Loading ...
Sorry, an error occurred while loading the content.

Re: how to stop massive email attack in Postfix

Expand Messages
  • Benny Pedersen
    ... no logs, no problem, if he wants help he could start showing postconf -n -- senders that put my email into body content will deliver it to my own trashcan,
    Message 1 of 9 , Jun 14, 2013
    • 0 Attachment
      Simon B skrev den 2013-06-14 18:00:

      >> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
      >> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798
      >> ESTABLISHED
      >> 17329/smtpd
      >> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112
      >> ESTABLISHED -
      >> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208
      >> ESTABLISHED -
      >> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698
      >> ESTABLISHED
      >
      > Presumably they are connecting more than once? Fail2ban?

      no logs, no problem, if he wants help he could start showing postconf
      -n

      --
      senders that put my email into body content will deliver it to my own
      trashcan, so if you like to get reply, dont do it
    • Bastian Blank
      On Fri, Jun 14, 2013 at 03:44:23PM +0000, c cc wrote: First, get a name. ... Show logs and the config, see http://www.postfix.org/DEBUG_README.html#mail. If
      Message 2 of 9 , Jun 15, 2013
      • 0 Attachment
        On Fri, Jun 14, 2013 at 03:44:23PM +0000, c cc wrote:

        First, get a name.

        > For the last few days, I noticed that our postfix server had crawl to a
        > halt due to some kind of email attack.

        Show logs and the config, see
        http://www.postfix.org/DEBUG_README.html#mail. If you configure Postfix
        to allow 100 concurent connections, it will gladly do so. If your system
        can't handle this load, lower that count.

        Bastian

        --
        Sometimes a feeling is all we humans have to go on.
        -- Kirk, "A Taste of Armageddon", stardate 3193.9
      • Stan Hoeppner
        ... Quite right, it is a botnet attack. And without further logging, I d guess this is a DOS attack on TCP 25. The clients are probably not even attempting
        Message 3 of 9 , Jun 16, 2013
        • 0 Attachment
          On 6/14/2013 11:19 AM, Viktor Dukhovni wrote:
          > On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:
          >
          >> On 14 June 2013 17:44, c cc <subads@...> wrote:
          >>>
          >>> Hi,
          >>>
          >>> For the last few days, I noticed that our postfix server had crawl to a halt
          >>> due to some kind of email attack. As you can see below, there were a lot of
          >>> smtp connections. I was wondering if there is a way to stop this from
          >>> Postfix? Thanks!
          >>>
          >>> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
          >>> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED
          >>> 17329/smtpd
          >>> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
          >>> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
          >>> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
          >>
          >> Presumably they are connecting more than once? Fail2ban?
          >
          > Looks more like a botnet, so the connections may not in fact recur.

          Quite right, it is a botnet attack. And without further logging, I'd
          guess this is a DOS attack on TCP 25. The clients are probably not even
          attempting delivery, but simply tying up TCP sockets.

          > I would consider disabling reverse DNS resolution under stress.
          > Anything that reduces latency in the SMTP server. Also make sure
          > recipient lookups are fast (SAV and RAV may lead to concurrency
          > spikes, try to have static sources of recipient information).
          >
          > Also raise the number of smtpd(8) processes. The postscreen(8)
          > feature may help, but this is best with Postfix 2.10.0 or so.

          This is a scenario purpose built for postscreen, is it not? In lieu of
          postscreen, and in addition to Viktor's other suggestions, two simple
          restrictions may have greatly reduced the impact of this attack:

          1. reject_unknown_reverse_client_hostname
          2. http://www.hardwarefreak.com/fqrdns.pcre

          fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
          contains many of them. I'll be adding the others in the near future.

          --
          Stan
        • Viktor Dukhovni
          ... It could be a dictionary attack, or receiver-side DNS latency, or greet pauses in the SMTP server, or delays due to sender or recipient verification
          Message 4 of 9 , Jun 16, 2013
          • 0 Attachment
            On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:

            > > Looks more like a botnet, so the connections may not in fact recur.
            >
            > Quite right, it is a botnet attack. And without further logging, I'd
            > guess this is a DOS attack on TCP 25. The clients are probably not even
            > attempting delivery, but simply tying up TCP sockets.

            It could be a dictionary attack, or receiver-side DNS latency, or
            greet pauses in the SMTP server, or delays due to sender or recipient
            verification probes, or insufficient smtpd(8) concurrency to deal
            with reasonable peak loads.

            > This is a scenario purpose built for postscreen, is it not? In lieu of
            > postscreen, and in addition to Viktor's other suggestions, two simple
            > restrictions may have greatly reduced the impact of this attack:

            Yes, postscreen.

            > 1. reject_unknown_reverse_client_hostname
            > 2. http://www.hardwarefreak.com/fqrdns.pcre
            >
            > fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
            > contains many of them. I'll be adding the others in the near future.

