What's with all the "l*.it" connections?

koocr
Hi

Kinda OT - as long as I didn't screw something up!

I'm just about ready to pull the trigger on moving our old Communigate mail system to a new, self-installed Postfix system.

It's been running in test for just a couple of users for a few weeks now and looks really good!

I got postscreen set up out in front.  It's been doing its thing.   LOTS of bad connections rejected.

I'm curious about one group though.  I see LOTS of these PREGREET rejections,

postfix/postscreen[19344]: PREGREET 18 after 2.8 from [162.247.47.3]:50251: EHLO luckybet.it\r\n
postfix/postscreen[19344]: PREGREET 18 after 1.1 from [81.161.61.88]:34465: EHLO loveless.it\r\n
postfix/postscreen[19736]: PREGREET 24 after 1.8 from [91.112.99.78]:35052: EHLO livingbusiness.it\r\n
postfix/postscreen[18737]: PREGREET 19 after 1.5 from [114.134.186.242]:46697: EHLO luxexcess.it\r\n
postfix/postscreen[8723]: PREGREET 19 after 1.9 from [27.72.61.48]:52475: EHLO lrmmotors.it\r\n
postfix/postscreen[11663]: PREGREET 24 after 0.29 from [185.14.148.75]:32772: EHLO livingbusiness.it\r\n
postfix/postscreen[1006]: PREGREET 24 after 0.62 from [85.206.108.197]:42895: EHLO lucanatractors.it\r\n
postfix/postscreen[46632]: PREGREET 18 after 0.47 from [216.183.32.98]:35106: EHLO logoplus.it\r\n
postfix/postscreen[58868]: PREGREET 18 after 0.74 from [202.44.209.103]:59547: EHLO lsgenius.it\r\n
postfix/postscreen[4256]: PREGREET 14 after 0.25 from [109.167.126.232]:38735: EHLO lius.it\r\n
postfix/postscreen[48352]: PREGREET 22 after 0.49 from [163.53.196.62]:57559: EHLO lprockevents.it\r\n
postfix/postscreen[60214]: PREGREET 22 after 0.25 from [77.77.208.166]:49135: EHLO lprockevents.it\r\n
postfix/postscreen[49004]: PREGREET 21 after 0.64 from [111.223.75.181]:6372: EHLO litoexpress.it\r\n
postfix/postscreen[14811]: PREGREET 18 after 2.8 from [202.52.114.67]:60524: EHLO lovechat.it\r\n
postfix/postscreen[60742]: PREGREET 18 after 0.84 from [118.70.196.124]:46965: EHLO lumpress.it\r\n
postfix/postscreen[42958]: PREGREET 14 after 0.51 from [196.3.99.146]:60306: EHLO loss.it\r\n
postfix/postscreen[37825]: PREGREET 20 after 0.79 from [106.242.20.219]:41046: EHLO liscalinet.it\r\n
postfix/postscreen[17720]: PREGREET 18 after 1.4 from [116.90.237.106]:60570: EHLO loudness.it\r\n
postfix/postscreen[6898]: PREGREET 17 after 1.9 from [195.206.4.16]:46177: EHLO litosat.it\r\n
postfix/postscreen[1089]: PREGREET 26 after 0.49 from [154.117.183.182]:46857: EHLO littleitalytours.it\r\n
postfix/postscreen[6775]: PREGREET 15 after 0.83 from [106.242.20.219]:36543: EHLO logus.it\r\n
postfix/postscreen[10609]: PREGREET 18 after 0.57 from [213.172.158.83]:37427: EHLO loudness.it\r\n
postfix/postscreen[18542]: PREGREET 25 after 0.6 from [103.30.115.162]:46627: EHLO lookandwellness.it\r\n
postfix/postscreen[13215]: PREGREET 18 after 0.45 from [204.186.238.70]:47806: EHLO lpmotors.it\r\n
postfix/postscreen[20772]: PREGREET 22 after 1.1 from [186.74.221.210]:56709: EHLO lithoexpress.it\r\n
postfix/postscreen[2378]: PREGREET 22 after 0.54 from [103.119.154.158]:55439: EHLO lunisiananet.it\r\n
postfix/postscreen[61999]: PREGREET 19 after 0.6 from [213.172.158.83]:46265: EHLO lomopress.it\r\n
postfix/postscreen[32872]: PREGREET 20 after 0.59 from [123.213.70.176]:58648: EHLO lithosplus.it\r\n
postfix/postscreen[65109]: PREGREET 20 after 0.26 from [185.14.148.66]:52145: EHLO lmprojects.it\r\n
postfix/postscreen[37657]: PREGREET 13 after 0.63 from [1.53.137.220]:45731: EHLO lts.it\r\n
postfix/postscreen[37657]: PREGREET 19 after 1.3 from [154.73.65.128]:55763: EHLO litopress.it\r\n
postfix/postscreen[31037]: PREGREET 19 after 0.27 from [185.51.92.84]:54902: EHLO lomopress.it\r\n
postfix/postscreen[10368]: PREGREET 18 after 0.72 from [208.117.223.98]:45109: EHLO lipravus.it\r\n
postfix/postscreen[48535]: PREGREET 24 after 2.1 from [41.77.188.81]:41777: EHLO logicalobjects.it\r\n
postfix/postscreen[63028]: PREGREET 21 after 0.37 from [213.155.174.69]:40953: EHLO lolafitness.it\r\n
postfix/postscreen[50201]: PREGREET 22 after 0.83 from [95.80.252.189]:33385: EHLO lmarchitects.it\r\n
postfix/postscreen[44347]: PREGREET 23 after 1.2 from [103.242.14.68]:51783: EHLO logudorotours.it\r\n
postfix/postscreen[21460]: PREGREET 18 after 1.2 from [202.52.248.254]:60991: EHLO lumpress.it\r\n
postfix/postscreen[29840]: PREGREET 19 after 0.44 from [81.161.61.88]:57190: EHLO litopress.it\r\n
postfix/postscreen[60823]: PREGREET 20 after 0.73 from [170.81.35.26]:47534: EHLO livingarts.it\r\n
postfix/postscreen[22293]: PREGREET 14 after 0.69 from [105.27.204.62]:54506: EHLO liss.it\r\n
postfix/postscreen[46148]: PREGREET 19 after 0.19 from [84.22.68.141]:40489: EHLO lunidomus.it\r\n
postfix/postscreen[47645]: PREGREET 24 after 0.27 from [31.45.240.154]:44741: EHLO lombardiplants.it\r\n
postfix/postscreen[16016]: PREGREET 24 after 0.31 from [109.164.113.55]:45769: EHLO livingwellness.it\r\n
postfix/postscreen[33083]: PREGREET 19 after 0.91 from [212.15.184.190]:37294: EHLO luxexcess.it\r\n
postfix/postscreen[15782]: PREGREET 13 after 3.5 from [213.109.235.231]:47086: EHLO lss.it\r\n
postfix/postscreen[17128]: PREGREET 18 after 1.2 from [156.0.229.194]:52543: EHLO logoplus.it\r\n
postfix/postscreen[29913]: PREGREET 19 after 3 from [211.35.67.133]:39552: EHLO logon-net.it\r\n
postfix/postscreen[63550]: PREGREET 18 after 0.26 from [38.124.142.1]:40168: EHLO loudness.it\r\n
postfix/postscreen[6545]: PREGREET 20 after 0.59 from [201.234.81.181]:39312: EHLO lubenglass.it\r\n
postfix/postscreen[6545]: PREGREET 20 after 0.44 from [186.167.49.210]:56644: EHLO lubenglass.it\r\n
postfix/postscreen[18082]: PREGREET 18 after 0.3 from [31.13.15.94]:38932: EHLO loveless.it\r\n
postfix/postscreen[6998]: PREGREET 24 after 0.37 from [62.4.54.158]:57491: EHLO lucanatractors.it\r\n
postfix/postscreen[23906]: PREGREET 16 after 0.59 from [186.72.74.70]:37214: EHLO livius.it\r\n
postfix/postscreen[61872]: PREGREET 23 after 1.8 from [210.246.240.254]:43956: EHLO logik-express.it\r\n
postfix/postscreen[17063]: PREGREET 24 after 0.31 from [81.93.88.31]:60832: EHLO logicalobjects.it\r\n
postfix/postscreen[18593]: PREGREET 22 after 1.8 from [112.222.61.180]:54434: EHLO logosexpress.it\r\n
postfix/postscreen[22656]: PREGREET 28 after 0.58 from [14.232.164.81]:39933: EHLO logisticequipments.it\r\n
postfix/postscreen[40990]: PREGREET 24 after 0.35 from [12.251.81.106]:46764: EHLO logicalobjects.it\r\n
postfix/postscreen[32663]: PREGREET 18 after 0.18 from [130.193.112.146]:51354: EHLO lpmotors.it\r\n
postfix/postscreen[45097]: PREGREET 22 after 0.73 from [112.218.73.138]:39999: EHLO lparchitects.it\r\n
postfix/postscreen[54357]: PREGREET 21 after 1.1 from [196.15.168.146]:51505: EHLO lolafitness.it\r\n
postfix/postscreen[15434]: PREGREET 17 after 0.58 from [196.201.124.62]:44139: EHLO logosys.it\r\n
postfix/postscreen[2145]: PREGREET 18 after 0.36 from [207.144.111.230]:35310: EHLO lpmotors.it\r\n
postfix/postscreen[3530]: PREGREET 20 after 0.33 from [69.55.156.243]:47403: EHLO livingarts.it\r\n
postfix/postscreen[53806]: PREGREET 24 after 0.93 from [123.143.224.42]:39585: EHLO lucanatractors.it\r\n
postfix/postscreen[53806]: PREGREET 17 after 0.68 from [110.235.249.30]:49326: EHLO lukkius.it\r\n
postfix/postscreen[657]: PREGREET 16 after 1.2 from [197.98.180.87]:38205: EHLO loriss.it\r\n
postfix/postscreen[1519]: PREGREET 22 after 1.4 from [69.55.156.243]:51380: EHLO lusettitours.it\r\n
postfix/postscreen[50946]: PREGREET 18 after 0.6 from [1.53.137.84]:39251: EHLO lumpress.it\r\n
postfix/postscreen[15987]: PREGREET 24 after 1 from [195.162.80.177]:58636: EHLO lucanatractors.it\r\n
postfix/postscreen[62461]: PREGREET 23 after 1.1 from [125.138.129.101]:56957: EHLO logudorotours.it\r\n
postfix/postscreen[21315]: PREGREET 25 after 2.7 from [41.77.188.81]:34077: EHLO livignowellness.it\r\n
postfix/postscreen[21315]: PREGREET 22 after 1.2 from [113.180.87.17]:47719: EHLO luckyplanets.it\r\n
postfix/postscreen[61116]: PREGREET 14 after 0.85 from [180.128.0.237]:47470: EHLO liss.it\r\n
postfix/postscreen[2964]: PREGREET 27 after 0.7 from [189.204.195.237]:33529: EHLO luoghicomunionlus.it\r\n
postfix/postscreen[54190]: PREGREET 21 after 0.45 from [193.106.57.37]:44301: EHLO losipallets.it\r\n
postfix/postscreen[3369]: PREGREET 21 after 1.1 from [14.232.160.197]:45808: EHLO luxuryclass.it\r\n
postfix/postscreen[62096]: PREGREET 25 after 0.25 from [83.147.153.226]:48004: EHLO lookandwellness.it\r\n
postfix/postscreen[6981]: PREGREET 23 after 0.85 from [1.53.137.84]:43648: EHLO logudorotours.it\r\n
postfix/postscreen[6827]: PREGREET 22 after 1.2 from [209.95.143.254]:34463: EHLO lithoexpress.it\r\n
postfix/postscreen[6827]: PREGREET 18 after 1.4 from [185.253.74.206]:40829: EHLO loveless.it\r\n
postfix/postscreen[55770]: PREGREET 22 after 1.1 from [63.151.9.74]:34966: EHLO lprockevents.it\r\n
postfix/postscreen[22241]: PREGREET 16 after 1.4 from [109.167.49.27]:37659: EHLO lovess.it\r\n
postfix/postscreen[25142]: PREGREET 20 after 0.83 from [41.79.82.46]:59997: EHLO london-bus.it\r\n
postfix/postscreen[13028]: PREGREET 19 after 0.54 from [66.208.117.227]:38984: EHLO logicanet.it\r\n
postfix/postscreen[19602]: PREGREET 20 after 0.62 from [195.182.22.92]:39172: EHLO longimanus.it\r\n
postfix/postscreen[23308]: PREGREET 30 after 0.79 from [1.212.181.131]:49371: EHLO luissuniversitypress.it\r\n
postfix/postscreen[17919]: PREGREET 16 after 0.36 from [72.252.4.194]:58254: EHLO luvass.it\r\n
postfix/postscreen[7823]: PREGREET 19 after 0.24 from [194.228.84.10]:46210: EHLO luleonlus.it\r\n
postfix/postscreen[15808]: PREGREET 23 after 1.9 from [59.31.90.206]:45659: EHLO livingproject.it\r\n

Notice how ALL of them are EHLO of "l*.it\r\n"?

I'm pretty sure that I don't have to care, and that postscreen is just doing its job blocking these.

But I'm dying of curiosity.

Anybody know what bot etc. is creating these?

I just never heard about any "l*.it" bot.

- K

Re: What's with all the "l*.it" connections?

Bill Cole-3
On 19 Aug 2019, at 18:00, [hidden email] wrote:

> Hi
>
> Kinda OT - as long as I didn't screw something up!
>
> I'm just about ready to pull the trigger on moving our old Communigate
> mail system to a new, self-installed Postfix system.
>
> It's been running in test for just a couple of users for a few weeks
> now and looks really good!
>
> I got postscreen set up out in front.  It's been doing its thing.  
> LOTS of bad connections rejected.
>
> I'm curious about one group though.  I see LOTS of these PREGREET
> rejections,
>
[snip]
>
> Notice how ALL of them are EHLO of "l*.it\r\n"?
>
> I'm pretty sure that I don't have to care, and that postscreen is just
> doing its job blocking these.

Correct.

> But I'm dying of curiosity.
>
> Anybody know what bot etc. is creating these?

StealRat? See https://www.abuseat.org/cmsvuln.html

> I just never heard about any "l*.it" bot.

Look up any of the miscreant IPs at the CBL site to get a long
explanation, e.g. https://www.abuseat.org/lookup.cgi?ip=1.212.181.131

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
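
Added example, not part of the thread and not Postfix code: a small parser for the postscreen PREGREET records discussed above. It checks that the logged byte count matches the greeting text and flags client addresses that announce more than one EHLO name. The function names are illustrative; the sample lines are copied from the first post, except the last one, which is constructed.

```python
import re
from collections import defaultdict

# First six lines are copied from the log excerpt in the post above; the last
# one is constructed (documentation address, different greeting) for contrast.
SAMPLE_LOG = r"""
postfix/postscreen[19736]: PREGREET 24 after 1.8 from [91.112.99.78]:35052: EHLO livingbusiness.it\r\n
postfix/postscreen[11663]: PREGREET 24 after 0.29 from [185.14.148.75]:32772: EHLO livingbusiness.it\r\n
postfix/postscreen[37825]: PREGREET 20 after 0.79 from [106.242.20.219]:41046: EHLO liscalinet.it\r\n
postfix/postscreen[6775]: PREGREET 15 after 0.83 from [106.242.20.219]:36543: EHLO logus.it\r\n
postfix/postscreen[10609]: PREGREET 18 after 0.57 from [213.172.158.83]:37427: EHLO loudness.it\r\n
postfix/postscreen[61999]: PREGREET 19 after 0.6 from [213.172.158.83]:46265: EHLO lomopress.it\r\n
postfix/postscreen[4242]: PREGREET 23 after 0.4 from [192.0.2.10]:40000: HELO mail.example.com\r\n
"""

PREGREET_RE = re.compile(
    r"postscreen\[\d+\]: PREGREET (?P<count>\d+) after (?P<delay>[\d.]+) "
    r"from \[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<text>.*)$")
L_DOT_IT = re.compile(r"EHLO l[a-z0-9-]*\.it", re.IGNORECASE)

def parse_pregreet(line):
    """Parse one postscreen PREGREET record; return None for other lines."""
    m = PREGREET_RE.search(line)
    if not m:
        return None
    # postscreen logs CR and LF as the C-style escapes \r and \n; undo that
    # so the text can be compared with the logged byte count.
    raw = m["text"].replace("\\r", "\r").replace("\\n", "\n")
    return {"ip": m["ip"], "delay": float(m["delay"]),
            "greeting": raw.strip(),
            "count_ok": len(raw) == int(m["count"])}

def summarize(log_text):
    """Aggregate PREGREET events by client address and greeting."""
    events = [e for e in map(parse_pregreet, log_text.splitlines()) if e]
    names_by_ip = defaultdict(set)
    for e in events:
        names_by_ip[e["ip"]].add(e["greeting"])
    return {
        "events": len(events),
        "clients": len(names_by_ip),
        "l_dot_it": sum(1 for e in events if L_DOT_IT.fullmatch(e["greeting"])),
        "count_mismatch": sum(1 for e in events if not e["count_ok"]),
        # one address announcing several names: the HELO name is not stable
        "rotating": sorted(ip for ip, n in names_by_ip.items() if len(n) > 1),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over the full excerpt, the same summary shows how many distinct addresses share the "l*.it" greeting pattern and which of them change the announced name between connections.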