POP3 DoS attacks and mailanyone.net?

up at 3.am up at 3.am
Tue Sep 1 19:28:35 UTC 2009


For the first time since I can remember, my POP3 server was effectively 
shut down by too many simultaneous connections today.  The first fix I 
tried was to raise the number of connections from the default 40 to 100, 
but the problem soon returned.

I finally ipfw'd off the offending IP (98.190.204.2 for anyone 
interested), then went to look for other possible offenders in the log.  I 
noticed several thousand connections today to a few dozen former users 
from 4 IPs from 208.70.128.0/21.  One of the users was actually 
legitimate.

These IPs belong to mailanyone.net.  The tech contact in their ARIN record 
is listed as:

OrgTechHandle: BHE57-ARIN
OrgTechName:   Heitman, Bryan
OrgTechPhone:  +1-816-587-4700
OrgTechEmail:  hostmaster at mailanyone.net

However, that phone number goes to a UPS store that has no idea what I'm 
talking about.  I then dialed their suppseod NOC number:

Comment:    FuseMail, LLC Network Operations Center contact
Comment:    877.888.3873 x3

I am on hold with that number right now with some very loud and annoying 
music.

Can anyone offer any insight as to these people and how/who to deal with 
there?

Would a provider be amiss to just block their entire /21?

TIA,

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================




More information about the NANOG mailing list