Re: [mailop] Plain connections on SubmissionS port

Viktor Dukhovni via mailop Sun, 11 Aug 2024 17:00:33 -0700

On Sun, Aug 11, 2024 at 05:25:19PM +0000, Slavko via mailop wrote:

> Dňa 11. augusta 2024 15:20:50 UTC používateľ "Scott Q. via mailop" 
> <mailop@mailop.org> napísal:
> >I've noticed this maybe 3-4 years ago. Could not tie it to any
> >legitimate customer or application.
> 
> Yes, not real users, IPs are mostly from US (hi COMCAST), but othervise
> from ~60 countries, 219 ASNs... I am more aggressive, i block them
> initially for 30 days and only small number of them repeats. Unfortunatelly,
> i am able to identify them only after connection close (or at least i don't
> know how to reliably do it sooner). I will check if exim allow me to set
> (shorter) TLS handshake timeout.


I see some similar traffic (remote disconnects after ~8-30s) on my server:

    Aug 12 07:39:42 amnesiac postfix/smtps/smtpd[990013]: connect from 
unknown[65.20.138.174]
    Aug 12 07:39:52 amnesiac postfix/smtps/smtpd[990013]: lost connection after 
CONNECT from unknown[65.20.138.174]
    Aug 12 07:39:52 amnesiac postfix/smtps/smtpd[990013]: disconnect from 
unknown[65.20.138.174] commands=0/0

    Aug 12 07:51:29 amnesiac postfix/smtps/smtpd[990143]: connect from 
unknown[206.168.34.219]
    Aug 12 07:51:44 amnesiac postfix/smtps/smtpd[990143]: lost connection after 
CONNECT from unknown[206.168.34.219]
    Aug 12 07:51:44 amnesiac postfix/smtps/smtpd[990143]: disconnect from 
unknown[206.168.34.219] commands=0/0

    Aug 12 07:51:45 amnesiac postfix/smtps/smtpd[990143]: connect from 
unknown[162.142.125.214]
    Aug 12 07:52:15 amnesiac postfix/smtps/smtpd[990143]: lost connection after 
CONNECT from unknown[162.142.125.214]
    Aug 12 07:52:15 amnesiac postfix/smtps/smtpd[990143]: disconnect from 
unknown[162.142.125.214] commands=0/0

    Aug 12 07:52:17 amnesiac postfix/smtps/smtpd[990143]: connect from 
unknown[167.94.138.45]
    Aug 12 07:52:47 amnesiac postfix/smtps/smtpd[990143]: lost connection after 
CONNECT from unknown[167.94.138.45]
    Aug 12 07:52:47 amnesiac postfix/smtps/smtpd[990143]: disconnect from 
unknown[167.94.138.45] commands=0/0

    Aug 12 08:18:27 amnesiac postfix/smtps/smtpd[990438]: connect from 
host-95-229-5-248.business.telecomitalia.it[95.229.5.248]
    Aug 12 08:18:36 amnesiac postfix/smtps/smtpd[990438]: lost connection after 
CONNECT from host-95-229-5-248.business.telecomitalia.it[95.229.5.248]
    Aug 12 08:18:36 amnesiac postfix/smtps/smtpd[990438]: disconnect from 
host-95-229-5-248.business.telecomitalia.it[95.229.5.248] commands=0/0

    Aug 12 08:18:39 amnesiac postfix/smtps/smtpd[990438]: connect from 
unknown[86.104.144.93]
    Aug 12 08:18:47 amnesiac postfix/smtps/smtpd[990438]: lost connection after 
CONNECT from unknown[86.104.144.93]
    Aug 12 08:18:47 amnesiac postfix/smtps/smtpd[990438]: disconnect from 
unknown[86.104.144.93] commands=0/0

    Aug 12 08:35:59 amnesiac postfix/smtps/smtpd[990832]: connect from 
unknown[65.20.129.67]
    Aug 12 08:36:07 amnesiac postfix/smtps/smtpd[990832]: lost connection after 
CONNECT from unknown[65.20.129.67]
    Aug 12 08:36:07 amnesiac postfix/smtps/smtpd[990832]: disconnect from 
unknown[65.20.129.67] commands=0/0

    Aug 12 08:36:10 amnesiac postfix/smtps/smtpd[990832]: connect from 
unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: disconnect from 
unknown[141.145.207.38] commands=0/0

I don't see much need for countermeasures at present.  The IP addresses
don't recur with much frequency.  Here's the data for the last:

    Jul 26 02:41:25 amnesiac postfix/smtps/smtpd[377877]: connect from 
unknown[141.145.207.38]
    Jul 26 02:41:35 amnesiac postfix/smtps/smtpd[377877]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Jul 26 02:41:35 amnesiac postfix/smtps/smtpd[377877]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Jul 29 05:32:31 amnesiac postfix/smtps/smtpd[449376]: connect from 
unknown[141.145.207.38]
    Jul 29 05:32:40 amnesiac postfix/smtps/smtpd[449376]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Jul 29 05:32:40 amnesiac postfix/smtps/smtpd[449376]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Jul 29 16:32:14 amnesiac postfix/smtps/smtpd[461877]: connect from 
unknown[141.145.207.38]
    Jul 29 16:32:22 amnesiac postfix/smtps/smtpd[461877]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Jul 29 16:32:22 amnesiac postfix/smtps/smtpd[461877]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Jul 30 03:35:38 amnesiac postfix/smtps/smtpd[472742]: connect from 
unknown[141.145.207.38]
    Jul 30 03:35:46 amnesiac postfix/smtps/smtpd[472742]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Jul 30 03:35:46 amnesiac postfix/smtps/smtpd[472742]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Aug 01 17:09:29 amnesiac postfix/smtps/smtpd[649929]: connect from 
unknown[141.145.207.38]
    Aug 01 17:09:38 amnesiac postfix/smtps/smtpd[649929]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Aug 01 17:09:38 amnesiac postfix/smtps/smtpd[649929]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Aug 02 01:49:03 amnesiac postfix/smtps/smtpd[657815]: connect from 
unknown[141.145.207.38]
    Aug 02 01:49:11 amnesiac postfix/smtps/smtpd[657815]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Aug 02 01:49:11 amnesiac postfix/smtps/smtpd[657815]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Aug 05 09:17:58 amnesiac postfix/smtps/smtpd[809888]: connect from 
unknown[141.145.207.38]
    Aug 05 09:18:07 amnesiac postfix/smtps/smtpd[809888]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Aug 05 09:18:07 amnesiac postfix/smtps/smtpd[809888]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Aug 06 18:54:34 amnesiac postfix/smtps/smtpd[848666]: connect from 
unknown[141.145.207.38]
    Aug 06 18:54:42 amnesiac postfix/smtps/smtpd[848666]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Aug 06 18:54:42 amnesiac postfix/smtps/smtpd[848666]: disconnect from 
unknown[141.145.207.38] commands=0/0

    Aug 12 08:36:10 amnesiac postfix/smtps/smtpd[990832]: connect from 
unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: lost connection after 
CONNECT from unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: disconnect from 
unknown[141.145.207.38] commands=0/0

-- 
    Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Plain connections on SubmissionS port

Reply via email to