            Carefully selected augmentation of the PBL may well be effective.
            I also hope Stan or someone else reputable can from time to time
            nominate particurly bot-active CIDR blocks consisting exclusively
            of consumer-grade DHCP addresses for the PBL (send an email to a
            contact at SpamHaus).

            --
            Viktor.
          • Stan Hoeppner
            ... It s a bit of a pity the OP didn t follow up and participate. Some interesting statistics surrounding this apparent botnet attack. I say apparent now
            Message 5 of 9 , Jun 17, 2013
            • 0 Attachment
              On 6/16/2013 12:59 PM, Viktor Dukhovni wrote:
              > On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:
              >
              >>> Looks more like a botnet, so the connections may not in fact recur.
              >>
              >> Quite right, it is a botnet attack. And without further logging, I'd
              >> guess this is a DOS attack on TCP 25. The clients are probably not even
              >> attempting delivery, but simply tying up TCP sockets.
              >
              > It could be a dictionary attack, or receiver-side DNS latency, or
              > greet pauses in the SMTP server, or delays due to sender or recipient
              > verification probes, or insufficient smtpd(8) concurrency to deal
              > with reasonable peak loads.

              It's a bit of a pity the OP didn't follow up and participate. Some
              interesting statistics surrounding this apparent botnet attack. I say
              "apparent" now because I'm beginning to think this may not have been the
              case at all. Of the 128 IPs he listed from netstat:

              54 return NXDOMAIN [1]
              50 would have been REJECTED by fqrdns.pcre [2]
              128 listed by Zen with 127.0.0.4 (CBL) [3]
              5 listed by Zen with 127.0.0.10 (PBL) [4]
              108 listed by Zen with 127.0.0.11 (PBL) [5]

              reject_unknown_reverse_client_hostname would have rejected 54/128, 42%.
              That plus fqrdns.pcre, 104/128, 81%. These alone would have stemmed
              the tide. Now, assuming not all of these had yet hit the CBL, if the OP
              had been using Zen he'd have still rejected at least 113/128 of these
              because they were already listed in the PBL at the time of the event.
              It almost seems as if this Postfix simply had no A/S countermeasures
              configured at all. Either that or SA was installed assuming it would
              "just do it" by itself. Maybe one of those insane govt/corp policies
              that requires all spam to be archived? We can only guess without
              further input from the OP.

              ...
              > Carefully selected augmentation of the PBL may well be effective.
              > I also hope Stan or someone else reputable can from time to time
              > nominate particurly bot-active CIDR blocks consisting exclusively
              > of consumer-grade DHCP addresses for the PBL (send an email to a
              > contact at SpamHaus).

              As noted, the PBL already contains 113 of the IPs, and the CBL had all
              128 either before and/or after this event, most likely before. 113 were
              dual listed in both the PBL and CBL. This tends to suggest the PBL
              listings are relatively old. The host in question apparently wasn't
              configured to use Zen.

              I have recommended netblocks for inclusion in the PBL in the past.
              These are taken under advisement. Note that the trap network feeding
              the CBL is vast, global, on the order of 1 million+ addresses across
              10K+ domains in just about every country with IP transit. Thus Spamhaus
              have a much better view of where bots are emitting than me or just about
              anyone. AIUI, after some $_threshold, if a netblock has constant bot
              activity, and the provider hasn't voluntarily listed it, Spamhaus will.
              That's the difference between 127.0.0.11 (Spamhaus maintained) and
              127.0.0.10 (ISP maintained).

              Of these 128 Spamhaus listed 108 of them, while ISPs only voluntarily
              listed 5. This is characteristic of South/Central America, and some
              other parts of the world. My perception is that in North America,
              Europe, and the English Commonwealth countries there's typically much
              larger PBL buy-in among ISPs, less so in other parts of the World. Note
              these are my perceptions based on word of mouth, personal connections,
              etc. I do not work for Spamhaus, nor do I speak on behalf of Spamhaus.

              --
              Stan



              [1] $ grep -i nxdomain hostrdns.txt

              Host 155.200.192.2.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 115.243.105.37.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 151.140.42.77.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 250.208.175.83.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 93.105.162.90.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 175.82.3.103.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 3.128.166.109.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 36.18.251.146.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 116.195.152.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 59.31.65.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 59.31.65.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 254.148.66.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 196.192.66.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 103.3.66.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 37.101.67.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 105.61.67.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 224.72.72.181.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 18.117.119.186.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 66.0.46.186.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 236.21.50.188.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 176.16.52.188.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 166.157.102.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 88.38.209.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 192.164.232.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 116.187.232.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 64.17.233.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 111.197.233.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 19.52.233.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 177.101.236.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 102.167.236.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 142.212.236.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 194.52.236.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 223.6.236.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 253.36.237.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 42.122.238.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 213.4.238.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 173.100.239.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 200.123.239.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 192.129.239.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 136.175.253.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 138.20.253.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 173.161.254.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 60.180.41.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 153.30.41.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 185.150.42.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 88.179.42.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 211.241.42.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 207.75.42.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 131.95.42.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 174.58.43.190.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 236.122.2.197.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 214.50.35.200.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 203.117.247.201.in-addr.arpa. not found: 3(NXDOMAIN)
              Host 54.203.231.212.in-addr.arpa. not found: 3(NXDOMAIN)


