[gull] Auto-discard notification
felix
felix at f-hauri.ch
Wed Nov 11 10:43:28 CET 2020
Hello,
As this mail is long, please do NOT quote it in full in your replies!
FYI, for the past two days, I have started receiving new registrations
to the gull... from a certain James Smith...
On Wed, Nov 11, 2020 at 08:21:07AM +0100, gull-bounces at forum.linux-gull.ch wrote:
> The attached message has been automatically discarded.
...
> To: gull at government.linux-gull.ch
> Subject: Undelivered Mail Returned to Sender
> ... said: 550 Sender email address rejected (in reply to RCPT TO command)
...
> Date: Wed, 11 Nov 2020 08:21:00 +0100 (CET)
> From: GULL Webmaster <webmaster at linux-gull.ch>
> Subject: GULL registration
>
> Hello,
>
> We have duly recorded your registration request for the Gull...
>
> First name: James
> Last name: Smith
> Company: mbirgucrje
> Address: Muchas gracias. ?Como puedo iniciar sesion?
> City: 90002 Los Angeles
>
So I have ``provisionally'' redirected https://www.linux-gull.ch/cgi-bin/admin.pl
(A quick job, pending an official resurrection of the gull, or something else...;)
There you go...
For the more curious, here are the IPs of the 47 requests I find in the logs
since yesterday... (sorted by whois queries)
Hint: 47, request: 32
I have only one POST request per IP. The attacker seems to be going through TOR.
So here are the 46 time intervals between the POST requests (in seconds) and
the interval between the GET and the POST (very short)
10/11 07:38:45 2195 1 10/11 09:12:34 5628 1 10/11 16:38:20 26745 1
10/11 20:36:10 14269 2 10/11 20:57:22 1270 1 10/11 21:07:33 610 2
10/11 21:36:59 1764 1 10/11 21:50:25 805 1 10/11 22:02:33 727 2
10/11 22:12:08 573 2 10/11 22:13:17 67 2 10/11 22:49:03 2144 2
10/11 22:58:10 545 1 10/11 23:37:22 2351 1 10/11 23:51:17 834 3
10/11 23:53:53 153 1 10/11 23:54:40 46 2 11/11 00:01:00 378 1
11/11 00:19:24 1103 1 11/11 00:34:54 929 1 11/11 00:53:52 1137 1
11/11 02:06:05 4332 3 11/11 02:25:36 1168 1 11/11 02:32:45 428 0
11/11 02:40:26 461 2 11/11 02:42:50 142 1 11/11 02:56:47 836 2
11/11 03:34:25 2256 3 11/11 03:34:50 22 1 11/11 03:45:46 655 3
11/11 04:00:01 852 2 11/11 04:03:42 219 1 11/11 04:19:34 951 2
11/11 04:25:09 333 1 11/11 04:25:59 49 1 11/11 05:28:06 3726 2
11/11 05:39:45 697 2 11/11 05:42:19 152 1 11/11 06:17:53 2133 3
11/11 06:25:52 476 2 11/11 06:34:02 488 9 11/11 06:44:19 608 4
11/11 07:05:17 1254 1 11/11 07:42:34 2236 1 11/11 08:04:38 1323 2
11/11 08:20:58 978 1
This looks like a manual job...
--
Félix Hauri - <felix at f-hauri.ch> - http://www.f-hauri.ch
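
The measurements described in the message above (POST requests per IP, seconds between successive POSTs, and the delay between an IP's GET of the form and its POST) can be reproduced from a web server access log. This is an added example, not part of the original post: the form path `/cgi-bin/inscription.pl`, the log format and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

FORM_PATH = "/cgi-bin/inscription.pl"  # hypothetical path, not from the post

# Constructed sample lines in Apache common log format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2020:22:12:06 +0100] "GET /cgi-bin/inscription.pl HTTP/1.1" 200 2311
192.0.2.10 - - [10/Nov/2020:22:12:08 +0100] "POST /cgi-bin/inscription.pl HTTP/1.1" 200 512
198.51.100.7 - - [10/Nov/2020:22:13:15 +0100] "GET /cgi-bin/inscription.pl HTTP/1.1" 200 2311
198.51.100.7 - - [10/Nov/2020:22:13:17 +0100] "POST /cgi-bin/inscription.pl HTTP/1.1" 200 512
203.0.113.99 - - [10/Nov/2020:22:30:00 +0100] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [10/Nov/2020:22:49:01 +0100] "GET /cgi-bin/inscription.pl HTTP/1.1" 200 2311
203.0.113.5 - - [10/Nov/2020:22:49:03 +0100] "POST /cgi-bin/inscription.pl HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*"')

def analyse(log_text, path=FORM_PATH):
    """Return (rows, posts_per_ip); each row is
    (ip, POST time, seconds since previous POST or None,
     seconds since that IP's last GET of the form or None)."""
    last_get = {}            # ip -> time of its most recent GET of the form
    prev_post = None         # time of the previous POST from any IP
    rows, posts_per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4).split("?")[0] != path:
            continue         # unparsable line or a different URL
        ip, stamp, method = m.group(1), m.group(2), m.group(3)
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET":
            last_get[ip] = when
            continue
        gap = int((when - prev_post).total_seconds()) if prev_post else None
        seen = last_get.get(ip)
        fill = int((when - seen).total_seconds()) if seen else None
        rows.append((ip, when, gap, fill))
        posts_per_ip[ip] += 1
        prev_post = when
    return rows, posts_per_ip

if __name__ == "__main__":
    rows, per_ip = analyse(SAMPLE_LOG)
    for ip, when, gap, fill in rows:
        print(when.strftime("%d/%m %H:%M:%S"), gap, fill, ip)
    print("max POSTs per IP:", max(per_ip.values()))
```

A GET-to-POST delay of a second or two says the form was not filled in by hand, while the spacing between POSTs and the one-POST-per-IP count are separate signals about how the submissions are launched and routed.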