On Thu, Dec 21, 2023 at 02:17:34PM -0500, Wietse Venema via Postfix-users wrote:
> Kim Sindalsen via Postfix-users:
> > I'm reading that either " smtpd_data_restrictions =
> > reject_unauth_pipelining" or "smtpd_forbid_unauth_pipelining = yes" should
> > *work* for short-term workaround, right?
>
> They look for the same thing but at different times.
>
> > I've had data-restrictions for years, just today added forbid_unauth for
> > good measure.
> >
> > Looking through logs I see:
>
> A lot of crap on the Internet, thanks for confirming that!

Indeed, many instances of "improper command pipelining after CONNECT" in
my logs, some early talkers, but mostly HTTP or TLS Client Hello. This
even includes "shodan" looking for implicit TLS on port 25 for no good
reason:

    improper command pipelining after CONNECT from
        burger.census.shodan.io[66.240.219.146]: \026\003\001\000j...

But, on December 6th, my logs have a somewhat more interesting example,
with 14 instances of:

    connect from unknown[14.116.39.58]
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]: 550 5.7.1
        Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<vvw...@imrryr.org>
        to=<huojh2...@gmail.com> proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]: 550 5.7.1
        Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<g...@imrryr.org>
        to=<huojh2...@gmail.com> proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]: 550 5.7.1
        Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<qq...@imrryr.org>
        to=<huojh2...@gmail.com> proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]: 550 5.7.1
        Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<a...@imrryr.org>
        to=<huojh2...@gmail.com> proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]: 550 5.7.1
        Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<pp...@imrryr.org>
        to=<huojh2...@gmail.com> proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]: 550 5.7.1
        Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<uuu...@imrryr.org>
        to=<huojh2...@gmail.com> proto=ESMTP helo=<huo>
    improper command pipelining after DATA from unknown[14.116.39.58]:
        RSET\r\nMAIL FROM:<nn...@imrryr.org>\r\nRCPT TO:<huojh2...@gmail.com>
        \r\nDATA\r\nRSET\r\nMAIL FROM:<gghh@imrry
    disconnect from unknown[14.116.39.58] ehlo=1 mail=6 rcpt=0/6
        data=0/6 rset=6 commands=13/25

Each one with 7 attempted transactions, in which the 7th arrives
back-to-back with the sixth. This particular dictionary attack "probe"
sends "DATA", but never intends to actually send a message body. If
one of the recipients succeeds, the rest of the attempts would be
message payload...

--
    Viktor.
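
A log-triage sketch for the patterns described in the message above, added here as an example (not code from the post or from Postfix). It sorts "improper command pipelining" events by what the client sent and flags sessions that pipelined SMTP commands after DATA while every RCPT was rejected. The sample lines are constructed, and the function names and category labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpts in the message above
# (syslog prefix omitted; 192.0.2.x and example.* values are placeholders).
SAMPLE_LOG = r"""
improper command pipelining after CONNECT from burger.census.shodan.io[66.240.219.146]: \026\003\001\000j
improper command pipelining after CONNECT from unknown[192.0.2.10]: GET / HTTP/1.1\r\nHost: example
improper command pipelining after CONNECT from unknown[192.0.2.11]: EHLO early.example\r\n
improper command pipelining after DATA from unknown[14.116.39.58]: RSET\r\nMAIL FROM:<a@example.org>\r\nRCPT TO:<b@example.com>\r\nDATA\r\nRSET
disconnect from unknown[14.116.39.58] ehlo=1 mail=6 rcpt=0/6 data=0/6 rset=6 commands=13/25
"""

PIPELINING = re.compile(
    r"improper command pipelining after (\S+) from \S+\[([^\]]+)\]: (.*)")
DISCONNECT = re.compile(r"disconnect from \S+\[([^\]]+)\] (.*)")

def classify(stage, payload):
    """Label what the client sent before the server was ready for it."""
    if payload.startswith(r"\026\003"):  # TLS handshake record, octal-escaped in the log
        return "tls-client-hello"
    if re.match(r"(GET|POST|HEAD|OPTIONS|CONNECT) \S+ HTTP/", payload):
        return "http"
    if stage == "DATA" and re.search(r"(MAIL FROM|RCPT TO):", payload, re.I):
        return "smtp-after-data"
    return "early-talker" if stage == "CONNECT" else "other"

def parse_counts(stats):
    """'rcpt=0/6 rset=6' -> {'rcpt': (0, 6), 'rset': (6, 6)} as (accepted, total)."""
    out = {}
    for key, val in re.findall(r"(\w+)=(\d+(?:/\d+)?)", stats):
        ok, _, total = val.partition("/")
        out[key] = (int(ok), int(total or ok))
    return out

def triage(log_text):
    """Return (Counter of payload kinds, [(ip, rejected RCPT count)] for probes)."""
    kinds, after_data, probes = Counter(), set(), []
    for line in log_text.splitlines():
        if m := PIPELINING.search(line):
            stage, ip, payload = m.groups()
            kind = classify(stage, payload)
            kinds[kind] += 1
            if kind == "smtp-after-data":
                after_data.add(ip)
        elif (m := DISCONNECT.search(line)) and m.group(1) in after_data:
            after_data.discard(m.group(1))       # one verdict per session
            ok, total = parse_counts(m.group(2)).get("rcpt", (0, 0))
            if total and ok == 0:                # every recipient was refused
                probes.append((m.group(1), total))
    return kinds, probes
```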