              [2] $ while read i; do postmap -q $i pcre:/etc/postfix/fqrdns.pcre;
              done < rdns|grep REJECT

              REJECT Generic - Please relay via ISP (icpnet.pl)
              REJECT Dynamic - Please relay via ISP (orange.es)
              REJECT Dynamic - Please relay via ISP (jazztel.es)
              REJECT Dynamic - Please relay via ISP (saudi.net.sa)
              REJECT Dynamic - Please relay via ISP (jazztel.es)
              REJECT Generic - Please relay via ISP (bezeqint.net)
              REJECT Generic - Please relay via ISP (telmex.net.ar)
              REJECT Generic - Please relay via ISP (virtua.com.br)
              REJECT Generic - Please relay via ISP (fibertel.com.ar)
              REJECT Dynamic - Please relay via ISP (cable.net.co)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Dynamic - Please relay via ISP (etb.net.co)
              REJECT Dynamic - Please relay via ISP (etb.net.co)
              REJECT Dynamic - Please relay via ISP (anteldata.net.uy)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Dynamic - Please relay via ISP (cable.net.co)
              REJECT Dynamic - Please relay via ISP (prod-infinitum.com.mx)
              REJECT Dynamic - Please relay via ISP (jazztel.es)
              REJECT Dynamic - Please relay via ISP (prod-infinitum.com.mx)
              REJECT Dynamic - Please relay via ISP (cable.net.co)
              REJECT Generic - Please relay via ISP (vtr.net)
              REJECT Generic - Please relay via ISP (fibertel.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (fibertel.com.ar)
              REJECT Generic - Please relay via ISP (fibertel.com.ar)
              REJECT Generic - Please relay via ISP (vtr.net)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (codetel.net.do)
              REJECT Generic - Please relay via ISP (speedy.net.pe)
              REJECT Generic - Please relay via ISP (epm.net.co)
              REJECT Generic - Please relay via ISP (satnet.net)
              REJECT Generic - Please relay via ISP (vtr.net)
              REJECT Generic - Please relay via ISP (speedy.net.pe)
              REJECT Generic - Please relay via ISP (speedy.net.pe)
              REJECT Generic - Please relay via ISP (epm.net.co)
              REJECT Generic - Please relay via ISP (speedy.net.pe)
              REJECT Dynamic - Please relay via ISP (etb.net.co)
              REJECT Generic - Please relay via ISP (speedy.com.ar)
              REJECT Generic - Please relay via ISP (speedy.com.ar)


