
Re: how to stop massive email attack in Postfix

  • Bastian Blank
    Message 1 of 9 , Jun 15, 2013
      On Fri, Jun 14, 2013 at 03:44:23PM +0000, c cc wrote:

      First, get a name.

      > For the last few days, I noticed that our postfix server had crawled to a
      > halt due to some kind of email attack.

      Show logs and the config, see
      http://www.postfix.org/DEBUG_README.html#mail. If you configure Postfix
      to allow 100 concurrent connections, it will gladly do so. If your system
      can't handle this load, lower that count.

      Bastian

      --
      Sometimes a feeling is all we humans have to go on.
      -- Kirk, "A Taste of Armageddon", stardate 3193.9
    • Stan Hoeppner
      Message 2 of 9 , Jun 16, 2013
        On 6/14/2013 11:19 AM, Viktor Dukhovni wrote:
        > On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:
        >
        >> On 14 June 2013 17:44, c cc <subads@...> wrote:
        >>>
        >>> Hi,
        >>>
        >>> For the last few days, I noticed that our postfix server had crawled to a halt
        >>> due to some kind of email attack. As you can see below, there were a lot of
        >>> smtp connections. I was wondering if there is a way to stop this from
        >>> Postfix? Thanks!
        >>>
        >>> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
        >>> tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED
        >>> 17329/smtpd
        >>> tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
        >>> tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
        >>> tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
        >>
        >> Presumably they are connecting more than once? Fail2ban?
        >
        > Looks more like a botnet, so the connections may not in fact recur.

        Quite right, it is a botnet attack. And without further logging, I'd
        guess this is a DOS attack on TCP 25. The clients are probably not even
        attempting delivery, but simply tying up TCP sockets.

        > I would consider disabling reverse DNS resolution under stress.
        > Anything that reduces latency in the SMTP server. Also make sure
        > recipient lookups are fast (SAV and RAV may lead to concurrency
        > spikes, try to have static sources of recipient information).
        >
        > Also raise the number of smtpd(8) processes. The postscreen(8)
        > feature may help, but this is best with Postfix 2.10.0 or so.

        This is a scenario purpose built for postscreen, is it not? In lieu of
        postscreen, and in addition to Viktor's other suggestions, two simple
        restrictions may have greatly reduced the impact of this attack:

        1. reject_unknown_reverse_client_hostname
        2. http://www.hardwarefreak.com/fqrdns.pcre

        fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
        contains many of them. I'll be adding the others in the near future.

        --
        Stan
      • Viktor Dukhovni
        Message 3 of 9 , Jun 16, 2013
          On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:

          > > Looks more like a botnet, so the connections may not in fact recur.
          >
          > Quite right, it is a botnet attack. And without further logging, I'd
          > guess this is a DOS attack on TCP 25. The clients are probably not even
          > attempting delivery, but simply tying up TCP sockets.

          It could be a dictionary attack, or receiver-side DNS latency, or
          greet pauses in the SMTP server, or delays due to sender or recipient
          verification probes, or insufficient smtpd(8) concurrency to deal
          with reasonable peak loads.

          > This is a scenario purpose built for postscreen, is it not? In lieu of
          > postscreen, and in addition to Viktor's other suggestions, two simple
          > restrictions may have greatly reduced the impact of this attack:

          Yes, postscreen.

          > 1. reject_unknown_reverse_client_hostname
          > 2. http://www.hardwarefreak.com/fqrdns.pcre
          >
          > fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
          > contains many of them. I'll be adding the others in the near future.

          Carefully selected augmentation of the PBL may well be effective.
          I also hope Stan or someone else reputable can from time to time
          nominate particularly bot-active CIDR blocks consisting exclusively
          of consumer-grade DHCP addresses for the PBL (send an email to a
          contact at SpamHaus).

