On Thu, Dec 21, 2023 at 02:17:34PM -0500, Wietse Venema via Postfix-users wrote:

> Kim Sindalsen via Postfix-users:
> > I'm reading that either " smtpd_data_restrictions =
> > reject_unauth_pipelining" or "smtpd_forbid_unauth_pipelining = yes" should
> > *work* for short-term workaround, right?
> 
> They look for the same thing but at different times.
> 
> > I've had data-restrictions for years, just today added forbid_unauth for
> > good measure.
> > 
> > Looking through logs I see:
> 
> A lot of crap on the Internet, thanks for confirming that!

Indeed, many instances of "improper command pipelining after CONNECT" in
my logs, some early talkers, but mostly HTTP or TLS Client Hello.
This even includes "shodan" looking for implicit TLS on port 25 for no
good reason:

    improper command pipelining after CONNECT
        from burger.census.shodan.io[66.240.219.146]: \026\003\001\000j...

But, on December 6th, my logs have a somewhat more interesting
example, with 14 instances of:

    connect from unknown[14.116.39.58]
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]:
        550 5.7.1 Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<vvw...@imrryr.org> to=<huojh2...@gmail.com>
        proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]:
        550 5.7.1 Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<g...@imrryr.org> to=<huojh2...@gmail.com>
        proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]:
        550 5.7.1 Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<qq...@imrryr.org> to=<huojh2...@gmail.com>
        proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]:
        550 5.7.1 Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<a...@imrryr.org> to=<huojh2...@gmail.com>
        proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]:
        550 5.7.1 Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<pp...@imrryr.org> to=<huojh2...@gmail.com>
        proto=ESMTP helo=<huo>
    NOQUEUE: reject: RCPT from unknown[14.116.39.58]:
        550 5.7.1 Client host rejected: cannot find your reverse hostname,
        [14.116.39.58]; from=<uuu...@imrryr.org> to=<huojh2...@gmail.com>
        proto=ESMTP helo=<huo>
    improper command pipelining after DATA from unknown[14.116.39.58]:
        RSET\r\nMAIL FROM:<nn...@imrryr.org>\r\nRCPT TO:<huojh2...@gmail.com>
        \r\nDATA\r\nRSET\r\nMAIL FROM:<gghh@imrry
    disconnect from unknown[14.116.39.58] ehlo=1 mail=6 rcpt=0/6 data=0/6 rset=6 commands=13/25

Each one with 7 attempted transactions, in which the 7th arrives
back-to-back with the sixth.  This particular dictionary attack "probe"
sends "DATA", but never intends to actually send a message body.  If one
of the recipients succeeds, the rest of the attempts would be message
payload...

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
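The log excerpt above shows two distinct things a Postfix operator can pick out of smtpd logs: early talkers (data before the banner, logged as "improper command pipelining after CONNECT") and a pipelined dictionary probe whose "disconnect" summary ends with rcpt=0/6 data=0/6. The following script is an added example, not code from the thread or from Postfix; it parses constructed log lines modelled on the quoted messages (hosts and addresses are documentation-range values, not the IPs from the thread), keys sessions by smtpd PID and client IP, and classifies each session from the pipelining stage and the disconnect counters. The threshold `min_rcpt=3` and the class names are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the Postfix smtpd messages quoted in the
# thread. Hosts, IPs and addresses are example values chosen for this demo.
SAMPLE_LOG = r"""
Dec  6 10:01:02 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Dec  6 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<aa@example.org> to=<target@example.com> proto=ESMTP helo=<huo>
Dec  6 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<bb@example.org> to=<target@example.com> proto=ESMTP helo=<huo>
Dec  6 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<cc@example.org> to=<target@example.com> proto=ESMTP helo=<huo>
Dec  6 10:01:03 mx postfix/smtpd[1234]: improper command pipelining after DATA from unknown[192.0.2.10]: RSET\r\nMAIL FROM:<dd@example.org>\r\nRCPT TO:<target@example.com>\r\nDATA\r\n
Dec  6 10:01:03 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.10] ehlo=1 mail=3 rcpt=0/3 data=0/3 rset=3 commands=7/13
Dec  6 10:02:00 mx postfix/smtpd[1235]: connect from mail.example.net[198.51.100.5]
Dec  6 10:02:01 mx postfix/smtpd[1235]: disconnect from mail.example.net[198.51.100.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec  6 10:03:00 mx postfix/smtpd[1236]: improper command pipelining after CONNECT from scanner.example.net[203.0.113.7]: \026\003\001\000j
Dec  6 10:03:00 mx postfix/smtpd[1236]: disconnect from scanner.example.net[203.0.113.7] commands=0/0
"""

# The first " from host[ip]" on a line identifies the client; the smtpd PID
# separates concurrent sessions from the same address.
PID_IP_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: .*? from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]")
PIPELINING_RE = re.compile(r"improper command pipelining after (?P<stage>\w+) from")
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from")
DISCONNECT_RE = re.compile(r"disconnect from \S+\[[^\]]+\] (?P<counters>.*)$")
# Postfix logs "name=accepted/attempted" when some commands failed, "name=n"
# when all succeeded.
COUNTER_RE = re.compile(r"(?P<name>\w+)=(?P<ok>\d+)(?:/(?P<tried>\d+))?")


@dataclass
class Session:
    pid: str
    ip: str
    rcpt_rejects: int = 0                                   # NOQUEUE RCPT rejects seen
    pipelining_stages: list = field(default_factory=list)   # e.g. ["CONNECT"], ["DATA"]
    counters: dict = field(default_factory=dict)            # name -> (accepted, attempted)


def parse_counters(text):
    """Turn 'ehlo=1 rcpt=0/6 data=0/6' into {'ehlo': (1, 1), 'rcpt': (0, 6), ...}."""
    return {m["name"]: (int(m["ok"]), int(m["tried"] or m["ok"]))
            for m in COUNTER_RE.finditer(text)}


def analyze(log_text):
    """Group smtpd log lines into sessions keyed by (pid, client ip)."""
    sessions = {}
    for line in log_text.strip().splitlines():
        m = PID_IP_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault((m["pid"], m["ip"]), Session(pid=m["pid"], ip=m["ip"]))
        if REJECT_RE.search(line):
            s.rcpt_rejects += 1
        p = PIPELINING_RE.search(line)
        if p:
            s.pipelining_stages.append(p["stage"])
        d = DISCONNECT_RE.search(line)
        if d:
            s.counters = parse_counters(d["counters"])
    return sessions


def classify(s, min_rcpt=3):
    """Label a session using the pipelining stage and the disconnect counters.

    Threshold and label names are this example's own choices.
    """
    rcpt_ok, rcpt_tried = s.counters.get("rcpt", (0, 0))
    if "CONNECT" in s.pipelining_stages and rcpt_tried == 0:
        return "early-talker"        # data before the banner: HTTP, TLS hello, scanner
    if s.pipelining_stages and rcpt_ok == 0 and rcpt_tried >= min_rcpt:
        return "dictionary-probe"    # many RCPTs, none accepted, commands pipelined
    if s.pipelining_stages:
        return "pipelining"
    return "normal"


def report(log_text):
    """One (ip, label, rcpt rejects, pipelining stages) row per session."""
    return [(s.ip, classify(s), s.rcpt_rejects, s.pipelining_stages)
            for s in analyze(log_text).values()]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```

Run against a real mail log, the interesting rows are the "dictionary-probe" ones: the client tried several recipients, had none accepted, and pipelined RSET/MAIL/RCPT/DATA without waiting for replies, which is exactly the shape of the December 6th sessions in the post. The "early-talker" rows are the noise Wietse refers to and need no follow-up beyond confirming that reject_unauth_pipelining or smtpd_forbid_unauth_pipelining is in effect.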