              [3] $ cat zenresult

              160.168.135.2.zen.spamhaus.org has address 127.0.0.11
              160.168.135.2.zen.spamhaus.org has address 127.0.0.4
              160.168.135.2.zen.spamhaus.org has address 127.0.0.11
              160.168.135.2.zen.spamhaus.org has address 127.0.0.4
              155.200.192.2.zen.spamhaus.org has address 127.0.0.11
              155.200.192.2.zen.spamhaus.org has address 127.0.0.4
              115.243.105.37.zen.spamhaus.org has address 127.0.0.4
              115.243.105.37.zen.spamhaus.org has address 127.0.0.11
              151.140.42.77.zen.spamhaus.org has address 127.0.0.11
              151.140.42.77.zen.spamhaus.org has address 127.0.0.4
              122.36.65.77.zen.spamhaus.org has address 127.0.0.4
              122.36.65.77.zen.spamhaus.org has address 127.0.0.11
              250.208.175.83.zen.spamhaus.org has address 127.0.0.4
              217.169.60.85.zen.spamhaus.org has address 127.0.0.11
              217.169.60.85.zen.spamhaus.org has address 127.0.0.4
              196.165.217.87.zen.spamhaus.org has address 127.0.0.11
              196.165.217.87.zen.spamhaus.org has address 127.0.0.4
              184.22.148.90.zen.spamhaus.org has address 127.0.0.4
              184.22.148.90.zen.spamhaus.org has address 127.0.0.11
              93.105.162.90.zen.spamhaus.org has address 127.0.0.11
              93.105.162.90.zen.spamhaus.org has address 127.0.0.4
              226.221.20.95.zen.spamhaus.org has address 127.0.0.4
              226.221.20.95.zen.spamhaus.org has address 127.0.0.11
              175.82.3.103.zen.spamhaus.org has address 127.0.0.11
              175.82.3.103.zen.spamhaus.org has address 127.0.0.4
              3.128.166.109.zen.spamhaus.org has address 127.0.0.4
              3.128.166.109.zen.spamhaus.org has address 127.0.0.11
              149.119.65.109.zen.spamhaus.org has address 127.0.0.4
              149.119.65.109.zen.spamhaus.org has address 127.0.0.10
              36.18.251.146.zen.spamhaus.org has address 127.0.0.4
              36.18.251.146.zen.spamhaus.org has address 127.0.0.11
              233.28.246.148.zen.spamhaus.org has address 127.0.0.4
              247.244.51.170.zen.spamhaus.org has address 127.0.0.11
              247.244.51.170.zen.spamhaus.org has address 127.0.0.4
              194.30.50.173.zen.spamhaus.org has address 127.0.0.4
              251.11.233.179.zen.spamhaus.org has address 127.0.0.4
              251.11.233.179.zen.spamhaus.org has address 127.0.0.11
              164.120.216.180.zen.spamhaus.org has address 127.0.0.11
              164.120.216.180.zen.spamhaus.org has address 127.0.0.4
              166.169.135.181.zen.spamhaus.org has address 127.0.0.11
              166.169.135.181.zen.spamhaus.org has address 127.0.0.4
              116.195.152.181.zen.spamhaus.org has address 127.0.0.4
              116.195.152.181.zen.spamhaus.org has address 127.0.0.11
              101.241.163.181.zen.spamhaus.org has address 127.0.0.4
              101.241.163.181.zen.spamhaus.org has address 127.0.0.11
              143.40.165.181.zen.spamhaus.org has address 127.0.0.11
              143.40.165.181.zen.spamhaus.org has address 127.0.0.4
              84.183.50.181.zen.spamhaus.org has address 127.0.0.4
              84.183.50.181.zen.spamhaus.org has address 127.0.0.11
              59.31.65.181.zen.spamhaus.org has address 127.0.0.4
              59.31.65.181.zen.spamhaus.org has address 127.0.0.11
              59.31.65.181.zen.spamhaus.org has address 127.0.0.11
              59.31.65.181.zen.spamhaus.org has address 127.0.0.4
              254.148.66.181.zen.spamhaus.org has address 127.0.0.4
              254.148.66.181.zen.spamhaus.org has address 127.0.0.11
              196.192.66.181.zen.spamhaus.org has address 127.0.0.4
              196.192.66.181.zen.spamhaus.org has address 127.0.0.11
              103.3.66.181.zen.spamhaus.org has address 127.0.0.11
              103.3.66.181.zen.spamhaus.org has address 127.0.0.4
              37.101.67.181.zen.spamhaus.org has address 127.0.0.4
              105.61.67.181.zen.spamhaus.org has address 127.0.0.4
              105.61.67.181.zen.spamhaus.org has address 127.0.0.11
              224.72.72.181.zen.spamhaus.org has address 127.0.0.11
              224.72.72.181.zen.spamhaus.org has address 127.0.0.4
              18.117.119.186.zen.spamhaus.org has address 127.0.0.4
              173.154.125.186.zen.spamhaus.org has address 127.0.0.4
              173.154.125.186.zen.spamhaus.org has address 127.0.0.11
              52.154.128.186.zen.spamhaus.org has address 127.0.0.4
              52.154.128.186.zen.spamhaus.org has address 127.0.0.11
              15.59.128.186.zen.spamhaus.org has address 127.0.0.4
              15.59.128.186.zen.spamhaus.org has address 127.0.0.11
              122.12.129.186.zen.spamhaus.org has address 127.0.0.11
              122.12.129.186.zen.spamhaus.org has address 127.0.0.4
              20.29.129.186.zen.spamhaus.org has address 127.0.0.4
              20.29.129.186.zen.spamhaus.org has address 127.0.0.11
              161.168.134.186.zen.spamhaus.org has address 127.0.0.11
              161.168.134.186.zen.spamhaus.org has address 127.0.0.4
              114.51.135.186.zen.spamhaus.org has address 127.0.0.4
              114.51.135.186.zen.spamhaus.org has address 127.0.0.11
              82.30.30.186.zen.spamhaus.org has address 127.0.0.11