          --
          Viktor.
        • Stan Hoeppner
          Message 4 of 9 , Jun 17, 2013
            On 6/16/2013 12:59 PM, Viktor Dukhovni wrote:
            > On Sun, Jun 16, 2013 at 07:55:28AM -0500, Stan Hoeppner wrote:
            >
            >>> Looks more like a botnet, so the connections may not in fact recur.
            >>
            >> Quite right, it is a botnet attack. And without further logging, I'd
            >> guess this is a DOS attack on TCP 25. The clients are probably not even
            >> attempting delivery, but simply tying up TCP sockets.
            >
            > It could be a dictionary attack, or receiver-side DNS latency, or
            > greet pauses in the SMTP server, or delays due to sender or recipient
            > verification probes, or insufficient smtpd(8) concurrency to deal
            > with reasonable peak loads.

            It's a bit of a pity the OP didn't follow up and participate. Some
            interesting statistics surrounding this apparent botnet attack. I say
            "apparent" now because I'm beginning to think this may not have been the
            case at all. Of the 128 IPs he listed from netstat:

            54 return NXDOMAIN [1]
            50 would have been REJECTED by fqrdns.pcre [2]
            128 listed by Zen with 127.0.0.4 (CBL) [3]
            5 listed by Zen with 127.0.0.10 (PBL) [4]
            108 listed by Zen with 127.0.0.11 (PBL) [5]

            reject_unknown_reverse_client_hostname would have rejected 54/128, 42%.
            That plus fqrdns.pcre, 104/128, 81%. These alone would have stemmed
            the tide. Now, assuming not all of these had yet hit the CBL, if the OP
            had been using Zen he'd have still rejected at least 113/128 of these
            because they were already listed in the PBL at the time of the event.
            It almost seems as if this Postfix simply had no A/S countermeasures
            configured at all. Either that or SA was installed assuming it would
            "just do it" by itself. Maybe one of those insane govt/corp policies
            that requires all spam to be archived? We can only guess without
            further input from the OP.

            ...
            > Carefully selected augmentation of the PBL may well be effective.
            > I also hope Stan or someone else reputable can from time to time
            > nominate particularly bot-active CIDR blocks consisting exclusively
            > of consumer-grade DHCP addresses for the PBL (send an email to a
            > contact at SpamHaus).

            As noted, the PBL already contains 113 of the IPs, and the CBL had all
            128 either before and/or after this event, most likely before. 113 were
            dual listed in both the PBL and CBL. This tends to suggest the PBL
            listings are relatively old. The host in question apparently wasn't
            configured to use Zen.

            I have recommended netblocks for inclusion in the PBL in the past.
            These are taken under advisement. Note that the trap network feeding
            the CBL is vast, global, on the order of 1 million+ addresses across
            10K+ domains in just about every country with IP transit. Thus Spamhaus
            have a much better view of where bots are emitting than me or just about
            anyone. AIUI, after some $_threshold, if a netblock has constant bot
            activity, and the provider hasn't voluntarily listed it, Spamhaus will.
            That's the difference between 127.0.0.11 (Spamhaus maintained) and
            127.0.0.10 (ISP maintained).

            Of these 128 Spamhaus listed 108 of them, while ISPs only voluntarily
            listed 5. This is characteristic of South/Central America, and some
            other parts of the world. My perception is that in North America,
            Europe, and the English Commonwealth countries there's typically much
            larger PBL buy-in among ISPs, less so in other parts of the World. Note
            these are my perceptions based on word of mouth, personal connections,
            etc. I do not work for Spamhaus, nor do I speak on behalf of Spamhaus.

            --
            Stan



            [1] $ grep -i nxdomain hostrdns.txt



            [2] $ while read i; do postmap -q $i pcre:/etc/postfix/fqrdns.pcre;
            done < rdns|grep REJECT



            [3] $ cat zenresult



            [4] $ grep 127.0.0.10 zenresult

            149.119.65.109.zen.spamhaus.org has address 127.0.0.10
            145.151.80.190.zen.spamhaus.org has address 127.0.0.10
            222.44.116.200.zen.spamhaus.org has address 127.0.0.10
            166.202.232.201.zen.spamhaus.org has address 127.0.0.10
            107.193.244.201.zen.spamhaus.org has address 127.0.0.10


            [5] $ grep 127.0.0.11 zenresult
