Persistent connects and disconnects

baldur2630 · 12-04-2013, 04:49 AM

Can anyone offer any explanation as to why my mail server is being bombarded 24 x 7 by ebay.com?

We don't have an account with eBay.com (USA) we have an account with eBay UK. We don't buy from the USA because of the import duty and VAT.

For weeks now, I've been bombarded by ebay using lots of different IP Addresses. They don't send any mail, they just connect and then disconnect. My logs show me the connects and disconnects but not what they are trying to do. I'm surmising, that they are trying to guess the admin / root password for the server.

I block these IP Addresses on my Firewall, but like the Hydra, if I block one, 2 more spring up!

Here's an example from a single day - I block the IP Addresses and the next day, I get even more!

Code:

01:25:35 36E DMN: MSG 296 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
01:25:35 36E DMN: MSG 296 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
01:56:12 36E DMN: MSG 299 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
01:56:12 36E DMN: MSG 299 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
02:00:00 25C ****** 11-27-13 02:00:00 ******
02:14:09 36E DMN: MSG 300 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
02:14:09 36E DMN: MSG 300 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
03:10:52 36E DMN: MSG 305 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
03:10:52 36E DMN: MSG 305 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
03:11:47 366 DMN: MSG 306 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
03:11:47 366 DMN: MSG 306 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
03:51:15 366 DMN: MSG 307 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
03:51:15 366 DMN: MSG 307 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
04:00:00 25C ****** 11-27-13 04:00:00 ******
04:10:02 366 DMN: MSG 308 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
04:10:02 366 DMN: MSG 308 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
04:27:11 366 DMN: MSG 309 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
04:27:11 366 DMN: MSG 309 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
04:34:30 366 DMN: MSG 310 Accepted connection: [66.211.185.187] (mxphxpool1084.ebay.com)
04:34:30 366 DMN: MSG 310 SMTP session ended: [66.211.185.187] (mxphxpool1084.ebay.com)
05:12:19 366 DMN: MSG 312 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
05:12:19 366 DMN: MSG 312 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
05:17:01 366 DMN: MSG 313 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
05:17:01 366 DMN: MSG 313 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
05:29:22 366 DMN: MSG 317 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
05:29:22 366 DMN: MSG 317 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
05:36:17 366 DMN: MSG 318 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
05:36:17 366 DMN: MSG 318 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
06:00:00 25C ****** 11-27-13 06:00:00 ******
06:11:10 366 DMN: MSG 319 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
06:11:10 366 DMN: MSG 319 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
07:00:00 25C ****** 11-27-13 07:00:00 ******
07:06:29 366 DMN: MSG 320 Accepted connection: [66.211.185.187] (mxphxpool1084.ebay.com)
07:06:29 366 DMN: MSG 320 SMTP session ended: [66.211.185.187] (mxphxpool1084.ebay.com)
07:09:19 366 DMN: MSG 321 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
07:09:19 366 DMN: MSG 321 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
07:29:55 366 DMN: MSG 324 Accepted connection: [66.211.185.187] (mxphxpool1084.ebay.com)
07:29:55 366 DMN: MSG 324 SMTP session ended: [66.211.185.187] (mxphxpool1084.ebay.com)
07:32:11 366 DMN: MSG 325 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
07:32:11 366 DMN: MSG 325 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
08:08:10 366 DMN: MSG 331 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
08:08:10 366 DMN: MSG 331 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
08:43:07 366 DMN: MSG 334 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
08:43:07 366 DMN: MSG 334 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
08:51:47 366 DMN: MSG 335 Accepted connection: [66.211.185.187] (mxphxpool1084.ebay.com)
08:51:47 366 DMN: MSG 335 SMTP session ended: [66.211.185.187] (mxphxpool1084.ebay.com)
09:00:00 25C ****** 11-27-13 09:00:00 ******
09:33:04 366 DMN: MSG 336 Accepted connection: [66.211.185.187] (mxphxpool1084.ebay.com)
09:33:04 366 DMN: MSG 336 SMTP session ended: [66.211.185.187] (mxphxpool1084.ebay.com)
10:00:00 25C ****** 11-27-13 10:00:00 ******
10:03:14 366 DMN: MSG 337 Accepted connection: [66.211.185.187] (mxphxpool1084.ebay.com)
10:03:14 366 DMN: MSG 337 SMTP session ended: [66.211.185.187] (mxphxpool1084.ebay.com)
10:08:32 366 DMN: MSG 338 Accepted connection: [66.211.184.70] (mxphxpool1004.ebay.com)
10:08:32 366 DMN: MSG 338 SMTP session ended: [66.211.184.70] (mxphxpool1004.ebay.com)
10:09:33 36E DMN: MSG 339 Accepted connection: [66.211.185.175] (mxphxpool1072.ebay.com)
10:09:33 36E DMN: MSG 339 SMTP session ended: [66.211.185.175] (mxphxpool1072.ebay.com)
10:18:06 36E DMN: MSG 342 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
10:18:06 36E DMN: MSG 342 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
11:17:43 366 DMN: MSG 352 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
11:17:43 366 DMN: MSG 352 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
11:45:01 366 DMN: MSG 355 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
11:45:01 366 DMN: MSG 355 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
12:11:45 366 DMN: MSG 359 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
12:11:45 366 DMN: MSG 359 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
12:13:01 366 DMN: MSG 360 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
12:13:01 366 DMN: MSG 360 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
12:14:28 366 DMN: MSG 361 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
12:14:28 366 DMN: MSG 361 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
12:40:44 366 DMN: MSG 362 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
12:40:44 366 DMN: MSG 362 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
12:43:01 366 DMN: MSG 363 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
12:43:01 366 DMN: MSG 363 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
13:08:17 366 DMN: MSG 368 Accepted connection: [66.135.215.99] (mxslcpool33.ebay.com)
13:08:17 366 DMN: MSG 368 SMTP session ended: [66.135.215.99] (mxslcpool33.ebay.com)
13:17:42 366 DMN: MSG 372 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
13:17:42 366 DMN: MSG 372 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
13:25:55 366 DMN: MSG 373 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
13:25:55 366 DMN: MSG 373 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
13:39:47 366 DMN: MSG 374 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
13:39:47 366 DMN: MSG 374 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)
14:09:46 366 DMN: MSG 377 Accepted connection: [66.211.185.135] (mxphxpool1032.ebay.com)
14:09:46 366 DMN: MSG 377 SMTP session ended: [66.211.185.135] (mxphxpool1032.ebay.com)
14:34:29 366 DMN: MSG 380 Accepted connection: [66.211.185.173] (mxphxpool1070.ebay.com)
14:34:29 366 DMN: MSG 380 SMTP session ended: [66.211.185.173] (mxphxpool1070.ebay.com)