              82.30.30.186.zen.spamhaus.org has address 127.0.0.4
              119.124.31.186.zen.spamhaus.org has address 127.0.0.4
              119.124.31.186.zen.spamhaus.org has address 127.0.0.11
              66.0.46.186.zen.spamhaus.org has address 127.0.0.4
              201.17.53.186.zen.spamhaus.org has address 127.0.0.4
              201.17.53.186.zen.spamhaus.org has address 127.0.0.11
              172.230.57.186.zen.spamhaus.org has address 127.0.0.4
              172.230.57.186.zen.spamhaus.org has address 127.0.0.11
              55.190.58.186.zen.spamhaus.org has address 127.0.0.4
              55.190.58.186.zen.spamhaus.org has address 127.0.0.11
              117.247.59.186.zen.spamhaus.org has address 127.0.0.11
              117.247.59.186.zen.spamhaus.org has address 127.0.0.4
              87.180.81.186.zen.spamhaus.org has address 127.0.0.11
              87.180.81.186.zen.spamhaus.org has address 127.0.0.4
              38.91.9.186.zen.spamhaus.org has address 127.0.0.4
              38.91.9.186.zen.spamhaus.org has address 127.0.0.11
              237.36.164.187.zen.spamhaus.org has address 127.0.0.4
              173.177.234.187.zen.spamhaus.org has address 127.0.0.11
              173.177.234.187.zen.spamhaus.org has address 127.0.0.4
              225.225.240.187.zen.spamhaus.org has address 127.0.0.4
              225.225.240.187.zen.spamhaus.org has address 127.0.0.11
              215.5.244.187.zen.spamhaus.org has address 127.0.0.4
              215.5.244.187.zen.spamhaus.org has address 127.0.0.11
              233.128.245.187.zen.spamhaus.org has address 127.0.0.4
              233.128.245.187.zen.spamhaus.org has address 127.0.0.11
              236.21.50.188.zen.spamhaus.org has address 127.0.0.11
              236.21.50.188.zen.spamhaus.org has address 127.0.0.4
              176.16.52.188.zen.spamhaus.org has address 127.0.0.11
              176.16.52.188.zen.spamhaus.org has address 127.0.0.4
              68.135.79.188.zen.spamhaus.org has address 127.0.0.4
              68.135.79.188.zen.spamhaus.org has address 127.0.0.11
              54.233.152.189.zen.spamhaus.org has address 127.0.0.4
              54.233.152.189.zen.spamhaus.org has address 127.0.0.11
              93.201.195.189.zen.spamhaus.org has address 127.0.0.11
              93.201.195.189.zen.spamhaus.org has address 127.0.0.4
              166.157.102.190.zen.spamhaus.org has address 127.0.0.4
              227.231.108.190.zen.spamhaus.org has address 127.0.0.4
              131.72.114.190.zen.spamhaus.org has address 127.0.0.11
              131.72.114.190.zen.spamhaus.org has address 127.0.0.4
              208.75.114.190.zen.spamhaus.org has address 127.0.0.4
              208.75.114.190.zen.spamhaus.org has address 127.0.0.11
              232.40.115.190.zen.spamhaus.org has address 127.0.0.4
              232.40.115.190.zen.spamhaus.org has address 127.0.0.11
              48.163.12.190.zen.spamhaus.org has address 127.0.0.4
              120.193.158.190.zen.spamhaus.org has address 127.0.0.11
              120.193.158.190.zen.spamhaus.org has address 127.0.0.4
              42.254.161.190.zen.spamhaus.org has address 127.0.0.11
              42.254.161.190.zen.spamhaus.org has address 127.0.0.4
              16.4.17.190.zen.spamhaus.org has address 127.0.0.4
              16.4.17.190.zen.spamhaus.org has address 127.0.0.11
              181.195.173.190.zen.spamhaus.org has address 127.0.0.4
              181.195.173.190.zen.spamhaus.org has address 127.0.0.11
              155.138.174.190.zen.spamhaus.org has address 127.0.0.11
              155.138.174.190.zen.spamhaus.org has address 127.0.0.4
              22.85.175.190.zen.spamhaus.org has address 127.0.0.4
              22.85.175.190.zen.spamhaus.org has address 127.0.0.11
              208.243.176.190.zen.spamhaus.org has address 127.0.0.4
              208.243.176.190.zen.spamhaus.org has address 127.0.0.11
              98.171.178.190.zen.spamhaus.org has address 127.0.0.4
              98.171.178.190.zen.spamhaus.org has address 127.0.0.11
              48.152.20.190.zen.spamhaus.org has address 127.0.0.11
              48.152.20.190.zen.spamhaus.org has address 127.0.0.4
              239.151.208.190.zen.spamhaus.org has address 127.0.0.4
              88.38.209.190.zen.spamhaus.org has address 127.0.0.11
              88.38.209.190.zen.spamhaus.org has address 127.0.0.4
              192.164.232.190.zen.spamhaus.org has address 127.0.0.4
              192.164.232.190.zen.spamhaus.org has address 127.0.0.11
              116.187.232.190.zen.spamhaus.org has address 127.0.0.4
              116.187.232.190.zen.spamhaus.org has address 127.0.0.11
              64.17.233.190.zen.spamhaus.org has address 127.0.0.11
              64.17.233.190.zen.spamhaus.org has address 127.0.0.4
              111.197.233.190.zen.spamhaus.org has address 127.0.0.4
              111.197.233.190.zen.spamhaus.org has address 127.0.0.11
              19.52.233.190.zen.spamhaus.org has address 127.0.0.11
              19.52.233.190.zen.spamhaus.org has address 127.0.0.4
              177.101.236.190.zen.spamhaus.org has address 127.0.0.11
              177.101.236.190.zen.spamhaus.org has address 127.0.0.4
              102.167.236.190.zen.spamhaus.org has address 127.0.0.11
              102.167.236.190.zen.spamhaus.org has address 127.0.0.4
              142.212.236.190.zen.spamhaus.org has address 127.0.0.4
              142.212.236.190.zen.spamhaus.org has address 127.0.0.11
