
How to detect AUTH before STARTTLS?

  • Anders Wegge Keller
    Message 1 of 3 , Jul 29, 2014
      Recently, I've noticed a lot of repeated connections, like this:

      Jul 29 20:26:06 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
      Jul 29 20:26:09 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
      Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]

      Sometimes I manage to catch the spambot in the act, and set up tshark to
      dump the traffic:

      44.048894 5.9.72.151 -> 175.101.8.162 SMTP 102 S: 220 smtp.jernurt.dk ESMTP Postfix (Debian/GNU)
      44.636765 175.101.8.162 -> 5.9.72.151 SMTP 65 C: EHLO USER
      44.636789 5.9.72.151 -> 175.101.8.162 TCP 54 smtp > 53818 [ACK] Seq=49 Ack=12 Win=14720 Len=0
      44.636893 5.9.72.151 -> 175.101.8.162 SMTP 192 S: 250-smtp.jernurt.dk | 250-PIPELINING | 250-SIZE 10240000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
      45.293030 175.101.8.162 -> 5.9.72.151 SMTP 66 C: AUTH LOGIN
      45.293114 5.9.72.151 -> 175.101.8.162 SMTP 99 S: 503 5.5.1 Error: authentication not enabled
      45.906139 175.101.8.162 -> 5.9.72.151 SMTP 76 C: YmxvZy53ZWdnZS5kaw==
      45.906224 5.9.72.151 -> 175.101.8.162 SMTP 95 S: 502 5.5.2 Error: command not recognized
      46.535497 175.101.8.162 -> 5.9.72.151 SMTP 68 C: c2VydmljZQ==
      46.535579 5.9.72.151 -> 175.101.8.162 SMTP 95 S: 502 5.5.2 Error: command not recognized

      I hope this will be readable, even for people not familiar with tshark
      output.

      My analysis is that the remote system is making a dictionary attack, to try
      and see if it's possible to relay mail through my server that way.
      Unfortunately (for the spammer), postfix is configured with
      smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info
      can grow rather large, so I would like to have a sure-fire trigger in the
      log, that I can use to put an iptable block in place with fail2ban.

      So my question is: Is it possible to get a log entry for remote systems
      that try to do AUTH without having issued STARTTLS first?

      --
      //Wegge

    • Wietse Venema
      Message 2 of 3 , Jul 29, 2014
        Anders Wegge Keller:
        > My analysis is that the remote system is making a dictionary attack, to try
        > and see if it's possible to relay mail through my server that way.
        > Unfortunately (for the spammer), postfix is configured with
        > smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info
        > can grow rather large, so I would like to have a sure-fire trigger in the
        > log, that I can use to put an iptable block in place with fail2ban.
        >
        > So my question is: Is it possible to get a log entry for remote systems
        > that try to do AUTH without having issued STARTTLS first?

        No. If a command is disabled or unknown then Postfix does not log
        it. That could fill the logfile quickly.

        In the next release, there is a design to log the number of
        successful/total commands in an SMTP session.

        Your session would look like:

        disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2

        Translation:

        ehlo=1 1 successful ehlo, 1 total ehlo,
        auth=0/1 0 successful auth, 1 total auth.
        unknown=2 2 unknown commands

        That would make failed AUTH commands easy to recognize, and
        in many cases help to diagnose trouble without having to
        turn on Postfix verbose logging.

        Wietse
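A parser for the per-session summary line Wietse describes, written as an added example (not Postfix code and not from anyone in this thread): it turns `disconnect from ... ehlo=1 auth=0/1 unknown=2` lines into counters and flags the two session shapes a fail2ban jail would want. It assumes the counter format is `name=successful/total` with a bare count when all succeeded, assumes a `starttls=` counter appears only when STARTTLS completed, and uses constructed log lines; the fail2ban failregex at the end is equally a constructed assumption.

```python
import re

# Constructed sample log in the per-session summary format Wietse describes:
# each SMTP command gets a "successful/total" counter, a bare count meaning all
# succeeded. The starttls= counter is an assumption; these are not real log lines.
SAMPLE_LOG = """\
Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2
Jul 29 20:30:11 rollo postfix/smtpd[21290]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1
Jul 29 20:31:02 rollo postfix/smtpd[21291]: disconnect from unknown[198.51.100.7] ehlo=1 starttls=1 auth=0/3 quit=1
Jul 29 20:32:45 rollo postfix/smtpd[21292]: disconnect from unknown[203.0.113.5] ehlo=1 mail=1 rcpt=0/1 quit=1
"""

DISCONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: disconnect from (?P<name>\S+)\[(?P<ip>[^\]]+)\]"
                           r"(?P<counters>(?: \w+=\d+(?:/\d+)?)*)\s*$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_disconnect(line):
    """Return (client_ip, {command: (successful, total)}) or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for cmd, ok, total in COUNTER_RE.findall(m.group("counters")):
        counters[cmd] = (int(ok), int(total) if total else int(ok))
    return m.group("ip"), counters

def classify(counters):
    """AUTH with no STARTTLS (always 503 under smtpd_tls_auth_only=yes), AUTH failed over TLS, or None."""
    auth_ok, auth_total = counters.get("auth", (0, 0))
    tls_ok, _ = counters.get("starttls", (0, 0))
    if auth_total and not tls_ok:
        return "auth-without-starttls"
    if auth_total and not auth_ok:
        return "auth-failed-over-tls"
    return None

def suspicious_sessions(log_text):
    """Return (ip, label) for every summary line worth feeding to fail2ban."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        label = classify(parsed[1]) if parsed else None
        if label:
            hits.append((parsed[0], label))
    return hits

# The first rule as a fail2ban failregex (constructed; <HOST> is fail2ban's placeholder):
# match only when auth=0/N appears with no starttls= counter before it on the line.
FAIL2BAN_FAILREGEX = (r"postfix/smtpd\[\d+\]: disconnect from \S+\[<HOST>\]"
                      r"(?: (?!starttls=)\w+=\d+(?:/\d+)?)* auth=0/\d+")
```

On the sample, only 175.101.8.162 matches the first rule; 198.51.100.7 is caught by the second as password guessing over TLS, which a separate jail with its own retry threshold would handle.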
      • wegge@...
        Message 3 of 3 , Jul 29, 2014
          On 2014-07-29 22:17, wietse@... wrote:
          > Anders Wegge Keller:
          >> My analysis is that the remote system is making a dictionary
          >> attack, to try
          >> and see if it's possible to relay mail through my server that way.
          >> Unfortunately (for the spammer), postfix is configured with
          >> smtpd_tls_auth_only = yes, so the connection is rejected. However,
          >> mail.info
          >> can grow rather large, so I would like to have a sure-fire trigger
          >> in the
          >> log, that I can use to put an iptable block in place with fail2ban.
          >>
          >> So my question is: Is it possible to get a log entry for remote
          >> systems
          >> that try to do AUTH without having issued STARTTLS first?
          >
          > No. If a command is disabled or unknown then Postfix does not log
          > it. That could fill the logfile quickly.

          Yes, I can see that with my own logfile.

          ...

          > That would make failed AUTH commands easy to recognize, and
          > in many cases help to diagnose trouble without having to
          > turn on Postfix verbose logging.

          I'm looking forward to that change.

          Thanks for the answer!

          --
          //Wegge