22.214.171.124/32 (root IP: 126.96.36.199) (PTR: 565.hil.abcvg.ovh.) was added to the blackholes.tepucom.nl RBLDNS for the following reason:
«Caught scanning for web/mail exploits / compromised hosts»
BEWARE: AUTOMATIC DELISTING POLICY — DO NOT REQUEST DELISTING
The blackholes.tepucom.nl RBLDNS has an automated removal policy. The MINIMUM amount of days that 188.8.131.52 will be blacklisted depends on the amount of times 184.108.40.206 was blacklisted by us before. The current blacklist status for 220.127.116.11 is:
[ strike 1: 1 day minimum ]
The countdown to automatic delisting starts at the timestamp of this notification. Listings will ONLY be removed after the minimum blacklisting period (see ‘strike’) has lapsed. Delistings will be retried once every day.
A direct reply to this e-mail will not reach us. If you need to get in touch with us, the only point of contact is <firstname.lastname@example.org>. Requests for manual delisting (or exemption) must be properly motivated and must contain a structural solution to be actionable.
The current automatic delisting periods for single IP addresses (/32) are:
* strike 1: after a minimum of 1 day
* strike 2: after a minimum of 3 days
* strike 3: after a minimum of 7 days
* strike 4: after a minimum of 30 days
* strike 5: after a minimum of 90 days
* strike > 5: after a minimum of 365 days
Expanded listings (listings greater than a single IP address (/29, /26, /24, etc.)) are always listed for a minimum of 365 days.
Why did *YOU* get this e-mail?
We like to operate in a transparent and predictable fashion and think you should be made aware of abuse emanating from your IP space; so we will inform you about blacklisting. Your e-mail address <email@example.com> was retrieved (best-guessed) automatically from public WHOIS data and other IP/domain-related information. If <firstname.lastname@example.org> is not the correct e-mail address to report spam and security issues inside your network(s), please send us the correct address and the associated IP ranges (or AS) at email@example.com (do not reply to this e-mail!) and we will adjust it accordingly. Please do not ask us to use a web form!
Check http://multirbl.valli.org/dnsbl-lookup/18.104.22.168.html, https://blocklist.info?22.214.171.124, and https://www.abuseipdb.com/check/126.96.36.199 for possible other issues with 188.8.131.52/32.
If there is any spam evidence related to this listing, a separate notification will be mailed to you.
Note that we also blacklist (and expand blacklistings) based on mail flow analysis and DNS/BGP/AS/RIR/LIR data without actual spam samples on file. When we block/blacklist spam ‘a priori’ (based on e.g. external blacklistings, blocked words, phrases, or untrusted top-level domains in any part of the initial SMTP transaction, in other words: before actually accepting the email), no spam samples may be on file.
Warning: the continued presence of either an ‘SBL’ or an ‘XBL’ listing at https://www.spamhaus.org/query/ip/184.108.40.206 will lead to automatic (re)listing when 220.127.116.11 contacts any of our servers, and it will prevent automatic delisting from the blackholes.tepucom.nl RBLDNS. Make sure to delist when your problem is solved.
Is 18.104.22.168/32 listed in the Spamhaus CSS / Spamhaus SBL? No.
Is 22.214.171.124/32 listed in the Spamhaus XBL / Abuseat CBL? No.
Below is an overview of recently recorded abusive activity from 126.96.36.199/32 (time zone: CEST)
Fields: IP / Contacted host / Local time / Log line (see notes below)
188.8.131.52 hail.bengrimm.net 20200929/04:49:39 04:49:29.312524 rule 7/0(match): block in on em1: 184.108.40.206.45147 > 220.127.116.11.23: Flags [S], seq 1601432699, win 0, options [mss 1460], length 0
* Any line containing a ‘GET’ or a ‘POST’ request refers to an attempt to access, exploit, or test for, a vulnerability or an attack vector on a webserver. The most prevalent attempts are ‘wp-login’ and ‘wp-admin’, and Joomla/Drupal equivalents. We host zero WordPress/Joomla/Drupal installations. This is usually a sign of a computer that is itself infected with a trojan or other malware, and is looking to infect other machines.
* Any line containing the word ‘OK’, including a preceding port number (e.g. ‘:25’, ‘:465’, ‘:587’), generally refers to either a failed SMTP authentication attempt or an attempt to push e-mail before the receiving server has given permission to do so.
* If the line contains ‘OK’, but a different port is listed (e.g. ‘:22’), it concerns an unauthorized and unwanted connection attempt to that port.
* Any line containing the word ‘fail2ban.actions’ refers to either a failed SMTP/POP3/IMAP/FTP authentication attempt, or an unauthorized connection attempt; the exact type of connection can usually be derived from the associated keywords, e.g. courierimap (POP3/IMAP), pfix (SMTP), proftpd (FTP), etc.
* We will not help you solve your problem. Please talk to a professional systems administrator, and/or scan your system using up-to-date antivirus software, and/or talk to your ISP or hoster.
Current blackholes.tepucom.nl listings in 18.104.22.168/32:
22.214.171.124/32 Caught scanning for web/mail exploits / compromised hosts [strike 1: 1 day minimum] @@1601347754
Tepucom Abuse Dept. <firstname.lastname@example.org>
blackholes.tepucom.nl / DNSRBL since 1997
(formerly known as blackholes.wirehub.net
Policy Enforcement Specialist