Hello, I am parsing mail logs, and banning offending IP addresses. Mostly I match patterns such as:
  too many errors after .* from .*
  warning: non-SMTP command from .*
  reject: RCPT from .* Recipient address rejected: User unknown in local recipient table; .*

I think it is safe to block IPs based on the above examples. These errors clearly indicate evil intent.

I also see many errors such as:

  lost connection after STARTTLS

Is it safe to block this as well, or can this happen to a legitimate client? In other words, in what situation would a legitimate client generate "lost connection after STARTTLS"?

thanks,
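As an added example (not code from the original post), here is a small classifier that runs the poster's patterns over Postfix-style smtpd log lines and tallies hits per client IP. It assumes the usual Postfix "host[ip]" client field, and it keeps the "lost connection after STARTTLS" pattern in a separate watch counter rather than the ban list, since that line can also be produced by a client that merely fails or aborts the TLS handshake; the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Client field as Postfix logs it: "hostname[ip]" (assumption about the log format).
CLIENT = r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]"

# Patterns from the question; a hit marks the IP as a ban candidate.
BAN_PATTERNS = {
    "too_many_errors": re.compile(r"too many errors after \S+ from " + CLIENT),
    "non_smtp_command": re.compile(r"warning: non-SMTP command from " + CLIENT),
    "unknown_recipient": re.compile(
        r"reject: RCPT from " + CLIENT
        + r":.*Recipient address rejected: User unknown in local recipient table"),
}
# Counted but not banned: a legitimate client can drop after STARTTLS (e.g. TLS failure).
WATCH_PATTERNS = {
    "lost_after_starttls": re.compile(r"lost connection after STARTTLS from " + CLIENT),
}

def classify_line(line):
    """Return (category, ip, is_ban_candidate) for a matching line, else None."""
    for name, rx in BAN_PATTERNS.items():
        m = rx.search(line)
        if m:
            return name, m.group("ip"), True
    for name, rx in WATCH_PATTERNS.items():
        m = rx.search(line)
        if m:
            return name, m.group("ip"), False
    return None

def analyse(lines, ban_threshold=1):
    """Map each IP to its ban reasons (at/above threshold) and return watch counts separately."""
    ban_hits, watch_hits, reasons = Counter(), Counter(), defaultdict(set)
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue  # ordinary traffic, e.g. "connect from", "disconnect from"
        category, ip, banning = hit
        if banning:
            ban_hits[ip] += 1
            reasons[ip].add(category)
        else:
            watch_hits[ip] += 1
    ban = {ip: sorted(reasons[ip]) for ip, n in ban_hits.items() if n >= ban_threshold}
    return ban, dict(watch_hits)

# Constructed sample lines in Postfix smtpd format (not real traffic).
SAMPLE_LINES = [
    "Mar  3 10:15:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<nobody@example.com> proto=ESMTP helo=<foo>",
    "Mar  3 10:15:05 mx postfix/smtpd[1234]: too many errors after RCPT from unknown[203.0.113.10]",
    "Mar  3 10:16:00 mx postfix/smtpd[1235]: warning: non-SMTP command from unknown[198.51.100.7]: GET / HTTP/1.1",
    "Mar  3 10:17:00 mx postfix/smtpd[1236]: connect from mail.example.net[192.0.2.5]",
    "Mar  3 10:17:01 mx postfix/smtpd[1236]: lost connection after STARTTLS from mail.example.net[192.0.2.5]",
]
```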