> On 26 February 2020, at 02:54, Jaroslaw Rafa <r...@rafa.eu.org> wrote:
> 
> My Postfix log is full of repeated connections and disconnections from the
> same machine:
> 
> Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
> Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
> Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
> 
> This repeats over and over (I already blocked this IP on the firewall). I wonder
> what this attacker(?) is trying to do - the client doesn't attempt AUTH or
> anything (it would be logged). It just connects and disconnects. And so on
> and on...

One of my mail servers showed the same thing.  Tcpdump showed they are sending 
SYN after SYN, nothing else.  You didn't indicate which firewall you are using, 
but when I went to block them with pf I found that they send often enough that 
pf's state stays active.  I had to manually remove that state entry to stop the 
logging.  That won't stop their sending the SYNs though.  It almost appears to 
be a really poor attempt at a denial of service.  I did find 2 other sites 
sending the same thing.

-- Doug
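
One way to confirm from the log that a client only connects and disconnects, as in the quoted message. This is an added example, not part of either email; the sample lines and their documentation IP addresses are constructed, and the function name `empty_sessions` and its threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted log lines; IPs are documentation addresses.
SAMPLE_LOG = """\
Feb 26 11:43:41 mx postfix/submission/smtpd[13829]: connect from unknown[192.0.2.10]
Feb 26 11:43:52 mx postfix/submission/smtpd[13829]: disconnect from unknown[192.0.2.10]
Feb 26 11:44:04 mx postfix/submission/smtpd[13829]: warning: hostname bad.example does not resolve to address 192.0.2.10: Name or service not known
Feb 26 11:44:04 mx postfix/submission/smtpd[13829]: connect from unknown[192.0.2.10]
Feb 26 11:44:15 mx postfix/submission/smtpd[13829]: disconnect from unknown[192.0.2.10]
Feb 26 11:44:20 mx postfix/submission/smtpd[13901]: connect from unknown[198.51.100.7]
Feb 26 11:44:21 mx postfix/submission/smtpd[13901]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 26 11:44:22 mx postfix/submission/smtpd[13901]: disconnect from unknown[198.51.100.7]
Feb 26 11:44:30 mx postfix/submission/smtpd[13829]: connect from unknown[192.0.2.10]
Feb 26 11:44:41 mx postfix/submission/smtpd[13829]: disconnect from unknown[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[(\d+)\]: (.*)$")
PEER = re.compile(r"^(connect|disconnect) from \S*\[([0-9A-Fa-f:.]+)\]")
# Lines Postfix logs on its own, without the client having sent a command.
NOT_CLIENT = re.compile(r"^(warning: hostname |lost connection after CONNECT )")

def empty_sessions(log_text, threshold=3):
    """Return {ip: count} for clients with >= threshold sessions that logged
    nothing between connect and disconnect (no AUTH, no mail transaction)."""
    open_sessions = {}  # smtpd pid -> [ip, saw_activity]; one client per process at a time
    empty = Counter()
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        peer = PEER.match(msg)
        if peer and peer.group(1) == "connect":
            open_sessions[pid] = [peer.group(2), False]
        elif peer:  # disconnect; an unmatched one (log starts mid-session) is not counted
            ip, active = open_sessions.pop(pid, (peer.group(2), True))
            # Recent Postfix appends command counters; "auth=" means AUTH was tried.
            if not active and "auth=" not in msg:
                empty[ip] += 1
        elif pid in open_sessions and not NOT_CLIENT.match(msg):
            open_sessions[pid][1] = True
    return {ip: n for ip, n in empty.items() if n >= threshold}
```

Run against the real mail log, the returned addresses are the candidates for a firewall block; a client that fails AUTH, like the second address in the sample, is deliberately left for other tooling.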

