Patrick's Rants



4/6/2016

Hello Roadrunner, goodbye

Filed under: Geek News and Stuff — site admin @ 7:36 am

On my server I run Fail2ban to try to catch spammers, bots and other types of annoyances that those who run servers see every day. Recently I sent a couple of emails showing banned hosts from my server. These are typical reports from Fail2ban showing how and from where a particular attempt (usually a login) has failed. It was – and always is – my intent to get the ISP to check into the address of the user to figure out what is happening on their network.

And so:

The IP 24.97.75.66 has made multiple attempts to authorize against my
mail server. It is in danger of being permanently blocked.

From: Fail2Ban [redacted]
To: [redacted]
Subject: [Fail2Ban] Dovecot-Auth: banned 24.97.75.66 from rwcinc.net
Date: Wed, 23 Mar 2016 13:21:42 -0700

Hi,

The IP 24.97.75.66 has just been banned by Fail2Ban after
3 attempts against Dovecot-Auth.

I attached around 5 emails that showed the same IP being blocked after 5 attempts each, so there is something happening at that address.

I got a response a few days later. I can’t tell if they did anything about it or are just telling me that they don’t bother to read attached, forwarded emails.

Hello,

If you are reporting an e-mail related incident, and you check your email via our webmail service,
you can select all of the spam in your inbox and click on the “Report spam” button, this will send
your spam with all needed information to spamblock@postmaster.rr.com so they can improve our spam
filters.

Bla bla bla….

Road Runner will not accept logs that are not in plain text (ascii) format. Do not attach files to
your e-mail. All logs must be included in the body of the message.

So this is the part I’m not sure about. I guess I can check to see if I continue to get Fail2ban reports on the offensive IP and proceed to block the entire netblock because some admin doesn’t want to read an attachment…

[update 4/6/16]
Yes, there is another set of login attempts requiring the following email:

This is my second report to you. My first included copies of six such
automated and temporary bans. I am unsure if any action was taken by
RR/Time Warner as there was no clear indication that you did actually
review and take action to prevent this connection’s unauthorized access
attempt.

Please let me know that you have taken steps to correct the
unauthorized access attempts from your network.

We’ll see if there is any more satisfactory response.
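
The reply quoted above asks for logs as plain ASCII text in the message body rather than as attachments. As an added example (not from the original post), this Python script reads Fail2Ban notifications in the layout quoted above and builds one text/plain, 7-bit message with every ban for an IP inline. Apart from the first notification quoted in the post, the sample mails, the example.org/example.net addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

BAN_RE = re.compile(r"The IP (\S+) has just been banned by Fail2Ban after\s+"
                    r"(\d+) attempts against ([\w-]+)")

def _mail(date, ip, jail="Dovecot-Auth", n=3):
    # Constructed sample data in the layout of the notification quoted above.
    return (f"Subject: [Fail2Ban] {jail}: banned {ip} from rwcinc.net\n"
            f"Date: {date}\n\nHi,\n\nThe IP {ip} has just been banned by "
            f"Fail2Ban after\n{n} attempts against {jail}.\n")

SAMPLES = [
    _mail("Wed, 23 Mar 2016 15:02:10 -0700", "24.97.75.66"),   # constructed
    _mail("Wed, 23 Mar 2016 13:21:42 -0700", "24.97.75.66"),   # from the post
    _mail("Wed, 23 Mar 2016 14:00:00 -0700", "192.0.2.10"),    # other host
    "Subject: unrelated\n\nNot a ban notice.\n",               # must be skipped
]

def parse_notification(raw):
    """Return ban details from one notification, or None if it is not one."""
    msg = message_from_string(raw, policy=policy.default)
    m = BAN_RE.search(msg.get_content())
    if m is None or msg["Date"] is None:
        return None
    return {"ip": m[1], "attempts": int(m[2]), "jail": m[3],
            "when": msg["Date"].datetime, "body": msg.get_content().strip()}

def build_report(raws, ip, sender, abuse_addr):
    """One text/plain, 7-bit ASCII message with every ban for `ip` inline."""
    bans = sorted((b for b in map(parse_notification, raws)
                   if b and b["ip"] == ip), key=lambda b: b["when"])
    lines = [f"{len(bans)} Fail2Ban bans for {ip}; notifications inline.", ""]
    for b in bans:
        lines += [f"--- {b['when'].isoformat()} {b['jail']} "
                  f"({b['attempts']} attempts) ---", b["body"], ""]
    # Replace anything outside ASCII so the body stays plain 7-bit text.
    text = "\n".join(lines).encode("ascii", "replace").decode("ascii")
    report = EmailMessage()
    report["From"], report["To"] = sender, abuse_addr
    report["Subject"] = f"Repeated failed logins from {ip}"
    report.set_content(text, charset="us-ascii", cte="7bit")
    return report

if __name__ == "__main__":
    print(build_report(SAMPLES, "24.97.75.66",
                       "admin@example.org", "abuse@example.net"))
```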
