On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
> I have many thousands of these over the last seven days:
> 
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: 
> unknown[185.103.253.246]: SASL LOGIN authentication failed: 
> UGFzc3dvcmQ6
> 
> They are all the exact same, including the UGF… portion.
> 
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD 
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

One minor comment: I would not even offer AUTH on port 25.

> I mean, nothing is getting in, but there are thousands of these, 
> 2000 yesterday, and today there are over 3400 so far, and it’s 
> barely even noon. The first day there were 700, and it’s just 
> ramped up since then.
> 
> /etc/hosts.allow:
>    ALL : 185.103.253.246 : DENY
> 
> Has no effect.

I'd suggest either blocking it in the firewall or adding it to 
postscreen_access_list ( postconf.5.html#postscreen_access_list ).
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
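
An added example, not part of the original message: a Python sketch that counts failed SASL attempts per client IP in Postfix smtpd log lines like those quoted above, decodes the repeated base64 string, and renders reject lines for a CIDR table usable with postscreen_access_list. The sample log is constructed (unwrapped, with a documentation address added), and the threshold of 3 is an assumption.

```python
import base64
import re
from collections import Counter

# Constructed sample modelled on the quoted log lines; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:39 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:49:02 mail postfix/smtpd[19701]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed:
Mar 20 10:49:10 mail postfix/smtpd[19701]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<tail>\S*)"
)

def decode_tail(tail):
    """Base64-decode the text logged after 'authentication failed:', or None."""
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True).decode("ascii")
    except ValueError:  # covers malformed base64 and non-ASCII bytes
        return None

def sasl_failures(log_text):
    """Count failed SASL attempts per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def postscreen_cidr(counts, threshold):
    """Render CIDR-table 'reject' lines for IPs at or above the threshold."""
    return [
        f"{ip}/{128 if ':' in ip else 32}\treject"
        for ip, n in sorted(counts.items())
        if n >= threshold
    ]

if __name__ == "__main__":
    print(decode_tail("UGFzc3dvcmQ6"))  # the SASL LOGIN prompt, not a credential
    print("\n".join(postscreen_cidr(sasl_failures(SAMPLE_LOG), threshold=3)))
```

The rendered lines belong in a CIDR table referenced from main.cf, for example `postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr` (the file path is an assumption).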
