On Sun Mar 20 2016 12:23:00 /dev/rob0   <[email protected]> said:
> 
> On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
>> I have many thousands of these over the last seven days:
>> 
>> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: 
>> unknown[185.103.253.246]: SASL LOGIN authentication failed: 
>> UGFzc3dvcmQ6
>> 
>> They are all the exact same, including the UGF… portion.
>> 
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
>> [185.103.253.246]:61153 to [65.121.55.45]:25
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD 
>> [185.103.253.246]:61153
>> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from 
>> unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: 
>> unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
>> unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
>> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
> 
> One minor comment: I would not even offer AUTH on port 25.

I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail submissions 
have to be on port 587.

>> I mean, nothing is getting in, but there are thousands of these, 
>> 2000 yesterday, and today there are over 3400 so far, and it’s 
>> barely even noon. The first day there were 700, and it’s just 
>> ramped up since then.
>> 
>> /etc/hosts.allow:
>>   ALL : 185.103.253.246 : DENY
>> 
>> Has no effect.
> 
> I'd suggest either blocking it in the firewall or adding to 
> postscreen_access_list ( postconf.5.html#postscreen_access_list ).

Oh, yes, I completely forgot about that.

postscreen_access_cidr
   185.103.253.246 reject

$ postmap -q 185.103.253.246 cidr:/usr/local/etc/postfix/postscreen_access.cidr
reject

But they still keep coming.

$ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
Sun Mar 20 12:43:33 MDT 2016
Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6


-- 
Don't ride in anything with a Capissen-38 engine, they fall right out of
the sky
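
An added example, not part of the original thread: a small Python triage of the `SASL LOGIN authentication failed` lines quoted above, counting failures per client address and decoding the base64 token that follows the message. The sample log is constructed from the thread's lines re-joined onto single lines, plus one invented line from the documentation address 192.0.2.10; the threshold of 3 is an assumption.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample: log lines from the thread, re-joined onto single lines,
# plus one invented line from a documentation address (192.0.2.10).
SAMPLE_LOG = """\
Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 11:02:10 mail postfix/smtpd[20111]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<token>\S*)"
)

def decode_token(token):
    """Return the base64-decoded trailing token, or the raw token if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token

def summarize(lines):
    """Count SASL failures per client IP and collect the decoded trailing tokens."""
    per_ip, tokens = Counter(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
            tokens[decode_token(m["token"])] += 1
    return per_ip, tokens

def cidr_rejects(per_ip, threshold):
    """Emit 'address reject' lines, the form used in the thread, for noisy clients."""
    return [f"{ip} reject" for ip, n in sorted(per_ip.items()) if n >= threshold]

if __name__ == "__main__":
    per_ip, tokens = summarize(SAMPLE_LOG.splitlines())
    print(dict(per_ip), dict(tokens))
    print("\n".join(cidr_rejects(per_ip, threshold=3)))
```

The token in these lines decodes to `Password:`, the server's LOGIN prompt rather than anything the client sent, which is why it is identical on every line.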

