Blacklist Emails

Discussion in '3CX Phone System - General' started by craigreilly, Mar 20, 2013.

Thread Status:
Not open for further replies.
  1. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    2,977
    Likes Received:
    183
    Just received this same exact message 262 times - except some say 3 sec and some say 4 sec. It's still going. HELP! Latest update is installed v11. Why aren't these getting added for 1200 seconds? And, I have put these into the Blacklist with an expiration date of 31-DEC-2033 yet they keep coming. Maybe the email server has them all queued up...

    (0) AAVC-PHONE 3/20/2013 3:40:07 PM

    Event source: 3CXPhoneSystem

    The IP 87.239.186.97 has been blacklisted for 2 sec. Reason: requests rate is too high!
     
  2. tsukraw

    tsukraw New Member

    Joined:
    Mar 9, 2012
    Messages:
    190
    Likes Received:
    6
    I had 3 different custom systems do the same thing as well today. I received between 50-150 emails saying an IP had been blacklisted for 3 seconds from each system.
     
  3. tsukraw

    tsukraw New Member

    Joined:
    Mar 9, 2012
    Messages:
    190
    Likes Received:
    6
    (0) 3CX 3/20/2013 5:12:23 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:12:19 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:12:15 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:12:11 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:12:06 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 4 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:12:01 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 4 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:11:56 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 4 sec. Reason: requests rate is too high!
    (0) 3CX 3/20/2013 5:11:52 PM Event source: 3CXPhoneSystem The IP 64.31.10.186 has been blacklisted for 3 sec. Reason: requests rate is too high!

    They go on and on and on for a few minutes.
    I tried the same thing of adding the IP to the blacklist and it doesn't stop. Not sure what made it stop but it did after a few minutes stop on the 3 different systems I had it happen on.
     
  4. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    2,977
    Likes Received:
    183
    Well what the heck - I finally turned off notifications...
    I don't even see the traffic in my Watchguard... But I see it in Wireshark.

    Many like this:
    INVITE sip:018441212791970@66.xxx.xxx.xxx where the IP is any of my Public IP Addresses - Report Server, Time Clocks, Mail, Intranet, Citrix...

    Today's hacking IPs (now 0's because I added them manually)
    75.126.153.0
    87.239.186.0
    69.162.72.0
    69.162.96.0
    85.25.108.0
     
  5. tsukraw

    tsukraw New Member

    Joined:
    Mar 9, 2012
    Messages:
    190
    Likes Received:
    6
    I wonder if there is some IP table out there for what subnets are from what countries.
    I'd surely have no problem blocking all foreign subnets from 3CX system and only allowing USA IPs to connect.
    For me it seems like 95% of the IPs that try to connect to the system are foreign based.
     
  6. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    2,977
    Likes Received:
    183
    No more issues since 4:30 yesterday... keeping my fingers crossed.
    I did go in and changed the anti-hacking settings and changed back so they would be re-saved in the system. Not sure it helped... but figured it was worth a try.
     
  7. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Well, I must say that today my own home 3CX installation did this too... I am investigating the issue.
     
  8. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,368
    Likes Received:
    229
    I've had the same IP show up on 2013/03/22

    The IP 87.239.186.97 has been blacklisted for 2 sec. Reason: requests rate is too high!

    But, as with others, I only get one of the "requests rate too high" before I get one of these, usually a minute or so later.

    The IP 87.239.186.97 has been blacklisted for 250000 sec. Reason: Too many failed authentications!

    I will "permanently" block an IP range if they show up more than once.
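
The two notification formats quoted in this thread (the short "requests rate is too high" blocks and the long "Too many failed authentications" block) can be collapsed into one record per source IP instead of being read as hundreds of separate e-mails. This is an added example, not part of any post and not 3CX code; `summarize`, `digest` and the sample lines are constructed for illustration, and the timestamp is assumed to be month/day/year as in the quoted messages.

```python
import re
from datetime import datetime

# Timestamp and message formats as they appear in the notifications quoted above.
TS_RE = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")
EVENT_RE = re.compile(
    r"The IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has been blacklisted for "
    r"(?P<secs>\d+) sec\. Reason: (?P<reason>[^!]+)!")

# Constructed sample (documentation addresses, not the IPs posted in the thread).
HDR = "(0) 3CX 3/20/2013 5:12:%s PM Event source: 3CXPhoneSystem "
RATE = "The IP %s has been blacklisted for %d sec. Reason: requests rate is too high!"
SAMPLE = [
    HDR % "23" + RATE % ("203.0.113.7", 3),
    HDR % "19" + RATE % ("203.0.113.7", 3),
    HDR % "06" + RATE % ("203.0.113.7", 4),
    RATE % ("198.51.100.20", 2),
    "The IP 198.51.100.20 has been blacklisted for 250000 sec. "
    "Reason: Too many failed authentications!",
]

def summarize(lines):
    """Collapse repeated blacklist notifications into one record per source IP."""
    out = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a blacklist notification
        rec = out.setdefault(
            m["ip"], {"events": 0, "first": None, "last": None, "reasons": {}})
        rec["events"] += 1
        reason = m["reason"].strip()
        # Keep the longest block duration seen for each reason.
        rec["reasons"][reason] = max(rec["reasons"].get(reason, 0), int(m["secs"]))
        ts = TS_RE.search(line)
        if ts:  # the timestamp is optional; some quotes omit the e-mail header
            when = datetime.strptime(ts.group(), "%m/%d/%Y %I:%M:%S %p")
            rec["first"] = min(rec["first"] or when, when)
            rec["last"] = max(rec["last"] or when, when)
    return out

def digest(summary):
    """One line per IP, busiest first, suitable for a single summary e-mail."""
    rows = []
    for ip, r in sorted(summary.items(), key=lambda kv: -kv[1]["events"]):
        span = (r["last"] - r["first"]).total_seconds() if r["first"] else 0
        why = "; ".join(f"{k} (max {v}s)" for k, v in sorted(r["reasons"].items()))
        rows.append(f"{ip} x{r['events']} over {span:.0f}s: {why}")
    return rows
```
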
     
  9. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Leejor, same IP. Now I am concerned...

    I have 3 IPs doing this for 2 days, let's all post them here to find a pattern or common denominator. All seem to be from Europe and one has a weak root PW on CentOS.
     
  10. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    Leejor, same IP. Now I am concerned...

    I have 3 IPs doing this for 2 days, let's all post them here to find a pattern or common denominator. All seem to be from Europe and one has a weak root PW on CentOS.

    Today 85.17.0.138

    Lucky for me this jackass is using fqdn to reach this server and since the DNS record is only 30 seconds... no cache, I am returning the favor by providing him back my fqdn using his IP... he is hacking himself .... lol
     
  11. buddyfarr

    Joined:
    May 5, 2014
    Messages:
    2
    Likes Received:
    0
    Any fix for this? I have one IP that keeps emailing every 3 seconds. I have a couple hundred emails right now. Tried to block it, no good.

    IP = 205.209.98.206

    thanks,

    Buddy Farr
     
  12. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    2,977
    Likes Received:
    183
    I have not seen this behavior since I posted this 14 months ago. I am now on v12 SP5.
     