I complained to eBay UK, but they were VERY unhelpful and basically told me to bog off. I complained to eBay USA, but got no reply and the number of attempts shot up yet again!

Any ideas / comments / suggestions? Anyone else got this unacceptable behavior wasting their bandwidth?

berndbausch · 12-04-2013, 05:54 AM

SMTP = email. Have you checked /var/log/maillog?

baldur2630 · 12-04-2013, 06:28 AM

Actually this is a GroupWise Server, so I don't have a /var/log/maillog.

Noway2 · 12-04-2013, 01:47 PM

As a stop gap measure, you might try blocking the entire range of Ebay mail servers. This older thread has a lengthy discussion of how to obtain the information, which amounts to two steps: 1) find the ASN which you can do with one of the IP addresses, 2) get the range of addresses associated with the ASN.

The short answer to do this can be found here (I used the cidr-report site and changed to the ASN associated with those mail servers). You should be able to block all of the hydra heads with 11 ranges (see below). I would start with the 66.135 and 66.211 ranges as these seem to be what is causing your problem and see if it migrates from there.

Code:

  64.68.78.0/23   
  66.135.192.0/19 
  66.211.160.0/19 
  216.32.120.0/24 
  216.33.244.0/22 
  216.33.252.0/23 
  216.113.160.0/20
  216.113.170.0/24
  216.113.172.0/23
  216.113.175.0/24
  216.113.176.0/20

If I were to venture a guess, and it is purely a wild guess, it would be that someone has managed to post a script embedded into an ebay item that is a form of spam generator and it is looking for mail servers to exploit. If you are able to get anyone at Ebay to acknowledge you, it may be helpful if you could provide additional log information or even a packet or header capture from this traffic.

baldur2630 · 12-04-2013, 02:34 PM

I'll try that. I get sick to my stomach at the number of hackers, spy-bots and spammers that exist out there.