25. The clients are probably not even
                  >> attempting delivery, but simply tying up TCP sockets.
                  >
                  > It could be a dictionary attack, or receiver-side DNS latency, or
                  > greet pauses in the SMTP server, or delays due to sender or recipient
                  > verification probes, or insufficient smtpd(8) concurrency to deal
                  > with reasonable peak loads.

                  It's a bit of a pity the OP didn't follow up and participate. Some
                  interesting statistics surrounding this apparent botnet attack. I say
                  "apparent" now because I'm beginning to think this may not have been the
                  case at all. Of the 128 IPs he listed from netstat:

                  54 return NXDOMAIN [1]
                  50 would have been REJECTED by fqrdns.pcre [2]
                  128 listed by Zen with 127.0.0.4 (CBL) [3]
                  5 listed by Zen with 127.0.0.10 (PBL) [4]
                  108 listed by Zen with 127.0.0.11 (PBL) [5]

                  reject_unknown_reverse_client_hostname would have rejected 54/128, 42%.
                  That plus fqrdns.pcre, 104/128, 81%. These alone would have stemmed
                  the tide. Now, assuming not all of these had yet hit the CBL, if the OP
                  had been using Zen he'd have still rejected at least 113/128 of these
                  because they were already listed in the PBL at the time of the event.
                  It almost seems as if this Postfix simply had no A/S countermeasures
                  configured at all. Either that or SA was installed assuming it would
                  "just do it" by itself. Maybe one of those insane govt/corp policies
                  that requires all spam to be archived? We can only guess without
                  further input from the OP.

                  ...
                  > Carefully selected augmentation of the PBL may well be effective.
                  > I also hope Stan or someone else reputable can from time to time
                  > nominate particularly bot-active CIDR blocks consisting exclusively
                  > of consumer-grade DHCP addresses for the PBL (send an email to a
                  > contact at SpamHaus).

                  As noted, the PBL already contains 113 of the IPs, and the CBL had all
                  128 either before and/or after this event, most likely before. 113 were
                  dual listed in both the PBL and CBL. This tends to suggest the PBL
                  listings are relatively old. The host in question apparently wasn't
                  configured to use Zen.

                  I have recommended netblocks for inclusion in the PBL in the past.
                  These are taken under advisement. Note that the trap network feeding
                  the CBL is vast, global, on the order of 1 million+ addresses across
                  10K+ domains in just about every country with IP transit. Thus Spamhaus
                  have a much better view of where bots are emitting than me or just about
                  anyone. AIUI, after some $_threshold, if a netblock has constant bot
                  activity, and the provider hasn't voluntarily listed it, Spamhaus will.
                  That's the difference between 127.0.0.11 (Spamhaus maintained) and
                  127.0.0.10 (ISP maintained).

                  Of these 128 Spamhaus listed 108 of them, while ISPs only voluntarily
                  listed 5. This is characteristic of South/Central America, and some
                  other parts of the world. My perception is that in North America,
                  Europe, and the English Commonwealth countries there's typically much
                  larger PBL buy-in among ISPs, less so in other parts of the World. Note
                  these are my perceptions based on word of mouth, personal connections,
                  etc. I do not work for Spamhaus, nor do I speak on behalf of Spamhaus.

                  --
                  Stan



                  [1] $ grep -i nxdomain hostrdns.txt



                  [2] $ while read i; do postmap -q $i pcre:/etc/postfix/fqrdns.pcre;
                  done < rdns|grep REJECT