              194.52.236.190.zen.spamhaus.org has address 127.0.0.4
              194.52.236.190.zen.spamhaus.org has address 127.0.0.11
              223.6.236.190.zen.spamhaus.org has address 127.0.0.4
              223.6.236.190.zen.spamhaus.org has address 127.0.0.11
              253.36.237.190.zen.spamhaus.org has address 127.0.0.4
              253.36.237.190.zen.spamhaus.org has address 127.0.0.11
              42.122.238.190.zen.spamhaus.org has address 127.0.0.4
              42.122.238.190.zen.spamhaus.org has address 127.0.0.11
              213.4.238.190.zen.spamhaus.org has address 127.0.0.11
              213.4.238.190.zen.spamhaus.org has address 127.0.0.4
              173.100.239.190.zen.spamhaus.org has address 127.0.0.4
              173.100.239.190.zen.spamhaus.org has address 127.0.0.11
              200.123.239.190.zen.spamhaus.org has address 127.0.0.11
              200.123.239.190.zen.spamhaus.org has address 127.0.0.4
              192.129.239.190.zen.spamhaus.org has address 127.0.0.11
              192.129.239.190.zen.spamhaus.org has address 127.0.0.4
              138.126.244.190.zen.spamhaus.org has address 127.0.0.4
              138.126.244.190.zen.spamhaus.org has address 127.0.0.11
              30.39.245.190.zen.spamhaus.org has address 127.0.0.11
              30.39.245.190.zen.spamhaus.org has address 127.0.0.4
              136.175.253.190.zen.spamhaus.org has address 127.0.0.4
              136.175.253.190.zen.spamhaus.org has address 127.0.0.11
              138.20.253.190.zen.spamhaus.org has address 127.0.0.4
              138.20.253.190.zen.spamhaus.org has address 127.0.0.11
              173.161.254.190.zen.spamhaus.org has address 127.0.0.11
              173.161.254.190.zen.spamhaus.org has address 127.0.0.4
              60.180.41.190.zen.spamhaus.org has address 127.0.0.4
              60.180.41.190.zen.spamhaus.org has address 127.0.0.11
              153.30.41.190.zen.spamhaus.org has address 127.0.0.4
              185.150.42.190.zen.spamhaus.org has address 127.0.0.11
              185.150.42.190.zen.spamhaus.org has address 127.0.0.4
              88.179.42.190.zen.spamhaus.org has address 127.0.0.11
              88.179.42.190.zen.spamhaus.org has address 127.0.0.4
              211.241.42.190.zen.spamhaus.org has address 127.0.0.4
              211.241.42.190.zen.spamhaus.org has address 127.0.0.11
              207.75.42.190.zen.spamhaus.org has address 127.0.0.4
              207.75.42.190.zen.spamhaus.org has address 127.0.0.11
              131.95.42.190.zen.spamhaus.org has address 127.0.0.11
              131.95.42.190.zen.spamhaus.org has address 127.0.0.4
              174.58.43.190.zen.spamhaus.org has address 127.0.0.11
              174.58.43.190.zen.spamhaus.org has address 127.0.0.4
              10.37.45.190.zen.spamhaus.org has address 127.0.0.11
              10.37.45.190.zen.spamhaus.org has address 127.0.0.4
              101.127.51.190.zen.spamhaus.org has address 127.0.0.4
              101.127.51.190.zen.spamhaus.org has address 127.0.0.11
              214.133.7.190.zen.spamhaus.org has address 127.0.0.4
              214.133.7.190.zen.spamhaus.org has address 127.0.0.11
              145.151.80.190.zen.spamhaus.org has address 127.0.0.10
              145.151.80.190.zen.spamhaus.org has address 127.0.0.4
              236.122.2.197.zen.spamhaus.org has address 127.0.0.11
              236.122.2.197.zen.spamhaus.org has address 127.0.0.4
              150.92.106.200.zen.spamhaus.org has address 127.0.0.4
              150.92.106.200.zen.spamhaus.org has address 127.0.0.11
              222.44.116.200.zen.spamhaus.org has address 127.0.0.4
              222.44.116.200.zen.spamhaus.org has address 127.0.0.10
              214.50.35.200.zen.spamhaus.org has address 127.0.0.4
              214.50.35.200.zen.spamhaus.org has address 127.0.0.11
              218.225.63.200.zen.spamhaus.org has address 127.0.0.11
              218.225.63.200.zen.spamhaus.org has address 127.0.0.4
              123.71.86.200.zen.spamhaus.org has address 127.0.0.11
              123.71.86.200.zen.spamhaus.org has address 127.0.0.4
              241.54.155.201.zen.spamhaus.org has address 127.0.0.4
              47.27.189.201.zen.spamhaus.org has address 127.0.0.4
              47.27.189.201.zen.spamhaus.org has address 127.0.0.11
              195.14.230.201.zen.spamhaus.org has address 127.0.0.11
              195.14.230.201.zen.spamhaus.org has address 127.0.0.4
              160.26.230.201.zen.spamhaus.org has address 127.0.0.4
              160.26.230.201.zen.spamhaus.org has address 127.0.0.11
              166.202.232.201.zen.spamhaus.org has address 127.0.0.4
              166.202.232.201.zen.spamhaus.org has address 127.0.0.10
              3.251.240.201.zen.spamhaus.org has address 127.0.0.4
              3.251.240.201.zen.spamhaus.org has address 127.0.0.11
              107.193.244.201.zen.spamhaus.org has address 127.0.0.10
              107.193.244.201.zen.spamhaus.org has address 127.0.0.4
              203.117.247.201.zen.spamhaus.org has address 127.0.0.4
              205.123.250.201.zen.spamhaus.org has address 127.0.0.4
              205.123.250.201.zen.spamhaus.org has address 127.0.0.11
              202.45.250.201.zen.spamhaus.org has address 127.0.0.11
              202.45.250.201.zen.spamhaus.org has address 127.0.0.4
              54.203.231.212.zen.spamhaus.org has address 127.0.0.4


