Recently, I've noticed a lot of repeated connections, like this:

Jul 29 20:26:06 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]
Sometimes I manage to catch the spambot in the act, and set up tshark to dump the traffic:

44.048894 5.9.72.151 -> 175.101.8.162 SMTP 102 S: 220 smtp.jernurt.dk ESMTP Postfix (Debian/GNU)
44.636765 175.101.8.162 -> 5.9.72.151 SMTP 65 C: EHLO USER
44.636789 5.9.72.151 -> 175.101.8.162 TCP 54 smtp > 53818 [ACK] Seq=49 Ack=12 Win=14720 Len=0
44.636893 5.9.72.151 -> 175.101.8.162 SMTP 192 S: 250-smtp.jernurt.dk | 250-PIPELINING | 250-SIZE 10240000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
45.293030 175.101.8.162 -> 5.9.72.151 SMTP 66 C: AUTH LOGIN
45.293114 5.9.72.151 -> 175.101.8.162 SMTP 99 S: 503 5.5.1 Error: authentication not enabled
45.906139 175.101.8.162 -> 5.9.72.151 SMTP 76 C: YmxvZy53ZWdnZS5kaw==
45.906224 5.9.72.151 -> 175.101.8.162 SMTP 95 S: 502 5.5.2 Error: command not recognized
46.535497 175.101.8.162 -> 5.9.72.151 SMTP 68 C: c2VydmljZQ==
46.535579 5.9.72.151 -> 175.101.8.162 SMTP 95 S: 502 5.5.2 Error: command not recognized

I hope this will be readable, even for people not familiar with tshark output.

My analysis is that the remote system is making a dictionary attack, to try and see if it's possible to relay mail through my server that way. Unfortunately (for the spammer), postfix is configured with smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info can grow rather large, so I would like to have a sure-fire trigger in the log that I can use to put an iptables block in place with fail2ban.

So my question is: Is it possible to get a log entry for remote systems that try to do AUTH without having issued STARTTLS first?

--
//Wegge
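
The following is an added example, not part of the original post or its replies. It does two things with the material quoted above: it decodes the two base64 blobs the client sent after AUTH LOGIN (an AUTH LOGIN client sends the username and then the password base64-encoded, so the capture already shows which credential pair was tried), and it runs a fail2ban-style match for the one trigger that is already present in mail.info, the "lost connection after UNKNOWN" line, with a per-IP threshold. The extra log lines for 175.101.8.162 and the host 192.0.2.10 are constructed for the example; the threshold of 3 is an assumption. Because a connect-and-drop from any client, including a harmless probe, produces the same "after UNKNOWN" line, a threshold rather than a single hit is what keeps the ban from firing on noise.

```python
import base64
import binascii
import re
from collections import Counter

# Postfix smtpd log lines in the format quoted in the post. The first three
# are the ones from the post; the remaining lines are constructed to show a
# repeat offender and a host that stays under the threshold.
SAMPLE_LOG = """\
Jul 29 20:26:06 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]
Jul 29 20:27:11 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:27:14 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:27:14 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]
Jul 29 20:28:00 rollo postfix/smtpd[21290]: connect from mail.example.net[192.0.2.10]
Jul 29 20:28:01 rollo postfix/smtpd[21290]: lost connection after UNKNOWN from mail.example.net[192.0.2.10]
Jul 29 20:28:01 rollo postfix/smtpd[21290]: disconnect from mail.example.net[192.0.2.10]
Jul 29 20:29:00 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:29:03 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:29:03 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]
"""

# Client side of the tshark summary from the post (constructed excerpt: the
# server replies between the client lines are omitted except for the 503).
SAMPLE_CAPTURE = """\
44.636765 175.101.8.162 -> 5.9.72.151 SMTP 65 C: EHLO USER
45.293030 175.101.8.162 -> 5.9.72.151 SMTP 66 C: AUTH LOGIN
45.293114 5.9.72.151 -> 175.101.8.162 SMTP 99 S: 503 5.5.1 Error: authentication not enabled
45.906139 175.101.8.162 -> 5.9.72.151 SMTP 76 C: YmxvZy53ZWdnZS5kaw==
46.535497 175.101.8.162 -> 5.9.72.151 SMTP 68 C: c2VydmljZQ==
"""

# Python form of a fail2ban failregex for the trigger already in the log.
# In a fail2ban filter the named group would be written as <HOST>.
LOST_AFTER_UNKNOWN = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after UNKNOWN from "
    r"\S+\[(?P<host>[0-9a-fA-F.:]+)\]$"
)

# Client lines in tshark's SMTP summary look like "SMTP <len> C: <text>".
CLIENT_LINE = re.compile(r"SMTP \d+ C: (.+)$")


def count_unknown_disconnects(log_text):
    """Count 'lost connection after UNKNOWN' events per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOST_AFTER_UNKNOWN.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=3):
    """IPs that reached the (assumed) fail2ban maxretry threshold, sorted."""
    counts = count_unknown_disconnects(log_text)
    return sorted(h for h, n in counts.items() if n >= maxretry)


def decode_auth_login(tokens):
    """Decode AUTH LOGIN blobs; None for a token that is not valid base64."""
    out = []
    for t in tokens:
        try:
            out.append(base64.b64decode(t, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            out.append(None)
    return out


def extract_auth_login_attempts(capture_text):
    """Return (username, password) pairs: the two client lines after each AUTH LOGIN."""
    attempts = []
    pending = None  # collects the two blobs that follow an AUTH LOGIN
    for line in capture_text.splitlines():
        m = CLIENT_LINE.search(line)
        if not m:
            continue  # server lines and the TCP ACK are skipped
        cmd = m.group(1).strip()
        if cmd.upper() == "AUTH LOGIN":
            pending = []
            continue
        if pending is not None:
            pending.append(cmd)
            if len(pending) == 2:  # username, then password
                attempts.append(tuple(decode_auth_login(pending)))
                pending = None
    return attempts


if __name__ == "__main__":
    print("AUTH LOGIN attempts:", extract_auth_login_attempts(SAMPLE_CAPTURE))
    print("per-IP counts:", dict(count_unknown_disconnects(SAMPLE_LOG)))
    print("ban:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

Running the block on the sample data decodes the two blobs to the username "blog.wegge.dk" and the password "service", and bans only 175.101.8.162, which hit the "after UNKNOWN" line three times, while 192.0.2.10 with a single occurrence is left alone.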
