Observation: with the beginning of the war against Iran, botnets more or less stopped attacking my mailserver. From typically 300–500 IP addresses per day, it has now been fewer than 5 for a week. Indicates that maybe quite some C&C (Command and Control) servers were operating from Iranian IP addresses and fell victim to the internet shutdown there.

#SysAdminLife @homelab

@homelab The attacking IP addresses were always from many countries, with a bit of clustering in the US, China and Indo-Pacific countries. These botnets mostly use malware-infected domestic devices. They do get their targets from the C&C servers and these seem to have gone quiet.
It is now day 5 with zero SASL login attempts on my mailserver after 3 years of at least 150 IP addresses/day. I am not complaining :) @homelab
@jwildeboer @homelab Over here it was very quiet the last ~week, but since early morning GMT SASL login attempts started again.
@jwildeboer @homelab
Another possibility: They now have more specific targets which are not your servers?
@unixwitch Sure, also possible. The attacks have been ongoing for more than 3 years. The timing of them giving up on my machine may be coincidence. I share my observation in the hope that other people maybe confirm similar things in their logs. @homelab
@jwildeboer @unixwitch @homelab Not much change for me (running a similar arrangement as Jan), still seeing anywhere from 100-600 IP blocks daily, which has been 'normal' for a couple of years
@jwildeboer @homelab Or they have been reassigned to other tasks

more likely, they have been directed against military targets.

@jwildeboer @homelab Have there been previous lulls in the attacks? At least some graphs which have been floating around here indicated that Iran has been plugging the country out of internet quite a few times lately because of the protests.
@jwildeboer @homelab I wonder if the AWS data centers being blown up in UAE & Bahrain might impact those types of operations 🤔
‘It means missile defence on datacentres’: drone strikes raise doubts over Gulf as AI superpower

Iran’s targeting of commercial datacentres in the UAE and Bahrain signals a new frontier in asymmetric warfare

The Guardian
@Lambo Thank you for this