              [4] $ grep 127.0.0.10 zenresult

              149.119.65.109.zen.spamhaus.org has address 127.0.0.10
              145.151.80.190.zen.spamhaus.org has address 127.0.0.10
              222.44.116.200.zen.spamhaus.org has address 127.0.0.10
              166.202.232.201.zen.spamhaus.org has address 127.0.0.10
              107.193.244.201.zen.spamhaus.org has address 127.0.0.10


              [5] $ grep 127.0.0.11 zenresult

              160.168.135.2.zen.spamhaus.org has address 127.0.0.11
              160.168.135.2.zen.spamhaus.org has address 127.0.0.11
              155.200.192.2.zen.spamhaus.org has address 127.0.0.11
              115.243.105.37.zen.spamhaus.org has address 127.0.0.11
              151.140.42.77.zen.spamhaus.org has address 127.0.0.11
              122.36.65.77.zen.spamhaus.org has address 127.0.0.11
              217.169.60.85.zen.spamhaus.org has address 127.0.0.11
              196.165.217.87.zen.spamhaus.org has address 127.0.0.11
              184.22.148.90.zen.spamhaus.org has address 127.0.0.11
              93.105.162.90.zen.spamhaus.org has address 127.0.0.11
              226.221.20.95.zen.spamhaus.org has address 127.0.0.11
              175.82.3.103.zen.spamhaus.org has address 127.0.0.11
              3.128.166.109.zen.spamhaus.org has address 127.0.0.11
              36.18.251.146.zen.spamhaus.org has address 127.0.0.11
              247.244.51.170.zen.spamhaus.org has address 127.0.0.11
              251.11.233.179.zen.spamhaus.org has address 127.0.0.11
              164.120.216.180.zen.spamhaus.org has address 127.0.0.11
              166.169.135.181.zen.spamhaus.org has address 127.0.0.11
              116.195.152.181.zen.spamhaus.org has address 127.0.0.11
              101.241.163.181.zen.spamhaus.org has address 127.0.0.11
              143.40.165.181.zen.spamhaus.org has address 127.0.0.11
              84.183.50.181.zen.spamhaus.org has address 127.0.0.11
              59.31.65.181.zen.spamhaus.org has address 127.0.0.11
              59.31.65.181.zen.spamhaus.org has address 127.0.0.11
              254.148.66.181.zen.spamhaus.org has address 127.0.0.11
              196.192.66.181.zen.spamhaus.org has address 127.0.0.11
              103.3.66.181.zen.spamhaus.org has address 127.0.0.11
              105.61.67.181.zen.spamhaus.org has address 127.0.0.11
              224.72.72.181.zen.spamhaus.org has address 127.0.0.11
              173.154.125.186.zen.spamhaus.org has address 127.0.0.11
              52.154.128.186.zen.spamhaus.org has address 127.0.0.11
              15.59.128.186.zen.spamhaus.org has address 127.0.0.11
              122.12.129.186.zen.spamhaus.org has address 127.0.0.11
              20.29.129.186.zen.spamhaus.org has address 127.0.0.11
              161.168.134.186.zen.spamhaus.org has address 127.0.0.11
              114.51.135.186.zen.spamhaus.org has address 127.0.0.11
              82.30.30.186.zen.spamhaus.org has address 127.0.0.11
              119.124.31.186.zen.spamhaus.org has address 127.0.0.11
              201.17.53.186.zen.spamhaus.org has address 127.0.0.11
              172.230.57.186.zen.spamhaus.org has address 127.0.0.11
              55.190.58.186.zen.spamhaus.org has address 127.0.0.11
              117.247.59.186.zen.spamhaus.org has address 127.0.0.11
              87.180.81.186.zen.spamhaus.org has address 127.0.0.11
              38.91.9.186.zen.spamhaus.org has address 127.0.0.11
              173.177.234.187.zen.spamhaus.org has address 127.0.0.11
              225.225.240.187.zen.spamhaus.org has address 127.0.0.11
              215.5.244.187.zen.spamhaus.org has address 127.0.0.11
              233.128.245.187.zen.spamhaus.org has address 127.0.0.11
              236.21.50.188.zen.spamhaus.org has address 127.0.0.11
              176.16.52.188.zen.spamhaus.org has address 127.0.0.11
              68.135.79.188.zen.spamhaus.org has address 127.0.0.11
              54.233.152.189.zen.spamhaus.org has address 127.0.0.11
