Hi all,

It's postfix 3.1.6-0+deb9u1 on Debian 9.

Since enabling STARTTLS on port 25 I'm getting lots of traffic looking like this (relay attempts?):

Sep  6 09:17:42 localhost postfix/smtpd[14622]: connect from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: setting up TLS connection from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: unknown[77.247.110.240]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Sep  6 09:17:42 localhost postfix/smtpd[14622]: unknown[77.247.110.240]: Issuing session ticket, key expiration: 1630916885
Sep  6 09:17:42 localhost postfix/smtpd[14622]: Anonymous TLS connection established from unknown[77.247.110.240]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  6 09:17:42 localhost postfix/smtpd[14622]: lost connection after AUTH from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep  6 09:17:42 localhost postfix/smtpd[14592]: connect from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14592]: setting up TLS connection from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14592]: unknown[77.247.110.240]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"

grep 77.247.110.240 /var/log/mail.log | wc -l
16735

It's a different IP (or set of IPs) every day, so banning them manually is not going to work well.

I've tried fail2ban, but the postfix and postfix-rbl jails seem to be based on server error codes which are not produced here, e.g.:

cat /etc/fail2ban/filter.d/postfix.conf
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier

Any idea how to effectively ban these abusers?

Thanks,
Adam
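The log excerpt above does carry a usable signal even without a reject code: each session ends with a "disconnect" summary whose `auth=0/1` field means one AUTH command was issued and none succeeded, preceded by a "lost connection after AUTH" line. The following Python script is an added example (not from Adam's post or from the fail2ban project) that parses such lines, tallies failed AUTH commands per client IP, and returns the clients over a threshold. The sample log text is constructed to match the shape of the excerpt (it reuses the IP from the post plus a documentation address, 192.0.2.10, for a legitimate session); the regular expressions and the `maxretry` default are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines in the post. The abusive client
# abandons two sessions after a failed AUTH; the second client delivers mail normally
# and has no auth= field at all in its summary.
SAMPLE_LOG = """\
Sep  6 09:17:42 localhost postfix/smtpd[14622]: connect from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: lost connection after AUTH from unknown[77.247.110.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep  6 09:17:43 localhost postfix/smtpd[14592]: lost connection after AUTH from unknown[77.247.110.240]
Sep  6 09:17:43 localhost postfix/smtpd[14592]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep  6 09:18:01 localhost postfix/smtpd[14700]: connect from mail.example.invalid[192.0.2.10]
Sep  6 09:18:02 localhost postfix/smtpd[14700]: disconnect from mail.example.invalid[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS host postfix/smtpd[pid]: ". The daemon part
# mirrors the _daemon pattern from the stock fail2ban filter quoted in the post.
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix(?:-\w+)?/(?:submission/|smtps/)?smtpd\[\d+\]: "

# Session summary: "disconnect from name[ip] ehlo=2 starttls=1 auth=0/1 commands=3/4".
DISCONNECT = re.compile(PREFIX + r"disconnect from \S+\[(?P<host>[^\]]+)\](?P<counters>.*)$")
# Postfix writes "auth=ok/total" when some commands failed and a bare "auth=N" when all succeeded.
AUTH_FIELD = re.compile(r"\bauth=(?P<ok>\d+)(?:/(?P<total>\d+))?\b")

# Secondary signal from the same excerpt: the client dropped the connection mid-AUTH.
LOST_AFTER_AUTH = re.compile(PREFIX + r"lost connection after AUTH from \S+\[(?P<host>[^\]]+)\]$")


def failed_auth_per_client(log_text):
    """Count failed AUTH commands per client IP from the per-session disconnect summaries."""
    failed = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT.match(line)
        if not m:
            continue
        a = AUTH_FIELD.search(m.group("counters"))
        if not a or a.group("total") is None:
            continue  # no AUTH issued, or every AUTH succeeded: nothing to count
        failed[m.group("host")] += int(a.group("total")) - int(a.group("ok"))
    return failed


def lost_after_auth_per_client(log_text):
    """Count 'lost connection after AUTH' events per client IP."""
    lost = Counter()
    for line in log_text.splitlines():
        m = LOST_AFTER_AUTH.match(line)
        if m:
            lost[m.group("host")] += 1
    return lost


def clients_to_ban(log_text, maxretry=2):
    """Return the sorted list of client IPs with at least `maxretry` failed AUTH commands."""
    return sorted(ip for ip, n in failed_auth_per_client(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for ip, n in failed_auth_per_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed AUTH, {lost_after_auth_per_client(SAMPLE_LOG)[ip]} lost after AUTH")
    print("ban:", clients_to_ban(SAMPLE_LOG))
```

The counting here deliberately keys on the `auth=ok/total` field rather than on a TLS or reject message, because in the post's traffic every session is accepted at the protocol level and only the AUTH exchange fails. The same two patterns, with `<HOST>` substituted for the `(?P<host>...)` group and `%(__prefix_line)s` for `PREFIX`, are the shape a custom fail2ban `failregex` for this traffic would take, so a run of this script against `/var/log/mail.log` is a cheap way to confirm the expressions match real lines before putting them into a jail.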
