Email account probing from San Francisco
Yeah, California demise has got me: as a reaction to my Attributor article, there was a lot of activity on my server. Not only from employees of that company, but also from some twit in the San Francisco area who thought probing my POP3 server for accounts would be a terribly good idea. I am not clear about the motive, though: was it just some spammer in need of fresh addresses? Or was it rather someone with an axe to grind, who hoped I would use easy-to-guess email accounts with rather silly passwords?
First, part of the POP3 log as evidence:
Jan 6 12:47:30 my.pop3.server in.qpopper[26407]: Possible probe of account access from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:36 my.pop3.server in.qpopper[26412]: Possible probe of account accounts from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:39 my.pop3.server in.qpopper[26417]: Possible probe of account adm from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:44 my.pop3.server in.qpopper[26415]: Possible probe of account account from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:49 my.pop3.server in.qpopper[26430]: Possible probe of account admin from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:51 my.pop3.server in.qpopper[26432]: Possible probe of account temp from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:58 my.pop3.server in.qpopper[26441]: Possible probe of account admin2 from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:02 my.pop3.server in.qpopper[26439]: Possible probe of account test from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:04 my.pop3.server in.qpopper[26453]: Possible probe of account test2 from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:07 my.pop3.server in.qpopper[26459]: Possible probe of account test3 from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:09 my.pop3.server in.qpopper[26461]: Possible probe of account web from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:16 my.pop3.server in.qpopper[26471]: Possible probe of account web2 from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:16 my.pop3.server in.qpopper[26473]: Possible probe of account test1 from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:24 my.pop3.server in.qpopper[26486]: Possible probe of account webmaster from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:25 my.pop3.server in.qpopper[26476]: Possible probe of account web1 from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:48:30 my.pop3.server in.qpopper[26484]: Possible probe of account webadmin from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:49:57 my.pop3.server in.qpopper[26590]: Possible probe of account webmaster from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:54:19 my.pop3.server in.qpopper [...]
In case you have been wondering what kind of email addresses are not really a brilliant idea to use, you now more or less have an answer :-). Unlike an SMTP server, which may reject an unknown recipient outright, the POP3 server keeps answering with the same invalid-password error whether or not the account exists. So a probe like this is not really suitable for harvesting spammable email addresses. But maybe the point was to get one's hands on emails that were meant for someone else? I leave that interpretation to those who received my complaint about 207.213.142.74, the company responsible for the network:
CustName: IS West
Address: 268 Bush St.
Address: Suite 5000
City: San Francisco
StateProv: CA
PostalCode: 94104
Country: US
RegDate: 2002-03-26
Updated: 2004-11-05

NetRange: 207.213.142.0 - 207.213.143.255
CIDR: 207.213.142.0/23
NetName: SBC207213142000020325
NetHandle: NET-207-213-142-0-1
Parent: NET-207-212-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-03-26
Updated: 2004-11-05
When I checked 207.213.142.74 for any occurrences in anti-spam blocklists, it turned out to be unknown to them. There have been no new connection attempts since that probe, but to be on the safe side the whole 207.213.142.0/23 range stays in my iptables ruleset for now.
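Spotting this kind of enumeration and turning it into a firewall rule is easy to automate. The following is an added example, not code from the post: it parses qpopper "Possible probe of account" lines, groups probed account names by source address, flags any source that tried more than a handful of distinct names (one wrong password is a typo; fifteen different usernames from one host in a minute is a scan), and builds the iptables rule that drops POP3 from that host or from its enclosing prefix. The sample log lines below are constructed in the format shown above; the second source 192.0.2.10, the non-probe line and the threshold of 5 are assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the qpopper log format shown in the post.
# 192.0.2.10 (one wrong password for an existing-looking account) is an assumed second source.
SAMPLE_LOG = """\
Jan 6 12:47:30 my.pop3.server in.qpopper[26407]: Possible probe of account access from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:36 my.pop3.server in.qpopper[26412]: Possible probe of account accounts from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:39 my.pop3.server in.qpopper[26417]: Possible probe of account adm from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:44 my.pop3.server in.qpopper[26415]: Possible probe of account admin from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:47:49 my.pop3.server in.qpopper[26430]: Possible probe of account test from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 12:49:57 my.pop3.server in.qpopper[26590]: Possible probe of account webmaster from host 207.213.142.74 (207.213.142.74) [pop_quit.c:29]
Jan 6 13:02:11 my.pop3.server in.qpopper[26702]: Possible probe of account alice from host 192.0.2.10 (192.0.2.10) [pop_quit.c:29]
Jan 6 13:05:00 my.pop3.server in.qpopper[26710]: Some unrelated qpopper message
"""

# Tolerates the one- or two-space day padding syslog uses and "in.qpopper[pid]" / "in.qpopper [pid]".
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ in\.qpopper\s*\[(?P<pid>\d+)\]: "
    r"Possible probe of account (?P<account>\S+) from host (?P<host>\S+) \((?P<ip>[0-9a-fA-F.:]+)\)"
)


def parse_probes(log_text):
    """Yield (ip, account, timestamp) for every 'Possible probe' line; skip everything else."""
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("account"), m.group("ts")


def probes_by_source(log_text):
    """Map each source IP to the sorted list of distinct account names it probed."""
    seen = defaultdict(set)
    for ip, account, _ in parse_probes(log_text):
        seen[ip].add(account)
    return {ip: sorted(accounts) for ip, accounts in seen.items()}


def flag_enumerators(log_text, threshold=5):
    """Return the source IPs that probed at least `threshold` distinct account names.

    Counting distinct names rather than failed logins keeps a user who mistyped
    their own password out of the result. The threshold is an assumed value.
    """
    return sorted(ip for ip, accounts in probes_by_source(log_text).items()
                  if len(accounts) >= threshold)


def iptables_drop_rule(ip, prefixlen=None):
    """Build an iptables rule dropping POP3 (tcp/110) from the host, or from its
    enclosing prefix when `prefixlen` is given (the post blocks the whole /23 assigned
    to the customer rather than the single address)."""
    addr = ip_address(ip)
    target = str(addr) if prefixlen is None else str(ip_network(f"{addr}/{prefixlen}", strict=False))
    return f"iptables -I INPUT -s {target} -p tcp --dport 110 -j DROP"


if __name__ == "__main__":
    for ip in flag_enumerators(SAMPLE_LOG):
        print(f"{ip} probed {len(probes_by_source(SAMPLE_LOG)[ip])} distinct accounts")
        print(iptables_drop_rule(ip, prefixlen=23))
```

Run against the constructed sample, only 207.213.142.74 is flagged; 192.0.2.10 made a single failed attempt and is left alone. Blocking the covering /23 as the post does is a judgement call: it stops the prober moving to a neighbouring address in the same assignment, at the cost of also blocking any innocent customer in that range.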