A friend and I experienced this in October last year.

I believe these SYNs have forged source addresses.  The objectives being one or
more of:
- a DoS attack on the legit owner of the IP,
- create a state table size issue for you,
- to have you block legitimate sources.
The last of these certainly happened here.
 
I set up a fail2ban rule to pick these up and, after one day,
nearly 9,500 sources had been blocked at the firewall.
However, the pf table included addresses that belonged to the likes of
MessageLabs.
I dropped the rule and unbanned them after realizing that.

Better not to block them and live with the log spam.

I should mention that my pf firewall is a separate system in front of my postfix
server and postfix never saw any of these bogus connections.
Eventually, I also turned off logging of TCP/25 connections at the firewall.

Phil


Wednesday, February 26, 2020, 9:54:31 PM, you wrote:

> My Postfix log is full of repeated connections and disconnections from the
> same machine:

> Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
> Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
> Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known

> This repeats over and over (I already blocked this IP on firewall). I wonder
> what this attacker(?) is trying to do - the client doesn't attempt AUTH or
> anything (it would be logged). It just connects and disconnects. And so on
> and on...



-- 
Best regards,
Phil Biggs
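The quoted message describes a client that repeatedly connects to smtpd and disconnects without issuing AUTH or anything else. As an added example that is not part of this thread, the script below counts such empty sessions per client IP from Postfix smtpd log lines, so the pattern can be reviewed before anything is fed to a firewall. The log lines are constructed (modelled on the ones quoted above plus an authenticated session from the documentation address 192.0.2.10); the function names and the threshold are my own choices.

```python
"""Count empty smtpd sessions (connect followed by disconnect with no other
activity) per client IP in Postfix log lines."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
Feb 26 11:44:10 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:44:21 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:45:00 rafa postfix/submission/smtpd[13830]: connect from mail.example.net[192.0.2.10]
Feb 26 11:45:01 rafa postfix/submission/smtpd[13830]: 2A1B3C: client=mail.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Feb 26 11:45:02 rafa postfix/submission/smtpd[13830]: disconnect from mail.example.net[192.0.2.10]
"""

# smtpd may log as postfix/smtpd or postfix/<service>/smtpd; the pid identifies the session.
SMTPD_RE = re.compile(r"postfix/(?:\S+/)?smtpd\[(\d+)\]: (.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[([^\]]+)\]")
CLOSE_RE = re.compile(r"^(?:disconnect from|lost connection after \S+ from) \S+\[([^\]]+)\]")


def session_stats(lines):
    """Return {client_ip: (total_sessions, empty_sessions)}.

    A session runs from 'connect from' to 'disconnect from' (or 'lost
    connection ...') logged by one smtpd process.  It is empty when that
    process logged nothing else in between; 'warning:' lines are ignored
    because Postfix emits them for DNS problems, not for client commands.
    """
    open_sessions = {}                    # pid -> [client_ip, saw_activity]
    stats = defaultdict(lambda: [0, 0])   # ip  -> [total, empty]
    for line in lines:
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = [c.group(1), False]
            continue
        d = CLOSE_RE.match(msg)
        if d:
            sess = open_sessions.pop(pid, None)
            if sess is None:
                continue          # log started mid-session; nothing to count
            ip, active = sess
            stats[ip][0] += 1
            if not active:
                stats[ip][1] += 1
            continue
        if pid in open_sessions and not msg.startswith("warning:"):
            open_sessions[pid][1] = True   # client did something (AUTH, mail, ...)
    return {ip: tuple(v) for ip, v in stats.items()}


def flag_idle_clients(stats, min_sessions=5):
    """IPs whose every session was empty and that reconnected at least
    min_sessions times (threshold is an arbitrary choice for this example)."""
    return sorted(ip for ip, (total, empty) in stats.items()
                  if total >= min_sessions and empty == total)


if __name__ == "__main__":
    stats = session_stats(SAMPLE_LOG.splitlines())
    for ip, (total, empty) in sorted(stats.items()):
        print(f"{ip}: {total} sessions, {empty} empty")
    print("review:", flag_idle_clients(stats, min_sessions=2))
```

Run it against a real mail log with `session_stats(open("/var/log/mail.log"))`. Note what it does and does not see: a connect/disconnect pair in smtpd's log means the TCP handshake completed, so forged-source SYNs of the kind Phil describes never reach this counter; they show up only at the firewall. The output is a review list rather than a ban list, which is the lesson of the MessageLabs entries above: check who a flagged address belongs to before blocking it.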
