spamassassin-sysadmins mailing list archives

From "Kevin A. McGrail" <kevin.mcgr...@mcgrail.com>
Subject Re: Mailserver at 52.169.9.191
Date Tue, 07 Nov 2017 13:11:11 GMT
+sysadmins@s.a.o
-Microsoft

Hi Matthias,

It's the only time I have ever seen it abused to be honest. I added the 
Azure abuse team so it should get resolved and they responded that they 
are escalating it to their CERT team. Plus I am curious what the hell is 
going on so I'll ask them to follow up.

How did you figure out it was the brain dev company Btw? I didn't see 
the connection.  Also, I think they had a webmail interface up at 
52.169.9.191 and it appears to be offline now. Guessing the abuse team 
cut the machine off.

I did an outright drop on the IP.  I just removed it and appear to no 
longer have the 3 second monster.  Thanks for noticing it.

One thing that would be cool is a heat-map/aggregation of the sa-update 
data which might also find issues like this but also show useful 
information like where our sa-update mirrors are getting used most, 
identify the actual aggregated load, etc.  Thoughts?

Regards,
KAM

On November 6, 2017 10:51:10 PM PST, Matthias Leisi <matthias@dnswl.org> 
wrote:

    Btw., I 403’d this IP in my local config.

    Maybe we could distribute a .htaccess file with the update files as
    a workaround for such issues?

    — Matthias

    <https://www.dnswl.org/>
    Matthias Leisi, Project Leader dnswl.org <https://www.dnswl.org/>
    Mail reputation – Protect against false positives

    matthias@dnswl.org <mailto:matthias@dnswl.org> | Twitter: @dnswlorg
    <https://twitter.com/dnswlorg>


>     On 07.11.2017 at 04:35, Kevin A. McGrail
>     <kevin.mcgrail@mcgrail.com <mailto:kevin.mcgrail@mcgrail.com>> wrote:
>
>     +Microsoft Abuse:
>
>     After further research the machine at 52.169.9.191 is causing
>     2/3 of our SpamAssassin Update server traffic for the last
>     month.  Please rectify this immediately.
>
>     Regards
>     KAM
>
>     On 11/5/2017 3:30 PM, Matthias Leisi wrote:
>>     Hello,
>>
>>     We run one of the mirrors used by sa-update. From our logs, we
>>     see that the IP address 52.169.9.191 (which seems to be
>>     mail.brainloopdevops.com <http://mail.brainloopdevops.com/>, and
>>     for which whois shows your email address) runs sa-update about
>>     once every three seconds. Generally, once a day is the suggested
>>     update frequency (https://wiki.apache.org/spamassassin/RuleUpdates).
>>
>>     Please change the update frequency to an acceptable level.
>>
>>     Regards,
>>     — Matthias, for the dnswl.org <http://dnswl.org/> project
>>
>>
>>
>>     <https://www.dnswl.org/>
>>     Matthias Leisi, Project Leader dnswl.org <https://www.dnswl.org/>
>>     Mail reputation – Protect against false positives
>>
>>     matthias@dnswl.org <mailto:matthias@dnswl.org> | Twitter:
>>     @dnswlorg <https://twitter.com/dnswlorg>
>>
>>
>
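
The per-client aggregation of mirror logs suggested in the thread above could look like the following. This is an added example, not part of the original messages and not SpamAssassin or dnswl.org tooling. It assumes the mirror writes Apache common/combined access logs; the function names, thresholds, request path, user agent and sample lines (documentation IP ranges) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache common/combined log prefix: client, identity, user, [timestamp], "request"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def aggregate(lines):
    """Return {client_ip: sorted list of request datetimes}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines and other request methods
        hits[m.group(1)].append(datetime.strptime(m.group(2), TS_FORMAT))
    return {ip: sorted(ts) for ip, ts in hits.items()}

def report(lines, min_interval_s=3600, min_hits=5):
    """Per-client hit count, share of traffic and median gap; flag heavy pollers."""
    hits = aggregate(lines)
    total = sum(len(ts) for ts in hits.values())
    rows = []
    for ip, ts in hits.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps) if gaps else None
        # Assumed policy: many requests AND a typical gap far below once a day.
        flagged = len(ts) >= min_hits and med is not None and med < min_interval_s
        rows.append({"ip": ip, "hits": len(ts), "share": len(ts) / total,
                     "median_gap_s": med, "flagged": flagged})
    return sorted(rows, key=lambda r: r["hits"], reverse=True)

def sample_log():
    """Constructed sample: one client polling every 3 s, two polling once a day."""
    lines = []
    for i in range(20):  # 192.0.2.10 requests every 3 seconds
        lines.append(f'192.0.2.10 - - [05/Nov/2017:10:00:{i * 3:02d} +0000] '
                     '"GET /example/update.tar.gz HTTP/1.1" 200 512 "-" "example-agent"')
    for day in (4, 5):
        for ip in ("198.51.100.7", "203.0.113.20"):
            lines.append(f'{ip} - - [{day:02d}/Nov/2017:03:15:00 +0000] '
                         '"GET /example/update.tar.gz HTTP/1.1" 200 512 "-" "example-agent"')
    return lines

if __name__ == "__main__":
    for row in report(sample_log()):
        print(row)
```

Run across several mirrors' logs, the same rows give both the abuse signal (a flagged client with a large traffic share) and the per-mirror load picture.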

