
Re: large amounts of disconnects

  • Michael Wang
    Message 1 of 10, Jan 1, 2007
      Roman Novak - roman.novak@... wrote:
      > Hello.
      >
      > In the last 2 weeks I am noticing enormous amounts of strange connections
      > to mail server from all over the world. An example from logs:
      >
      > Jan 1 13:09:03 mercury postfix/smtpd[22974]: connect from
      > 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
      > Jan 1 13:09:03 mercury postfix/smtpd[22974]: lost connection after EHLO
      > from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
      > Jan 1 13:09:03 mercury postfix/smtpd[22974]: disconnect from
      > 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
      >
      >
      > Transcript of session follows.
      >
      > Out: 220 mercury.mydomain.net ESMTP something
      > In: EHLO
      > Out: 501 Syntax: EHLO hostname
      >
      > Session aborted, reason: lost connection

      Do you have reject_invalid_helo_hostname or reject_invalid_hostname
      somewhere in your main.cf file?


      --
      Michael Wang
    • Roman Novak - roman.novak@iskrasistemi.si
      Message 2 of 10, Jan 1, 2007
        Michael Wang wrote:
        > Roman Novak wrote:
        >> Hello.
        >>
        >> In the last 2 weeks I am noticing enormous amounts of strange
        >> connections to mail server from all over the world. An example from
        >> logs:
        >>
        >> Jan 1 13:09:03 mercury postfix/smtpd[22974]: connect from
        >> 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
        >> Jan 1 13:09:03 mercury postfix/smtpd[22974]: lost connection after
        >> EHLO from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
        >> Jan 1 13:09:03 mercury postfix/smtpd[22974]: disconnect from
        >> 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
        >>
        >>
        >> Transcript of session follows.
        >>
        >> Out: 220 mercury.mydomain.net ESMTP something
        >> In: EHLO
        >> Out: 501 Syntax: EHLO hostname
        >>
        >> Session aborted, reason: lost connection
        >
        > Do you have reject_invalid_helo_hostname or reject_invalid_hostname
        > somewhere in your main.cf file?

        No, I don't have these parameters in main.cf

        Roman
      • Roman Novak - roman.novak@iskrasistemi.si
        Message 3 of 10, Jan 1, 2007
          Michael Wang wrote:
          > Roman Novak - roman.novak@... wrote:
          >> Michael Wang wrote:
          >>> Roman Novak wrote:
          >>>> Transcript of session follows.
          >>>>
          >>>> Out: 220 mercury.mydomain.net ESMTP something
          >>>> In: EHLO
          >>>> Out: 501 Syntax: EHLO hostname
          >>>>
          >>>> Session aborted, reason: lost connection
          >>>
          >>> Do you have reject_invalid_helo_hostname or reject_invalid_hostname
          >>> somewhere in your main.cf file?
          >>
          >> No, I don't have these parameters in main.cf
          >
          > Show us your postconf -n output.
          >

          [root@mercury ~]# postconf -n

          alias_database = hash:/etc/postfix/aliases
          alias_maps = hash:/etc/postfix/aliases
          bounce_queue_lifetime = 4h
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          content_filter = smtp-amavis:[127.0.0.1]:10024
          daemon_directory = /usr/libexec/postfix
          debug_peer_level = 2
          default_destination_concurrency_limit = 10
          html_directory = no
          inet_interfaces = all
          local_destination_concurrency_limit = 2
          mail_owner = postfix
          mail_spool_directory = /var/spool/mail
          mailbox_size_limit = 0
          mailq_path = /usr/bin/mailq.postfix
          manpage_directory = /usr/share/man
          maximal_queue_lifetime = 4h
          message_size_limit = 31457280
          mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, www.$mydomain
          mydomain = mydomain.net
          myhostname = mercury.mydomain.net
          mynetworks = 127.0.0.1, 127.0.0.0/8, 172.2.0.0/16,
          newaliases_path = /usr/bin/newaliases.postfix
          notify_classes = delay, protocol, resource, software
          queue_directory = /var/spool/postfix
          readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
          relay_domains = $mydestination, $mynetworks
          sample_directory = /usr/share/doc/postfix-2.2.10/samples
          sender_canonical_maps = hash:/etc/postfix/sender_canonical
          sendmail_path = /usr/sbin/sendmail.postfix
          setgid_group = postdrop
          smtpd_banner = $myhostname ESMTP something
          smtpd_recipient_restrictions = permit_mynetworks,reject_non_fqdn_recipient, reject_rbl_client relays.ordb.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client zombie.dnsbl.sorbs.net, check_client_access hash:/etc/postfix/pop-before-smtp, reject_unauth_destination
          unknown_local_recipient_reject_code = 550
        • Tony Earnshaw
          Message 4 of 10, Jan 1, 2007
            Roman Novak - roman.novak@... wrote:

            > In the last 2 weeks I am noticing enormous amounts of strange connections
            > to mail server from all over the world. An example from logs:
            >
            > Jan 1 13:09:03 mercury postfix/smtpd[22974]: connect from
            > 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
            > Jan 1 13:09:03 mercury postfix/smtpd[22974]: lost connection after EHLO
            > from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
            > Jan 1 13:09:03 mercury postfix/smtpd[22974]: disconnect from
            > 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
            >
            >
            > Transcript of session follows.
            >
            > Out: 220 mercury.mydomain.net ESMTP something
            > In: EHLO
            > Out: 501 Syntax: EHLO hostname
            >
            > Session aborted, reason: lost connection
            >
            >
            > Right now it is just filling my logs, but the amount is 2-3 times larger
            > than normal volume of spam probes.
            >
            > Is anybody else getting this?

            Not the volume you describe, but we do get that occasionally. We turn
            away (refuse subnets) 3-400 bots a day. We analyzed the OSes on the
            machines connecting to port 25 on our MTA using p0f and they are around
            95% Windows XP/2000. I read the transactions regularly and it's obvious
            that there are a number of different spammer software versions knocking
            around - which do different things.

            > Is this some new spam/malware going around and probing mail servers or
            > can this be some mis-configuration or performance problem?

            Looks like broken bot software to me. Spammer grandi rent out subnets of
            bots and mugs install their own spammer software on them - that could be
            subnets and bots anywhere in the world. rima-tde.net is one of the ISPs
            we block completely.

            --Tonni

            --
            Tony Earnshaw
            Email: tonni at hetnet.nl
          • Michael Wang
            Message 5 of 10, Jan 1, 2007
              Roman Novak - roman.novak@... wrote:
              >>> Transcript of session follows.
              >>>
              >>> Out: 220 mercury.mydomain.net ESMTP something
              >>> In: EHLO
              >>> Out: 501 Syntax: EHLO hostname
              >>>
              >>> Session aborted, reason: lost connection
              >>
              >> Do you have reject_invalid_helo_hostname or reject_invalid_hostname
              >> somewhere in your main.cf file?
              >
              > No, I don't have these parameters in main.cf

              Never mind that, I was misinterpreting the docs.

              Peter Matulis mentioned the same problem in a thread from a few days ago
              titled "double-bounce problem" so like Tony said (and Peter said in the
              earlier thread) it's probably a broken spambot.


              --
              Michael Wang
            • Len Conrad
              Message 6 of 10, Jan 1, 2007
                >In the last 2 weeks I am noticing enormous amounts of strange
                >connections to mail server from all over the world. An example from logs:

                "lost connection after" is perfectly normal for us. eg, for Sunday:

                mx1# zegrep ": lost connection after " /var/log/maillog.[0].gz | awk
                '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
                394391 RCPT
                129629 EHLO
                68807 CONNECT
                2599 HELO
                1820 DATA
                1687 MAIL
                519 RSET
                102 NOOP
                24 UNKNOWN
                1 VRFY
                1 QUIT

                and for a weekday last week:

                mx1# zegrep ": lost connection after " /var/log/maillog.[5].gz | awk
                '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
                818589 RCPT
                114880 CONNECT
                100362 EHLO
                2783 DATA
                2195 HELO
                2182 MAIL
                522 RSET
                159 NOOP
                23 UNKNOWN
                2 VRFY
                1 QUIT

                and for the 5.gz day:

                mx1# zegrep -ic ": connect from" /var/log/maillog.[5].gz
                2906441

                mx1# zegrep -ic ": disconnect from" /var/log/maillog.[5].gz
                2899136

                Len
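Len's pipeline pulls the SMTP stage out of a fixed awk field ($9), which holds for the stock syslog layout but silently breaks if the log prefix gains or loses a field. As an added example that is not part of Len's post or of Postfix itself, the script below does the same tally anchored on the "lost connection after" phrase, adds a per-client breakdown so the hosts behind the EHLO disconnects can be picked out for blocking, and compares "connect from" with "disconnect from" counts the way Len's last two commands do. The log lines are constructed sample input and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from Len's post or the Postfix distribution): tally Postfix
# smtpd "lost connection after <STAGE>" log lines by SMTP stage and by client
# address, and compare connect/disconnect counts, using only POSIX sh + awk.
# Function names are hypothetical. The log below is constructed sample input.

SAMPLE_LOG=$(cat <<'EOF'
Jan  1 13:09:03 mercury postfix/smtpd[22974]: connect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:09:03 mercury postfix/smtpd[22974]: lost connection after EHLO from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:09:03 mercury postfix/smtpd[22974]: disconnect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:09:10 mercury postfix/smtpd[22975]: connect from unknown[192.0.2.9]
Jan  1 13:09:11 mercury postfix/smtpd[22975]: lost connection after RCPT from unknown[192.0.2.9]
Jan  1 13:09:11 mercury postfix/smtpd[22975]: disconnect from unknown[192.0.2.9]
Jan  1 13:09:20 mercury postfix/smtpd[22974]: connect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:09:20 mercury postfix/smtpd[22974]: lost connection after EHLO from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:09:20 mercury postfix/smtpd[22974]: disconnect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:09:30 mercury postfix/smtpd[22976]: connect from mail.example.org[198.51.100.7]
Jan  1 13:09:31 mercury postfix/smtpd[22976]: disconnect from mail.example.org[198.51.100.7]
Jan  1 13:09:40 mercury postfix/smtpd[22975]: connect from unknown[192.0.2.9]
Jan  1 13:09:41 mercury postfix/smtpd[22975]: lost connection after RCPT from unknown[192.0.2.9]
Jan  1 13:09:41 mercury postfix/smtpd[22975]: disconnect from unknown[192.0.2.9]
Jan  1 13:09:50 mercury postfix/smtpd[22975]: connect from unknown[192.0.2.9]
Jan  1 13:09:50 mercury postfix/smtpd[22975]: lost connection after CONNECT from unknown[192.0.2.9]
Jan  1 13:09:50 mercury postfix/smtpd[22975]: disconnect from unknown[192.0.2.9]
Jan  1 13:10:00 mercury postfix/smtpd[22974]: connect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:10:00 mercury postfix/smtpd[22974]: lost connection after EHLO from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:10:00 mercury postfix/smtpd[22974]: disconnect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:10:10 mercury postfix/smtpd[22974]: connect from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
Jan  1 13:10:10 mercury postfix/smtpd[22974]: lost connection after EHLO from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
EOF
)

# Count lost connections per SMTP stage: the token right after "lost connection
# after". Locating the phrase instead of printing a fixed field number keeps the
# tally correct if the syslog prefix changes shape.
lost_by_stage() {
  awk '/: lost connection after / {
         for (i = 2; i < NF; i++)
           if ($(i-1) == "connection" && $i == "after") { stage[$(i+1)]++; break }
       }
       END { for (s in stage) printf "%d %s\n", stage[s], s }' | sort -rn
}

# Count lost connections per client IP, taken from the bracketed address that
# ends every smtpd client log line (name[ip]).
lost_by_client() {
  awk '/: lost connection after / {
         ip = $NF; sub(/.*\[/, "", ip); sub(/\].*/, "", ip); client[ip]++
       }
       END { for (c in client) printf "%d %s\n", client[c], c }' | sort -rn
}

# Compare "connect from" with "disconnect from". A small gap is sessions still
# open at rotation time; a large one points at stalled smtpd processes.
session_balance() {
  awk '/: connect from / { c++ }
       /: disconnect from / { d++ }
       END { printf "%d connects, %d disconnects, %d open\n", c, d, c - d }'
}

printf '%s\n' "$SAMPLE_LOG" | lost_by_stage
printf '%s\n' "$SAMPLE_LOG" | lost_by_client
printf '%s\n' "$SAMPLE_LOG" | session_balance
```

On a real box, feed a rotated log instead of the sample: `zcat /var/log/maillog.0.gz | lost_by_client | head` gives the addresses to compare against the dynamic-IP ranges Tony refuses.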
              • Tony Earnshaw
                Message 7 of 10, Jan 1, 2007
                  Len Conrad wrote:

                  >> In the last 2 weeks I am noticing enormous amounts of strange connections
                  >> to mail server from all over the world. An example from logs:
                  >
                  > "lost connection after" is perfectly normal for us. eg, for Sunday:
                  >
                  > mx1# zegrep ": lost connection after " /var/log/maillog.[0].gz | awk
                  > '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
                  > 394391 RCPT
                  > 129629 EHLO
                  > 68807 CONNECT
                  > 2599 HELO
                  > 1820 DATA
                  > 1687 MAIL
                  > 519 RSET
                  > 102 NOOP
                  > 24 UNKNOWN
                  > 1 VRFY
                  > 1 QUIT
                  >
                  > and for a weekday last week:
                  >
                  > mx1# zegrep ": lost connection after " /var/log/maillog.[5].gz | awk
                  > '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
                  > 818589 RCPT
                  > 114880 CONNECT
                  > 100362 EHLO
                  > 2783 DATA
                  > 2195 HELO
                  > 2182 MAIL
                  > 522 RSET
                  > 159 NOOP
                  > 23 UNKNOWN
                  > 2 VRFY
                  > 1 QUIT
                  >
                  > and for the 5.gz day:
                  >
                  > mx1# zegrep -ic ": connect from" /var/log/maillog.[5].gz
                  > 2906441
                  >
                  > mx1# zegrep -ic ": disconnect from" /var/log/maillog.[5].gz
                  > 2899136

                  In fact, OP's transaction specifically showed the MTA objecting to the
                  client issuing a HELO without data, after which OP's server (quite
                  rightly) gave a syntax error after the client went on to give a MAIL FROM:

                  The bot software was left in confusion and borked.

                  It isn't so much a "lost connection" problem as a specific b0rked bot
                  HELO problem.

                  --Tonni

                  --
                  Tony Earnshaw
                  Email: tonni at hetnet.nl
                • Peter Matulis
                  Message 8 of 10, Jan 1, 2007
                    --- "Roman Novak - roman.novak@..."
                    <roman.novak@...> wrote:

                    >
                    > Michael Wang wrote:
                    > > Roman Novak - roman.novak@... wrote:
                    > >> Michael Wang wrote:
                    > >>> Roman Novak wrote:
                    > >>>> Transcript of session follows.
                    > >>>>
                    > >>>> Out: 220 mercury.mydomain.net ESMTP something
                    > >>>> In: EHLO
                    > >>>> Out: 501 Syntax: EHLO hostname
                    > >>>>
                    > >>>> Session aborted, reason: lost connection
                    > >>>
                    > >>> Do you have reject_invalid_helo_hostname or
                    > reject_invalid_hostname
                    > >>> somewhere in your main.cf file?
                    > >>
                    > >> No, I don't have these parameters in main.cf
                    > >
                    > > Show us your postconf -n output.
                    > >
                    >
                    > [root@mercury ~]# postconf -n

                    [...]

                    > notify_classes = delay, protocol, resource, software


                    Remove 'protocol' from the above setting.

                    From the docs:

                    protocol
                    Send the postmaster a transcript of the SMTP session in case of client
                    or server protocol errors.

                    The bot is committing a protocol error.

                    Peter

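As an added example (not from Peter's post, Michael's, or the Postfix distribution), the script below checks a `postconf -n` dump for the two settings raised in this thread: whether notify_classes still lists protocol, which is what mails the postmaster a transcript for every bot that sends a bare EHLO, and whether any smtpd_*_restrictions list carries a HELO hostname check (reject_invalid_helo_hostname, or its older name reject_invalid_hostname on the OP's Postfix 2.2). Both dumps are constructed: the first mirrors the OP's notify_classes line, the second is an assumed hardened form with protocol removed and a HELO restriction added. Function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread or the Postfix distribution): audit a
# `postconf -n` dump for (a) "protocol" in notify_classes and (b) HELO hostname
# checks in any smtpd_*_restrictions list. Function names are hypothetical; the
# two dumps are constructed sample input (postconf -n prints one parameter per
# line, so each line is "name = value").

SAMPLE_OP=$(cat <<'EOF'
notify_classes = delay, protocol, resource, software
smtpd_banner = $myhostname ESMTP something
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination
EOF
)

# Assumed hardened form, not a configuration from the thread.
SAMPLE_FIXED=$(cat <<'EOF'
notify_classes = delay, resource, software
smtpd_banner = $myhostname ESMTP something
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination
EOF
)

# Print notify_classes with "protocol" removed and the separators normalised.
# Exit status 1 when "protocol" was present (a change is needed), 0 when it was
# absent or notify_classes is not set explicitly (the default has no protocol).
strip_protocol_class() {
  awk -F' = ' '$1 == "notify_classes" {
      n = split($2, cls, /[ ,]+/); out = ""; found = 0
      for (i = 1; i <= n; i++) {
        if (cls[i] == "") continue
        if (cls[i] == "protocol") { found = 1; continue }
        out = out (out == "" ? "" : ", ") cls[i]
      }
      print out
      exit found
  }'
}

# List every smtpd_*_restrictions parameter that applies a HELO hostname check,
# under either the current or the pre-2.3 restriction name.
helo_checks_in_use() {
  awk -F' = ' '$1 ~ /^smtpd_[a-z]+_restrictions$/ &&
               $2 ~ /reject_(invalid|non_fqdn|unknown)_helo_hostname|reject_invalid_hostname/ { print $1 }'
}

for dump in "$SAMPLE_OP" "$SAMPLE_FIXED"; do
  if fixed=$(printf '%s\n' "$dump" | strip_protocol_class); then
    echo "notify_classes: OK"
  else
    echo "notify_classes: remove protocol, e.g. postconf -e 'notify_classes = $fixed'"
  fi
  echo "HELO hostname checks in: $(printf '%s\n' "$dump" | helo_checks_in_use)"
done
```

Against a live system, run `postconf -n | strip_protocol_class` and `postconf -n | helo_checks_in_use`. One caveat the transcript in this thread makes plain: the bare EHLO already draws "501 Syntax: EHLO hostname" from smtpd with no HELO restriction configured at all, so adding reject_invalid_helo_hostname changes nothing for that bot; what stops the postmaster mail is dropping protocol from notify_classes.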