              93.201.195.189.zen.spamhaus.org has address 127.0.0.11
              131.72.114.190.zen.spamhaus.org has address 127.0.0.11
              208.75.114.190.zen.spamhaus.org has address 127.0.0.11
              232.40.115.190.zen.spamhaus.org has address 127.0.0.11
              120.193.158.190.zen.spamhaus.org has address 127.0.0.11
              42.254.161.190.zen.spamhaus.org has address 127.0.0.11
              16.4.17.190.zen.spamhaus.org has address 127.0.0.11
              181.195.173.190.zen.spamhaus.org has address 127.0.0.11
              155.138.174.190.zen.spamhaus.org has address 127.0.0.11
              22.85.175.190.zen.spamhaus.org has address 127.0.0.11
              208.243.176.190.zen.spamhaus.org has address 127.0.0.11
              98.171.178.190.zen.spamhaus.org has address 127.0.0.11
              48.152.20.190.zen.spamhaus.org has address 127.0.0.11
              88.38.209.190.zen.spamhaus.org has address 127.0.0.11
              192.164.232.190.zen.spamhaus.org has address 127.0.0.11
              116.187.232.190.zen.spamhaus.org has address 127.0.0.11
              64.17.233.190.zen.spamhaus.org has address 127.0.0.11
              111.197.233.190.zen.spamhaus.org has address 127.0.0.11
              19.52.233.190.zen.spamhaus.org has address 127.0.0.11
              177.101.236.190.zen.spamhaus.org has address 127.0.0.11
              102.167.236.190.zen.spamhaus.org has address 127.0.0.11
              142.212.236.190.zen.spamhaus.org has address 127.0.0.11
              194.52.236.190.zen.spamhaus.org has address 127.0.0.11
              223.6.236.190.zen.spamhaus.org has address 127.0.0.11
              253.36.237.190.zen.spamhaus.org has address 127.0.0.11
              42.122.238.190.zen.spamhaus.org has address 127.0.0.11
              213.4.238.190.zen.spamhaus.org has address 127.0.0.11
              173.100.239.190.zen.spamhaus.org has address 127.0.0.11
              200.123.239.190.zen.spamhaus.org has address 127.0.0.11
              192.129.239.190.zen.spamhaus.org has address 127.0.0.11
              138.126.244.190.zen.spamhaus.org has address 127.0.0.11
              30.39.245.190.zen.spamhaus.org has address 127.0.0.11
              136.175.253.190.zen.spamhaus.org has address 127.0.0.11
              138.20.253.190.zen.spamhaus.org has address 127.0.0.11
              173.161.254.190.zen.spamhaus.org has address 127.0.0.11
              60.180.41.190.zen.spamhaus.org has address 127.0.0.11
              185.150.42.190.zen.spamhaus.org has address 127.0.0.11
              88.179.42.190.zen.spamhaus.org has address 127.0.0.11
              211.241.42.190.zen.spamhaus.org has address 127.0.0.11
              207.75.42.190.zen.spamhaus.org has address 127.0.0.11
              131.95.42.190.zen.spamhaus.org has address 127.0.0.11
              174.58.43.190.zen.spamhaus.org has address 127.0.0.11
              10.37.45.190.zen.spamhaus.org has address 127.0.0.11
              101.127.51.190.zen.spamhaus.org has address 127.0.0.11
              214.133.7.190.zen.spamhaus.org has address 127.0.0.11
              236.122.2.197.zen.spamhaus.org has address 127.0.0.11
              150.92.106.200.zen.spamhaus.org has address 127.0.0.11
              214.50.35.200.zen.spamhaus.org has address 127.0.0.11
              218.225.63.200.zen.spamhaus.org has address 127.0.0.11
              123.71.86.200.zen.spamhaus.org has address 127.0.0.11
              47.27.189.201.zen.spamhaus.org has address 127.0.0.11
              195.14.230.201.zen.spamhaus.org has address 127.0.0.11
              160.26.230.201.zen.spamhaus.org has address 127.0.0.11
              3.251.240.201.zen.spamhaus.org has address 127.0.0.11
              205.123.250.201.zen.spamhaus.org has address 127.0.0.11
              202.45.250.201.zen.spamhaus.org has address 127.0.0.11
            Your message has been successfully submitted and would be delivered to recipients shortly.