[117093] in North American Network Operators' Group
POP3 DoS attacks and mailanyone.net?
daemon@ATHENA.MIT.EDU (up@3.am)
Tue Sep 1 15:29:23 2009
Date: Tue, 1 Sep 2009 15:28:35 -0400 (EDT)
From: up@3.am
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
For the first time since I can remember, my POP3 server was effectively
shut down by too many simultaneous connections today. The first fix I
tried was to raise the number of connections from the default 40 to 100,
but the problem soon returned.
I finally ipfw'd off the offending IP (98.190.204.2 for anyone
interested), then went to look for other possible offenders in the log. I
noticed several thousand connections today to a few dozen former users
from 4 IPs from 208.70.128.0/21. One of the users was actually
legitimate.
These IPs belong to mailanyone.net. The tech contact in their ARIN record
is listed as:
OrgTechHandle: BHE57-ARIN
OrgTechName: Heitman, Bryan
OrgTechPhone: +1-816-587-4700
OrgTechEmail: hostmaster@mailanyone.net
However, that phone number goes to a UPS store that has no idea what I'm
talking about. I then dialed their suppseod NOC number:
Comment: FuseMail, LLC Network Operations Center contact
Comment: 877.888.3873 x3
I am on hold with that number right now with some very loud and annoying
music.
Can anyone offer any insight as to these people and how/who to deal with
there?
Would a provider be amiss to just block their entire /21?
TIA,
James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
=========================================================================
