Blacklist Emails

Status
Not open for further replies.

craigreilly

Free User
Joined
Feb 1, 2012
Messages
4,134
Reaction score
577
Just received this same exact message 262 times - except some say 3 sec and some say 4 sec. It's still going. HELP! Latest update is installed v11. Why aren't these getting added for 1200 seconds? And, I have put these into the Blacklist with an expiration date of 31-DEC-2033 yet they keep coming. Maybe the email server has them all queued up...

(0) AAVC-PHONE 3/20/2013 3:40:07 PM

Event source: 3CXPhoneSystem

The IP 87.239.186.97 has been blacklisted for 2 sec. Reason: requests rate is too high!
 
I had 3 different custom systems do the same thing as well today. I received between 50-150 emails saying an IP had been blacklisted for 3 seconds from each system.
 
(0) 3CX 3/20/2013 5:12:23 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:12:19 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:12:15 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:12:11 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:12:06 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 4 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:12:01 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 4 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:11:56 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 4 sec. Reason: requests rate is too high!
(0) 3CX 3/20/2013 5:11:52 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!

They go on and on and on for a few minutes.
I tried the same thing of adding the IP to the blacklist and it doesn't stop. Not sure what made it stop, but after a few minutes it did stop on the 3 different systems I had it happen on.
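
One way to collapse a flood of these notifications into a single record per source IP, added here as an example; it is not part of the original posts and not 3CX's own code. The sample lines are constructed in the two layouts quoted above, using documentation addresses and a made-up host name; `summarize` and its `burst` threshold are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: documentation addresses, hypothetical host "PBX-A".
SAMPLE = """\
(0) PBX-A 3/20/2013 5:12:23 PM Event source: 3CXPhoneSystem The IP 203.0.113.7 has been blacklisted for 3 sec. Reason: requests rate is too high!
(0) PBX-A 3/20/2013 5:12:19 PM Event source: 3CXPhoneSystem The IP 203.0.113.7 has been blacklisted for 3 sec. Reason: requests rate is too high!
(0) PBX-A 3/20/2013 5:12:15 PM Event source: 3CXPhoneSystem The IP 203.0.113.7 has been blacklisted for 4 sec. Reason: requests rate is too high!
(0) PBX-A 3/22/2013 9:01:02 AM

Event source: 3CXPhoneSystem

The IP 198.51.100.20 has been blacklisted for 2 sec. Reason: requests rate is too high!
(0) PBX-A 3/22/2013 9:02:10 AM Event source: 3CXPhoneSystem The IP 198.51.100.20 has been blacklisted for 250000 sec. Reason: Too many failed authentications!
"""

# \s+ between fields lets one pattern match both the one-line and multi-line layouts.
EVENT = re.compile(
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Event source: 3CXPhoneSystem\s+"
    r"The IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has been blacklisted for "
    r"(?P<secs>\d+) sec\. Reason: (?P<reason>.+?)!"
)

def summarize(text, burst=3):
    """Return one summary dict per source IP found in the notification text."""
    per_ip = defaultdict(list)
    for m in EVENT.finditer(text):
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        per_ip[m["ip"]].append((ts, int(m["secs"]), m["reason"]))
    report = {}
    for ip, events in per_ip.items():
        times = [e[0] for e in events]
        report[ip] = {
            "events": len(events),
            "first": min(times),
            "last": max(times),
            "max_block_secs": max(e[1] for e in events),
            "reasons": sorted({e[2] for e in events}),
            # The /24 the address sits in, for a manual range block.
            "subnet": str(ip_network(f"{ip}/24", strict=False)),
            # Many short blocks: the source returns as soon as each one expires.
            "repeat_short_blocks": len(events) >= burst,
        }
    return report
```
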
 
Well what the heck - I finally turned off notifications...
I don't even see the traffic in my Watchguard... But I see it in Wireshark.

Many like this
INVITE sip:[email protected] where the IP is any of my Public IP Addresses - Report Server, Time Clocks, Mail, Intranet, Citrix...

Today's hacking IPs (now 0's because I added them manually)
75.126.153.0
87.239.186.0
69.162.72.0
69.162.96.0
85.25.108.0
 
I wonder if there is some IP table out there for what subnets are from what countries.
I'd surely have no problem blocking all foreign subnets from 3CX system and only allowing USA IPs to connect.
For me it seems like 95% of the IPs that try to connect to the system are foreign based.
 
No more issues since 4:30 yesterday... keeping my fingers crossed.
I did go in and changed the anti-hacking settings and changed back so they would be re-saved in the system. Not sure it helped... but figured it was worth a try.
 
Well, I must say that today my own home 3CX installation did this too... I am investigating the issue.
 
I've had the same IP show up on 2013/03/22

The IP 87.239.186.97 has been blacklisted for 2 sec. Reason: requests rate is too high!

But, as with others, I only get one of the "requests rate too high" before I get one of these, usually a minute or so later.

The IP 87.239.186.97 has been blacklisted for 250000 sec. Reason: Too many failed authentications!

I will "permanently" block an IP range if they show up more than once.
 
Leejor, same IP. Now I am concerned...

I have 3 IPs doing this for 2 days, let's all post them here to find a pattern or common denominator. All seem to be from Europe and one has a weak root PW on CentOS.
 

Today 85.17.0.138

Lucky for me this jackass is using fqdn to reach this server and since the DNS record is only 30 seconds... no cache, I am returning the favor by providing him back my fqdn using his IP... he is hacking himself .... lol
 
Any fix for this? I have one IP that keeps emailing every 3 seconds. I have a couple hundred emails right now. Tried to block it, no good.

IP = 205.209.98.206

thanks,

Buddy Farr
 
I have not seen this behavior since I posted this 14 months ago. I am now on v12 SP5.
 