lost connection after STARTTLS / botnet

  • Robert Schetterer
    Message 1 of 3 , Dec 7, 2012
      Hi, for days now I have had a lot of

      lost connection after STARTTLS log entries; the IPs look like a botnet,
      e.g.

      ---snip
      Dec 7 19:36:22 mail01 postfix/smtpd[32324]: lost connection after
      STARTTLS from ip-77-221-82-102.kava.lt[77.221.82.102]
      Dec 7 19:36:32 mail01 postfix/smtpd[2243]: lost connection after
      STARTTLS from 89-73-25-87.dynamic.chello.pl[89.73.25.87]
      Dec 7 19:36:36 mail02 postfix/smtpd[10130]: lost connection after
      STARTTLS from unknown[95.76.0.194]
      Dec 7 19:37:04 mail02 postfix/smtpd[8299]: lost connection after
      STARTTLS from 89-43-126-236.static.platiniumtv.ro[89.43.126.236]
      Dec 7 19:37:19 mail01 postfix/smtpd[26783]: lost connection after
      STARTTLS from unknown[87.111.5.17]
      Dec 7 19:37:37 mail02 postfix/smtpd[9082]: lost connection after
      STARTTLS from cpe-76-181-225-255.columbus.res.rr.com[76.181.225.255]
      Dec 7 19:38:17 mail01 postfix/smtpd[31724]: lost connection after
      STARTTLS from unknown[188.241.136.47]
      Dec 7 19:38:34 mail01 postfix/smtpd[32324]: lost connection after
      STARTTLS from unknown[178.151.96.138]
      Dec 7 19:38:48 mail02 postfix/smtpd[8315]: lost connection after
      STARTTLS from unknown[89.228.126.51]
      Dec 7 19:40:03 mail01 postfix/smtpd[15171]: lost connection after
      STARTTLS from c-67-177-139-18.hsd1.mi.comcast.net[67.177.139.18]
      Dec 7 19:40:35 mail01 postfix/smtpd[15819]: lost connection after
      STARTTLS from c-67-187-73-3.hsd1.tn.comcast.net[67.187.73.3]
      Dec 7 19:40:35 mail02 postfix/smtpd[8299]: lost connection after
      STARTTLS from unknown[186.35.25.33]
      Dec 7 19:41:00 mail01 postfix/smtpd[15938]: lost connection after
      STARTTLS from unknown[95.77.128.52]
      Dec 7 19:41:34 mail02 postfix/smtpd[8315]: lost connection after
      STARTTLS from host-111-184-248-207.dynamic.kbtelecom.net[111.184.248.207]
      Dec 7 19:42:26 mail01 postfix/smtpd[15819]: lost connection after
      STARTTLS from 50-88-202-155.res.bhn.net[50.88.202.155]
      Dec 7 19:43:03 mail01 postfix/smtpd[15938]: lost connection after
      STARTTLS from unknown[24.96.7.232]
      --snipend

      Anyone else with this?
      What might be best to do, configure postscreen etc.?

      Best Regards
      MfG Robert Schetterer

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, District Court München: HRB 199263
      Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
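
An added example (not part of the original thread): a Python summary of "lost connection after STARTTLS" entries like those in the message above, showing whether the drops come from many one-off addresses or from a few repeat clients, and how they spread over the MTAs. The log sample is constructed, and `unwrap` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (documentation-range
# addresses, made-up hostnames); entry 2 is wrapped as in the mail archive.
SAMPLE_LOG = """\
Dec 7 19:36:22 mail01 postfix/smtpd[32324]: lost connection after STARTTLS from host1.example.net[192.0.2.10]
Dec 7 19:36:32 mail01 postfix/smtpd[2243]: lost connection after
STARTTLS from unknown[198.51.100.7]
Dec 7 19:36:36 mail02 postfix/smtpd[10130]: lost connection after STARTTLS from unknown[203.0.113.44]
Dec 7 19:37:04 mail02 postfix/smtpd[8299]: lost connection after STARTTLS from host2.example.org[192.0.2.77]
Dec 7 19:37:19 mail01 postfix/smtpd[26783]: connect from unknown[198.51.100.7]
Dec 7 19:37:37 mail02 postfix/smtpd[9082]: lost connection after STARTTLS from unknown[198.51.100.7]
"""

STAMP = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s")
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+(?P<host>\S+)\s+postfix/smtpd\[\d+\]:\s+"
    r"lost connection after STARTTLS from (?P<rdns>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

def unwrap(text):
    """Re-join entries that a mail client wrapped onto a second line."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line and (STAMP.match(line) or not entries):
            entries.append(line)          # a new syslog entry starts here
        elif line:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def summarize(text):
    """Count STARTTLS drops per client IP, per minute and per MTA host."""
    per_ip, per_minute, per_mta, no_rdns = Counter(), Counter(), Counter(), set()
    for m in filter(None, map(EVENT.match, unwrap(text))):
        per_ip[m["ip"]] += 1
        per_minute[" ".join(m["ts"].split())] += 1   # bucket by minute
        per_mta[m["host"]] += 1
        if m["rdns"] == "unknown":        # client has no verified reverse DNS name
            no_rdns.add(m["ip"])
    return {
        "events": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "repeat_ips": {ip: n for ip, n in per_ip.items() if n > 1},
        "no_rdns_ips": len(no_rdns),
        "per_mta": dict(per_mta),
        "peak_minute": per_minute.most_common(1)[0] if per_minute else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A `distinct_ips` count close to `events` with few `repeat_ips` means the drops are spread over many clients, so counting per address will not single out any one source.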
    • Wietse Venema
      Message 2 of 3 , Dec 7, 2012
        Robert Schetterer:
        > ---snip
        [bunch of end-user IP addresses]
        > Dec 7 19:41:34 mail02 postfix/smtpd[8315]: lost connection after
        > STARTTLS from host-111-184-248-207.dynamic.kbtelecom.net[111.184.248.207]
        > --snipend
        >
        > anyone else with this ?
        > what might best to do , configure postscreen etc ?

        If it ties up your SMTP daemons, postscreen can deal with them,
        but for this you need to turn on an "after-220-greeting" test, for
        example

        postscreen_pipelining_enable = yes

        And perhaps:

        postscreen_pipelining_action = ignore

        Every 30 days by default, an SMTP client will spend one SMTP session
        just to renew its whitelist status, and gets 4xx replies for attempts
        to deliver mail (see postscreen_pipelining_ttl parameter documentation).
        The next time the client connects, it will be allowed to deliver mail.

        You'd need to use memcache if you want to share the postscreen
        whitelist among multiple MTAs.

        Wietse
      • Robert Schetterer
        Message 3 of 3 , Dec 7, 2012
          On 07.12.2012 20:55, Wietse Venema wrote:
          > Robert Schetterer:
          >> ---snip
          > [bunch of end-user IP addresses]
          >> Dec 7 19:41:34 mail02 postfix/smtpd[8315]: lost connection after
          >> STARTTLS from host-111-184-248-207.dynamic.kbtelecom.net[111.184.248.207]
          >> --snipend
          >>
          >> anyone else with this ?
          >> what might best to do , configure postscreen etc ?
          >
          > If it ties up your SMTP daemons, postscreen can deal with them,
          > but for this you need to turn on an "after-220-greeting" test, for
          > example
          >
          > postscreen_pipelining_enable = yes
          >
          > And perhaps:
          >
          > postscreen_pipelining_action = ignore
          >
          > Every 30 days by default, an SMTP client will spend one SMTP session
          > just to renew its whitelist status, and gets 4xx replies for attempts
          > to deliver mail (see postscreen_pipelining_ttl parameter documentation).
          > The next time the client connects, it will be allowed to deliver mail.
          >
          > You'd need to use memcache if you want to share the postscreen
          > whitelist among multiple MTAs.
          >
          > Wietse
          >

          Thanks for the info, Wietse. For design reasons
          postscreen can't be used on all connected IPs on this server cluster.
          I will wait and see; perhaps I will set up postscreen partly.


          Best Regards
          MfG Robert Schetterer
