On 27.02.20 08:09, Phil Biggs wrote:
> A friend and I experienced this in October last year.
>
> I believe these SYNs have forged source addresses. The objectives being one or
> more of:
> - a DOS attack on the legit owner of the IP,
> - create a state table size issue for you,
> - to have you block legitimate sources.
> The last of these certainly happened here.

per my last e-mail...
https://marc.info/?l=postfix-users&m=158272022625515&w=2

A SYN with a forged address cannot cause this kind of error. This error
requires that a connection be made (until then Postfix does not know about it)
and then closed. Thus it requires SYN - SYN+ACK - ACK, which does not work with
a forged address.

> I set up a fail2ban rule to pick these up and, after one day,
> nearly 9,500 sources had been blocked at the firewall.
> However, the pf table included addresses that belonged to the likes of
> MessageLabs.
> I dropped the rule and unbanned them after realizing that.

It's more likely that MessageLabs scans the internet for open relays and
mail server features to gather statistics about the internet.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
