
Re: large amounts of disconnects

  • Tony Earnshaw
    Message 1 of 10 , Jan 1, 2007
      Len Conrad wrote:

      >> In the last 2 weeks I am noticing enormous amounts of strange connections
      >> to mail server from all over the world. An example from logs:
      >
      > "lost connection after" is perfectly normal for us. eg, for Sunday:
      >
      > mx1# zegrep ": lost connection after " /var/log/maillog.[0].gz | awk
      > '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
      > 394391 RCPT
      > 129629 EHLO
      > 68807 CONNECT
      > 2599 HELO
      > 1820 DATA
      > 1687 MAIL
      > 519 RSET
      > 102 NOOP
      > 24 UNKNOWN
      > 1 VRFY
      > 1 QUIT
      >
      > and for a weekday last week:
      >
      > mx1# zegrep ": lost connection after " /var/log/maillog.[5].gz | awk
      > '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
      > 818589 RCPT
      > 114880 CONNECT
      > 100362 EHLO
      > 2783 DATA
      > 2195 HELO
      > 2182 MAIL
      > 522 RSET
      > 159 NOOP
      > 23 UNKNOWN
      > 2 VRFY
      > 1 QUIT
      >
      > and for the 5.gz day:
      >
      > mx1# zegrep -ic ": connect from" /var/log/maillog.[5].gz
      > 2906441
      >
      > mx1# zegrep -ic ": disconnect from" /var/log/maillog.[5].gz
      > 2899136

      In fact, OP's transaction specifically showed the MTA objecting to the
      client issuing a HELO without data, after which OP's server (quite
      rightly) gave a syntax error after the client went on to give a MAIL FROM:

      The bot software was left in confusion and borked.

      It isn't so much a "lost connection" problem as a specific b0rked bot
      HELO problem.

      --Tonni

      --
      Tony Earnshaw
      Email: tonni at hetnet.nl
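An added example, not part of the thread or any poster's code: a Python version of the per-stage "lost connection after" tally quoted above that also groups by client address, which helps tell one broken bot repeating the same EHLO failure apart from ordinary background churn. The log lines are constructed and assume the usual Postfix smtpd syslog layout; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan  1 10:00:01 mx1 postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan  1 10:00:02 mx1 postfix/smtpd[2101]: lost connection after EHLO from unknown[192.0.2.10]
Jan  1 10:00:02 mx1 postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Jan  1 10:00:05 mx1 postfix/smtpd[2102]: connect from unknown[192.0.2.10]
Jan  1 10:00:06 mx1 postfix/smtpd[2102]: lost connection after EHLO from unknown[192.0.2.10]
Jan  1 10:00:09 mx1 postfix/smtpd[2103]: connect from unknown[192.0.2.10]
Jan  1 10:00:10 mx1 postfix/smtpd[2103]: lost connection after EHLO from unknown[192.0.2.10]
Jan  1 10:01:00 mx1 postfix/smtpd[2104]: connect from mail.example.org[198.51.100.7]
Jan  1 10:01:04 mx1 postfix/smtpd[2104]: lost connection after RCPT from mail.example.org[198.51.100.7]
Jan  1 10:02:00 mx1 postfix/smtpd[2105]: connect from unknown[203.0.113.5]
Jan  1 10:02:30 mx1 postfix/smtpd[2105]: lost connection after CONNECT from unknown[203.0.113.5]
"""

# "]: connect from" cannot match "disconnect from" (same idea as grepping ": connect from").
CONNECT = re.compile(r"smtpd\[\d+\]: connect from ")
LOST = re.compile(r"smtpd\[\d+\]: lost connection after (\S+) from \S*?\[([^\]]+)\]")


def summarize(lines):
    """Return (per-stage counts, per-(ip, stage) counts, number of connects)."""
    stages, clients, connects = Counter(), Counter(), 0
    for line in lines:
        if CONNECT.search(line):
            connects += 1
        elif (m := LOST.search(line)):
            stage, ip = m.group(1).upper(), m.group(2)
            stages[stage] += 1
            clients[(ip, stage)] += 1
    return stages, clients, connects


def repeat_offenders(clients, stage, threshold):
    """Client IPs that dropped at `stage` at least `threshold` times."""
    return sorted(ip for (ip, s), n in clients.items() if s == stage and n >= threshold)


if __name__ == "__main__":
    stages, clients, connects = summarize(SAMPLE_LOG.splitlines())
    for stage, n in stages.most_common():
        print(f"{n:8d} {stage}  ({n / connects:.0%} of {connects} connects)")
    print("repeat EHLO droppers:", repeat_offenders(clients, "EHLO", 3))
```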
    • Peter Matulis
      Message 2 of 10 , Jan 1, 2007
        --- "Roman Novak - roman.novak@..."
        <roman.novak@...> wrote:

        >
        > Michael Wang wrote:
        > > Roman Novak - roman.novak@... wrote:
        > >> Michael Wang wrote:
        > >>> Roman Novak wrote:
        > >>>> Transcript of session follows.
        > >>>>
        > >>>> Out: 220 mercury.mydomain.net ESMTP something
        > >>>> In: EHLO
        > >>>> Out: 501 Syntax: EHLO hostname
        > >>>>
        > >>>> Session aborted, reason: lost connection
        > >>>
        > >>> Do you have reject_invalid_helo_hostname or reject_invalid_hostname
        > >>> somewhere in your main.cf file?
        > >>
        > >> No, I don't have these parameters in main.cf
        > >
        > > Show us your postconf -n output.
        > >
        >
        > [root@mercury ~]# postconf -n

        [...]

        > notify_classes = delay, protocol, resource, software


        Remove 'protocol' from the above setting.

        From the docs:

        protocol
        Send the postmaster a transcript of the SMTP session in case of client
        or server protocol errors.

        The bot is committing a protocol error.

        Peter
