Re: STARTTLS abuse

2021-09-09 Thread Simon Wilson
- Message from Wietse Venema - Date: Thu, 9 Sep 2021 18:58:21 -0400 (EDT) From: Wietse Venema Subject: Re: STARTTLS abuse To: Jaroslaw Rafa Cc: postfix-users@postfix.org Jaroslaw Rafa: I also don't have the summary part "ehlo=xxx starttls=xxx ..."

Re: STARTTLS abuse

2021-09-09 Thread Wietse Venema
Jaroslaw Rafa: > I also don't have the summary part "ehlo=xxx starttls=xxx ..." etc. in my > disconnect message, the log line is just "disconnect from > static.148.188.201.195.clients.your-server.de[195.201.188.148]". The commands=x/y counts were added in Postfix 3.0, released in 2015. They may

Re: STARTTLS abuse

2021-09-09 Thread Bill Cole
On 2021-09-09 at 15:21:02 UTC-0400 (Thu, 9 Sep 2021 15:21:02 -0400) J Doe is rumored to have said: [...] Hi, In this case, is the botnet actually trying credentials ? It looks to me that it is establishing a TLS connection and then dropping it (or am I mistaken ?). Note this log line

Re: STARTTLS abuse

2021-09-09 Thread Viktor Dukhovni
On Thu, Sep 09, 2021 at 03:21:02PM -0400, J Doe wrote: > >> Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from > >> unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4 > > > > That's AUTH probing. A bot on 77.247.110.240 has a big list of usernames > > and password and

Re: STARTTLS abuse

2021-09-09 Thread Noel Jones
On 9/9/2021 2:21 PM, J Doe wrote: Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4 In this case, is the botnet actually trying credentials ?  It looks to me that it is establishing a TLS connection and then

Re: STARTTLS abuse

2021-09-09 Thread J Doe
On 2021-09-07 7:11 p.m., Bill Cole wrote: On 2021-09-07 at 14:42:33 UTC-0400 (Tue, 7 Sep 2021 19:42:33 +0100) Adam Weremczuk is rumored to have said: Hi all, It's postfix 3.1.6-0+deb9u1 on Debian 9. Since enabling STARTTLS on port 25 I'm getting lots of traffic looking like this (relay

Re: STARTTLS abuse

2021-09-07 Thread Bill Cole
On 2021-09-07 at 14:42:33 UTC-0400 (Tue, 7 Sep 2021 19:42:33 +0100) Adam Weremczuk is rumored to have said: Hi all, It's postfix 3.1.6-0+deb9u1 on Debian 9. Since enabling STARTTLS on port 25 I'm getting lots of traffic looking like this (relay attempts?): This does not actually have

Re: STARTTLS abuse

2021-09-07 Thread Viktor Dukhovni
On Tue, Sep 07, 2021 at 02:50:09PM -0400, Viktor Dukhovni wrote: > inetnum:77.247.110.0 - 77.247.110.255 > netname:PEENQ-NL-TLN-VPS-01 > country:NL > geoloc: 52.370216 4.895168 > admin-c:PA10298-RIPE > tech-c: PA10298-RIPE >

Re: STARTTLS abuse

2021-09-07 Thread Viktor Dukhovni
On Tue, Sep 07, 2021 at 07:42:33PM +0100, Adam Weremczuk wrote: > It's postfix 3.1.6-0+deb9u1 on Debian 9. > > Since enabling STARTTLS on port 25 I'm getting lots of traffic looking > like this (relay attempts?): > > Sep  6 09:17:42 localhost postfix/smtpd[14622]: connect from >

Re: STARTTLS abuse

2021-09-07 Thread Wietse Venema
Adam Weremczuk: > Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from > unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4 Use "auth=0/" as a pattern for fail2ban. Wietse

STARTTLS abuse

2021-09-07 Thread Adam Weremczuk
Hi all, It's postfix 3.1.6-0+deb9u1 on Debian 9. Since enabling STARTTLS on port 25 I'm getting lots of traffic looking like this (relay attempts?): Sep  6 09:17:42 localhost postfix/smtpd[14622]: connect from unknown[77.247.110.240] Sep  6 09:17:42 localhost postfix/smtpd[14622]: setting