On my server I run Fail2ban to try to catch spammers, bots and other types of annoyances that those who run servers see every day. Recently I sent a couple of emails showing banned hosts from my server. These are typical reports from Fail2ban showing how and from where a particular attempt (usually a login) has failed. It was – and always is – my intent to get the ISP to check into the address of the user to figure out what is happening on their network.
The IP 184.108.40.206 has made multiple attempts to authorize against my
mail server. It is in danger of being permanently blocked.
From: Fail2Ban [redacted]
Subject: [Fail2Ban] Dovecot-Auth: banned 220.127.116.11 from rwcinc.net
Date: Wed, 23 Mar 2016 13:21:42 -0700
The IP 18.104.22.168 has just been banned by Fail2Ban after
3 attempts against Dovecot-Auth.
I attached around 5 emails that showed the same IP being blocked after 5 attempts each so there is something happening at that address.
I got a response a few days later. I can’t tell if they did anything about it or are just telling me that they don’t bother to read attached, forwarded emails.
If you are reporting an e-mail related incident, and you check your email via our webmail service,
you can select all of the spam in your inbox and click on the “Report spam” button, this will send
your spam with all needed information to email@example.com so they can improve our spam
Bla bla bla….
Road Runner will not accept logs that are not in plain text (ascii) format. Do not attach files to
your e-mail. All logs must be included in the body of the message.
So this is the part I’m not sure about. I guess I can check to see if I continue to get Fail2ban reports on the offensive IP and proceed to block the entire netblock because some admin doesn’t want to read an attachment…
Yes, there is another set of login attempts requiring the following email:
This is my second report to you. My first included copies of six such
automated and temporary bans. I am unsure if any action was taken by
RR/Time Warner as there was no clear indication that you did actually
review and take action to prevent this connection’s unauthorized access
Please let me know that you have taken steps to correct the
unauthorized access attempts from your network.
We’ll see if there is any more satisfactory response.
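The ISP reply quoted above accepts logs only as plain ASCII in the body of the message, with no attachments. One way to assemble a report in that form is sketched below as an added example, not code from the original post. The log lines, IP addresses and mailbox names are constructed, the Dovecot/PAM line format is an assumption about how the server logs, and `lines_for_ip` and `build_abuse_report` are hypothetical helper names.

```python
import ipaddress
import re
from email.message import EmailMessage

# Constructed sample lines in Dovecot/PAM syslog style; addresses are RFC 5737 documentation IPs.
SAMPLE_LOG = [
    "Mar 23 13:21:38 mail dovecot: auth-worker(4121): pam(info,203.0.113.45): pam_authenticate() failed: Authentication failure",
    "Mar 23 13:21:40 mail dovecot: auth-worker(4121): pam(jos\u00e9,203.0.113.45): unknown user",
    "Mar 23 13:21:41 mail dovecot: auth-worker(4122): pam(admin,203.0.113.4): unknown user",
    "Mar 23 13:21:42 mail dovecot: auth-worker(4121): pam(sales,203.0.113.45): pam_authenticate() failed: Authentication failure",
]

def lines_for_ip(ip, log_lines):
    """Return the log lines that mention exactly `ip` (IPv4), forced to 7-bit ASCII."""
    ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on anything that is not an IPv4 address
    # Boundaries stop 203.0.113.4 from matching inside 203.0.113.45.
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)")
    hits = []
    for line in log_lines:
        if pattern.search(line):
            # Usernames come from the remote client and may be non-ASCII: escape, do not drop.
            safe = line.rstrip("\r\n").encode("ascii", "backslashreplace").decode("ascii")
            hits.append(safe[:900])  # stay under the 998-character SMTP line limit
    return hits

def build_abuse_report(ip, log_lines, sender, abuse_to, tz="-0700"):
    """Build a single-part text/plain message with the matching log lines inline."""
    hits = lines_for_ip(ip, log_lines)
    if not hits:
        raise ValueError("no log lines for " + ip)
    body = "\n".join([
        "Repeated failed mail logins from " + ip + ".",
        "Log timestamps are UTC" + tz + ". Matching lines (" + str(len(hits)) + "):",
        "",
        *hits,
    ]) + "\n"
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, abuse_to
    msg["Subject"] = "Abuse report: failed logins from " + ip
    # One text/plain part with explicit 7bit: no attachment, no base64 or quoted-printable.
    msg.set_content(body, charset="us-ascii", cte="7bit")
    return msg

if __name__ == "__main__":
    print(build_abuse_report("203.0.113.45", SAMPLE_LOG,
                             "postmaster@example.org", "abuse@example.net"))
```

Setting `cte="7bit"` explicitly matters here: log lines are usually longer than 78 characters, and without it Python's `email` package would switch the body to quoted-printable or base64.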