From: Mario B <ma...@su...> - 2019-01-08 21:06:10
Hi,

I agree that dynamic IPs can be filtered in postfix. But in that case we could also deny legit email from servers which are not properly configured.

I was able to recreate this type of connection, which spam bots do. They connect to the server and send commands:

* helo
* auth
* quit

If the auth is not enabled, then they quit the session since they have nothing more to do. Can this happen to a legit session? To tell you the truth, I don't know. Maybe someone from the postfix mailing list would know.

Regards,
Mario

Quoting li...@la...:

> Those dynamic IP addresses can be filtered in postfix. I set this up so
> long ago that I don't recall the details, but this is the relevant line
> in postfix main.cf:
> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
>
> Google digs up:
> http://postfix.1071664.n5.nabble.com/New-approach-with-fqrdns-pcre-file-td90262.html
> https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
>
> If the original poster goes this route, I would suggest consulting the
> postfix mailing list.
>
> On Mon, 7 Jan 2019 23:24:54 -0600
> Kevin Zheng <kev...@gm...> wrote:
>
>> Hi Mario,
>>
>> Sure. Could you explain, or point me to some documentation, that
>> explains what that message means?
>>
>> From taking a cursory look, it looks like postfix got HELO/EHLO, did
>> not authenticate, and the client quit?
>>
>> We're also interested in avoiding false positives. Could a legitimate
>> client also generate that message?
>>
>> Regards,
>> Kevin
>>
>> On 1/3/19 2:12 AM, Mario B wrote:
>> >
>> > Hi,
>> >
>> > Would it be possible to block IP addresses from bots that are only
>> > trying to connect and stop at the auth.
>> > Usually the pattern is "helo=1 auth=0/1 quit=1 commands=2/3"
>> >
>> > postfix log excerpt:
>> >
>> > Jan 3 07:08:58 xyz postfix/smtpd[64504]: connect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251]
>> > Jan 3 07:08:59 xyz postfix/smtpd[64504]: disconnect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:10:47 xyz postfix/smtpd[64504]: connect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
>> > Jan 3 07:10:47 xyz postfix/smtpd[64504]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:12:57 xyz postfix/smtpd[64523]: connect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
>> > Jan 3 07:12:58 xyz postfix/smtpd[64523]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:22:03 xyz postfix/smtpd[64595]: connect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202]
>> > Jan 3 07:22:04 xyz postfix/smtpd[64595]: disconnect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:33:12 xyz postfix/smtpd[64632]: connect from 202077050129.static.ctinets.com[202.77.50.129]
>> > Jan 3 07:33:13 xyz postfix/smtpd[64632]: disconnect from 202077050129.static.ctinets.com[202.77.50.129] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:42:05 xyz postfix/smtpd[64649]: connect from 218.221.208.186.yukanet.com.br[186.208.221.218]
>> > Jan 3 07:42:05 xyz postfix/smtpd[64649]: disconnect from 218.221.208.186.yukanet.com.br[186.208.221.218] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:46:12 xyz postfix/smtpd[64671]: connect from 220-130-140-22.HINET-IP.hinet.net[220.130.140.22]
>> > Jan 3 07:46:13 xyz postfix/smtpd[64671]: disconnect from 220-130-140-22.HINET-IP.hinet.net[220.130.140.22] helo=1 auth=0/1 quit=1 commands=2/3
>> > Jan 3 07:48:21 xyz postfix/smtpd[64674]: connect from 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210]
>> > Jan 3 07:48:21 xyz postfix/smtpd[64674]: disconnect from 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210] helo=1 auth=0/1 quit=1 commands=2/3
>> >
>> > Regards,
>> > Mario
>> >
>> > _______________________________________________
>> > sshguard-users mailing list
>> > ssh...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
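The "helo / auth / quit" session Mario describes, and Kevin's question about false positives, worked through as an added example that is not code from sshguard, Postfix, or anyone in the thread. It parses Postfix smtpd `disconnect from` lines of the form shown in the log excerpt, flags sessions that greeted, attempted AUTH with zero successes and then quit without ever issuing MAIL FROM, and counts those sessions per client IP so that a single failed login (a user with a mistyped password looks the same) is not enough on its own. The sample log lines, hostnames and IPs are constructed, and accepting `ehlo=` as well as `helo=` is my own generalisation of the `helo=1 auth=0/1 quit=1 commands=2/3` pattern; all function names are my own.

```python
"""Count 'greet, fail AUTH, quit' probe sessions per IP in Postfix smtpd logs.

Added example, not sshguard's or Postfix's own code. The line format follows
the excerpt in the thread; the sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan  3 07:08:58 xyz postfix/smtpd[64504]: connect from host-a.example.net[192.0.2.10]
Jan  3 07:08:59 xyz postfix/smtpd[64504]: disconnect from host-a.example.net[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:10:47 xyz postfix/smtpd[64504]: connect from host-b.example.net[198.51.100.7]
Jan  3 07:10:47 xyz postfix/smtpd[64504]: disconnect from host-b.example.net[198.51.100.7] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:12:58 xyz postfix/smtpd[64523]: disconnect from host-b.example.net[198.51.100.7] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:15:00 xyz postfix/smtpd[64530]: disconnect from mx.example.org[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan  3 07:16:00 xyz postfix/smtpd[64531]: disconnect from client.example.com[203.0.113.9] ehlo=1 starttls=1 auth=0/1 quit=1 commands=4/5
"""

# Only the disconnect line carries the per-command counters; the matching
# "connect from" line is ignored.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<counters>.+)$"
)
# Postfix writes "name=ok" when every attempt succeeded and "name=ok/total"
# otherwise, so a missing denominator means ok == total.
COUNTER_RE = re.compile(r"(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def parse_counters(text):
    """'helo=1 auth=0/1 quit=1 commands=2/3' -> {'helo': (1, 1), 'auth': (0, 1), ...}."""
    out = {}
    for m in COUNTER_RE.finditer(text):
        ok = int(m.group("ok"))
        total = int(m.group("total")) if m.group("total") else ok
        out[m.group("cmd")] = (ok, total)
    return out


def is_auth_probe(counters):
    """True for a session that greeted, tried AUTH without any success, never
    sent MAIL FROM, and quit: the bot behaviour described in the thread.
    HELO and EHLO are both accepted (my generalisation of the 'helo=1' pattern)."""
    auth = counters.get("auth")
    if auth is None or auth[0] != 0:
        return False  # no AUTH at all, or an AUTH that succeeded
    if "mail" in counters:
        return False  # the client went on to submit mail; not the probe shape
    greeted = "helo" in counters or "ehlo" in counters
    return greeted and counters.get("quit", (0, 0))[0] >= 1


def scan(log_text):
    """Return {ip: number_of_probe_sessions} for the given log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m and is_auth_probe(parse_counters(m.group("counters"))):
            hits[m.group("ip")] += 1
    return hits


def offenders(log_text, threshold):
    """IPs whose probe count reaches the threshold.

    One failed AUTH can be a legitimate user with a wrong password (the
    false-positive concern raised in the thread), so only IPs that repeat
    the pattern are reported."""
    return sorted(ip for ip, n in scan(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: {n} probe session(s)")
    print("would block:", offenders(SAMPLE_LOG, threshold=2))
```

Run against the constructed sample, `203.0.113.5` is never counted (it delivered mail), `203.0.113.9` and `192.0.2.10` each show one failed-AUTH session and stay below a threshold of 2, and only `198.51.100.7`, which repeated the pattern, is reported. Whatever threshold you choose, the same per-IP repetition rule is what keeps one mistyped password from turning into a block.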