                  [3] $ cat zenresult

                  111.197.233.190.zen.spamhaus.org has address 127.0.0.11
                  19.52.233.190.zen.spamhaus.org has address 127.0.0.11
                  19.52.233.190.zen.spamhaus.org has address 127.0.0.4
                  177.101.236.190.zen.spamhaus.org has address 127.0.0.11
                  177.101.236.190.zen.spamhaus.org has address 127.0.0.4
                  102.167.236.190.zen.spamhaus.org has address 127.0.0.11
                  102.167.236.190.zen.spamhaus.org has address 127.0.0.4
                  142.212.236.190.zen.spamhaus.org has address 127.0.0.4
                  142.212.236.190.zen.spamhaus.org has address 127.0.0.11
                  194.52.236.190.zen.spamhaus.org has address 127.0.0.4
                  194.52.236.190.zen.spamhaus.org has address 127.0.0.11
                  223.6.236.190.zen.spamhaus.org has address 127.0.0.4
                  223.6.236.190.zen.spamhaus.org has address 127.0.0.11
                  253.36.237.190.zen.spamhaus.org has address 127.0.0.4
                  253.36.237.190.zen.spamhaus.org has address 127.0.0.11
                  42.122.238.190.zen.spamhaus.org has address 127.0.0.4
                  42.122.238.190.zen.spamhaus.org has address 127.0.0.11
                  213.4.238.190.zen.spamhaus.org has address 127.0.0.11
                  213.4.238.190.zen.spamhaus.org has address 127.0.0.4
                  173.100.239.190.zen.spamhaus.org has address 127.0.0.4
                  173.100.239.190.zen.spamhaus.org has address 127.0.0.11
                  200.123.239.190.zen.spamhaus.org has address 127.0.0.11
                  200.123.239.190.zen.spamhaus.org has address 127.0.0.4
                  192.129.239.190.zen.spamhaus.org has address 127.0.0.11
                  192.129.239.190.zen.spamhaus.org has address 127.0.0.4
                  138.126.244.190.zen.spamhaus.org has address 127.0.0.4
                  138.126.244.190.zen.spamhaus.org has address 127.0.0.11
                  30.39.245.190.zen.spamhaus.org has address 127.0.0.11
                  30.39.245.190.zen.spamhaus.org has address 127.0.0.4
                  136.175.253.190.zen.spamhaus.org has address 127.0.0.4
                  136.175.253.190.zen.spamhaus.org has address 127.0.0.11
                  138.20.253.190.zen.spamhaus.org has address 127.0.0.4
                  138.20.253.190.zen.spamhaus.org has address 127.0.0.11
                  173.161.254.190.zen.spamhaus.org has address 127.0.0.11
                  173.161.254.190.zen.spamhaus.org has address 127.0.0.4
                  60.180.41.190.zen.spamhaus.org has address 127.0.0.4
                  60.180.41.190.zen.spamhaus.org has address 127.0.0.11
                  153.30.41.190.zen.spamhaus.org has address 127.0.0.4
                  185.150.42.190.zen.spamhaus.org has address 127.0.0.11
                  185.150.42.190.zen.spamhaus.org has address 127.0.0.4
                  88.179.42.190.zen.spamhaus.org has address 127.0.0.11
                  88.179.42.190.zen.spamhaus.org has address 127.0.0.4
                  211.241.42.190.zen.spamhaus.org has address 127.0.0.4
                  211.241.42.190.zen.spamhaus.org has address 127.0.0.11
                  207.75.42.190.zen.spamhaus.org has address 127.0.0.4
                  207.75.42.190.zen.spamhaus.org has address 127.0.0.11
                  131.95.42.190.zen.spamhaus.org has address 127.0.0.11
                  131.95.42.190.zen.spamhaus.org has address 127.0.0.4
                  174.58.43.190.zen.spamhaus.org has address 127.0.0.11
                  174.58.43.190.zen.spamhaus.org has address 127.0.0.4
                  10.37.45.190.zen.spamhaus.org has address 127.0.0.11
                  10.37.45.190.zen.spamhaus.org has address 127.0.0.4
                  101.127.51.190.zen.spamhaus.org has address 127.0.0.4
                  101.127.51.190.zen.spamhaus.org has address 127.0.0.11
                  214.133.7.190.zen.spamhaus.org has address 127.0.0.4
                  214.133.7.190.zen.spamhaus.org has address 127.0.0.11
                  145.151.80.190.zen.spamhaus.org has address 127.0.0.10
                  145.151.80.190.zen.spamhaus.org has address 127.0.0.4
                  236.122.2.197.zen.spamhaus.org has address 127.0.0.11
                  236.122.2.197.zen.spamhaus.org has address 127.0.0.4
                  150.92.106.200.zen.spamhaus.org has address 127.0.0.4
                  150.92.106.200.zen.spamhaus.org has address 127.0.0.11
                  222.44.116.200.zen.spamhaus.org has address 127.0.0.4
                  222.44.116.200.zen.spamhaus.org has address 127.0.0.10
                  214.50.35.200.zen.spamhaus.org has address 127.0.0.4
                  214.50.35.200.zen.spamhaus.org has address 127.0.0.11
                  218.225.63.200.zen.spamhaus.org has address 127.0.0.11
                  218.225.63.200.zen.spamhaus.org has address 127.0.0.4
                  123.71.86.200.zen.spamhaus.org has address 127.0.0.11
                  123.71.86.200.zen.spamhaus.org has address 127.0.0.4
                  241.54.155.201.zen.spamhaus.org has address 127.0.0.4
                  47.27.189.201.zen.spamhaus.org has address 127.0.0.4
                  47.27.189.201.zen.spamhaus.org has address 127.0.0.11
                  195.14.230.201.zen.spamhaus.org has address 127.0.0.11
                  195.14.230.201.zen.spamhaus.org has address 127.0.0.4
                  160.26.230.201.zen.spamhaus.org has address 127.0.0.4
                  160.26.230.201.zen.spamhaus.org has address 127.0.0.11
                  166.202.232.201.zen.spamhaus.org has address 127.0.0.4
                  166.202.232.201.zen.spamhaus.org has address 127.0.0.10
                  3.251.240.201.zen.spamhaus.org has address 127.0.0.4
                  3.251.240.201.zen.spamhaus.org has address 127.0.0.11
                  107.193.244.201.zen.spamhaus.org has address 127.0.0.10
                  107.193.244.201.zen.spamhaus.org has address 127.0.0.4
                  203.117.247.201.zen.spamhaus.org has address 127.0.0.4
                  205.123.250.201.zen.spamhaus.org has address 127.0.0.4
                  205.123.250.201.zen.spamhaus.org has address 127.0.0.11
                  202.45.250.201.zen.spamhaus.org has address 127.0.0.11
                  202.45.250.201.zen.spamhaus.org has address 127.0.0.4
                  54.203.231.212.zen.spamhaus.org has address 127.0.0.4


                  [4] $ grep 127.0.0.10 zenresult

                  149.119.65.109.zen.spamhaus.org has address 127.0.0.10
                  145.151.80.190.zen.spamhaus.org has address 127.0.0.10
                  222.44.116.200.zen.spamhaus.org has address 127.0.0.10
                  166.202.232.201.zen.spamhaus.org has address 127.0.0.10
                  107.193.244.201.zen.spamhaus.org has address 127.0.0.10


                  [5] $ grep 127.0.0.11 zenresult
