From: Christos C. <ch...@cr...> - 2019-01-08 14:18:54
>
> Hi Mario,
>
> Sure. Could you explain, or point me to some documentation, that
> explains what that message means?
>
> From taking a cursory look, it looks like postfix got HELO/EHLO, did
> not authenticate, and the client quit?
>
> We're also interested in avoiding false positives. Could a legitimate
> client also generate that message?
>
> Regards,
> Kevin
>

Dear Kevin,

I check the daily logs on many servers for these entries and I see only IPs that look like spambots. I am not sure if a legitimate client can generate this message. To me it looks like a spambot tries to do SMTP authentication to check if a password is valid and maybe later use this account to send spam. I think it's better to ask pos...@po...

Some examples:

server44:
Jan 8 14:30:49 server44 postfix-smtp/smtpd[61979]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 15:07:22 server44 postfix-smtp/smtpd[2605]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3

server53:
Jan 8 12:32:29 server53 postfix-smtp/smtpd[63822]: disconnect from dslb-088-070-049-129.088.070.pools.vodafone-ip.de[88.70.49.129] helo=1 auth=0/1 quit=1 commands=2/3

server56:
Jan 8 01:45:34 server56 postfix-smtp/smtpd[8747]: disconnect from unknown[78.131.87.207] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 10:47:04 server56 postfix-smtp/smtpd[52366]: disconnect from dslb-088-070-049-129.088.070.pools.vodafone-ip.de[88.70.49.129] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 11:25:06 server56 postfix-smtp/smtpd[53914]: disconnect from dslb-088-070-049-129.088.070.pools.vodafone-ip.de[88.70.49.129] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 13:20:36 server56 postfix-smtp/smtpd[9710]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 13:25:19 server56 postfix-smtp/smtpd[9710]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3

server6:
Jan 8 01:51:40 server6 postfix-smtp/smtpd[9237]: disconnect from unknown[191.209.21.224] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 14:13:13 server6 postfix-smtp/smtpd[13008]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 15:17:46 server6 postfix-smtp/smtpd[85471]: disconnect from unknown[41.79.233.43] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 15:34:36 server6 postfix-smtp/smtpd[16609]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3

Kind regards,
Christos Chatzaras
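
An added example, not part of the original message: a small Python parser for the `disconnect from` lines quoted above that reads each counter as successful/total, flags sessions where AUTH was attempted but never succeeded, and groups the hits per client IP across servers. The rule "no mail transaction started", the function names and the final sample line (an authenticated session from a documentation address) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample lines copied from the message above (syslog format with a
# "postfix-smtp" syslog_name); the last line is constructed to show a
# session that authenticated and sent mail, which must not be flagged.
SAMPLE_LOG = """\
Jan 8 14:30:49 server44 postfix-smtp/smtpd[61979]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 10:47:04 server56 postfix-smtp/smtpd[52366]: disconnect from dslb-088-070-049-129.088.070.pools.vodafone-ip.de[88.70.49.129] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 13:20:36 server56 postfix-smtp/smtpd[9710]: disconnect from static-233-10-25-46.ipcom.comunitel.net[46.25.10.233] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 15:17:46 server6 postfix-smtp/smtpd[85471]: disconnect from unknown[41.79.233.43] helo=1 auth=0/1 quit=1 commands=2/3
Jan 8 16:02:11 server6 postfix-smtp/smtpd[90001]: disconnect from mail.example.org[192.0.2.10] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<server>\S+)\s+\S+/smtpd\[\d+\]:\s+"
    r"disconnect from \S*\[(?P<ip>[^\]]+)\]\s+(?P<counters>.*)$"
)

def parse_counters(text):
    """Turn 'helo=1 auth=0/1' into {'helo': (1, 1), 'auth': (0, 1)}.

    Postfix logs name=N when all N commands succeeded, name=ok/total otherwise.
    """
    out = {}
    for name, ok, total in re.findall(r"(\w+)=(\d+)(?:/(\d+))?", text):
        out[name] = (int(ok), int(total) if total else int(ok))
    return out

def is_auth_probe(c):
    """AUTH attempted, none succeeded, and no mail transaction was started."""
    ok, total = c.get("auth", (0, 0))
    return total > 0 and ok == 0 and "mail" not in c

def find_probes(log_text):
    """Return {ip: {'count': n, 'servers': set}} for matching sessions."""
    hits = defaultdict(lambda: {"count": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_auth_probe(parse_counters(m.group("counters"))):
            hits[m.group("ip")]["count"] += 1
            hits[m.group("ip")]["servers"].add(m.group("server"))
    return dict(hits)

if __name__ == "__main__":
    for ip, h in sorted(find_probes(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}\t{h['count']} failed-auth sessions on {sorted(h['servers'])}")
```

A single hit can be a user with a mistyped password, so counting repeats per IP and across servers before acting on an address helps limit false positives.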