In my case the connections were hanging forever. That's why we
had to get our IDS to kill them after ~5 seconds or they would take up
a lot of connection slots.

Scott

On Sunday, 11/08/2024 at 19:46 Viktor Dukhovni via mailop wrote:
On Sun, Aug 11, 2024 at 05:25:19PM +0000, Slavko via mailop wrote:

> On 11 August 2024 15:20:50 UTC, user "Scott Q. via mailop" wrote:
> > I've noticed this maybe 3-4 years ago. Could not tie it to any
> > legitimate customer or application.
>
> Yes, not real users. IPs are mostly from the US (hi COMCAST), but
> otherwise from ~60 countries, 219 ASNs... I am more aggressive: I block
> them initially for 30 days and only a small number of them repeat.
> Unfortunately, I am able to identify them only after connection close
> (or at least I don't know how to reliably do it sooner). I will check
> if exim allows me to set a (shorter) TLS handshake timeout.

I see some similar traffic (remote disconnects after ~8-30s) on my server:

    Aug 12 07:39:42 amnesiac postfix/smtps/smtpd[990013]: connect from unknown[65.20.138.174]
    Aug 12 07:39:52 amnesiac postfix/smtps/smtpd[990013]: lost connection after CONNECT from unknown[65.20.138.174]
    Aug 12 07:39:52 amnesiac postfix/smtps/smtpd[990013]: disconnect from unknown[65.20.138.174] commands=0/0

    Aug 12 07:51:29 amnesiac postfix/smtps/smtpd[990143]: connect from unknown[206.168.34.219]
    Aug 12 07:51:44 amnesiac postfix/smtps/smtpd[990143]: lost connection after CONNECT from unknown[206.168.34.219]
    Aug 12 07:51:44 amnesiac postfix/smtps/smtpd[990143]: disconnect from unknown[206.168.34.219] commands=0/0

    Aug 12 07:51:45 amnesiac postfix/smtps/smtpd[990143]: connect from unknown[162.142.125.214]
    Aug 12 07:52:15 amnesiac postfix/smtps/smtpd[990143]: lost connection after CONNECT from unknown[162.142.125.214]
    Aug 12 07:52:15 amnesiac postfix/smtps/smtpd[990143]: disconnect from unknown[162.142.125.214] commands=0/0

    Aug 12 07:52:17 amnesiac postfix/smtps/smtpd[990143]: connect from unknown[167.94.138.45]
    Aug 12 07:52:47 amnesiac postfix/smtps/smtpd[990143]: lost connection after CONNECT from unknown[167.94.138.45]
    Aug 12 07:52:47 amnesiac postfix/smtps/smtpd[990143]: disconnect from unknown[167.94.138.45] commands=0/0

    Aug 12 08:18:27 amnesiac postfix/smtps/smtpd[990438]: connect from host-95-229-5-248.business.telecomitalia.it[95.229.5.248]
    Aug 12 08:18:36 amnesiac postfix/smtps/smtpd[990438]: lost connection after CONNECT from host-95-229-5-248.business.telecomitalia.it[95.229.5.248]
    Aug 12 08:18:36 amnesiac postfix/smtps/smtpd[990438]: disconnect from host-95-229-5-248.business.telecomitalia.it[95.229.5.248] commands=0/0

    Aug 12 08:18:39 amnesiac postfix/smtps/smtpd[990438]: connect from unknown[86.104.144.93]
    Aug 12 08:18:47 amnesiac postfix/smtps/smtpd[990438]: lost connection after CONNECT from unknown[86.104.144.93]
    Aug 12 08:18:47 amnesiac postfix/smtps/smtpd[990438]: disconnect from unknown[86.104.144.93] commands=0/0

    Aug 12 08:35:59 amnesiac postfix/smtps/smtpd[990832]: connect from unknown[65.20.129.67]
    Aug 12 08:36:07 amnesiac postfix/smtps/smtpd[990832]: lost connection after CONNECT from unknown[65.20.129.67]
    Aug 12 08:36:07 amnesiac postfix/smtps/smtpd[990832]: disconnect from unknown[65.20.129.67] commands=0/0

    Aug 12 08:36:10 amnesiac postfix/smtps/smtpd[990832]: connect from unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: lost connection after CONNECT from unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: disconnect from unknown[141.145.207.38] commands=0/0

I don't see much need for countermeasures at present.  The IP addresses
don't recur with much frequency.  Here's the data for the last:

    Jul 26 02:41:25 amnesiac postfix/smtps/smtpd[377877]: connect from unknown[141.145.207.38]
    Jul 26 02:41:35 amnesiac postfix/smtps/smtpd[377877]: lost connection after CONNECT from unknown[141.145.207.38]
    Jul 26 02:41:35 amnesiac postfix/smtps/smtpd[377877]: disconnect from unknown[141.145.207.38] commands=0/0

    Jul 29 05:32:31 amnesiac postfix/smtps/smtpd[449376]: connect from unknown[141.145.207.38]
    Jul 29 05:32:40 amnesiac postfix/smtps/smtpd[449376]: lost connection after CONNECT from unknown[141.145.207.38]
    Jul 29 05:32:40 amnesiac postfix/smtps/smtpd[449376]: disconnect from unknown[141.145.207.38] commands=0/0

    Jul 29 16:32:14 amnesiac postfix/smtps/smtpd[461877]: connect from unknown[141.145.207.38]
    Jul 29 16:32:22 amnesiac postfix/smtps/smtpd[461877]: lost connection after CONNECT from unknown[141.145.207.38]
    Jul 29 16:32:22 amnesiac postfix/smtps/smtpd[461877]: disconnect from unknown[141.145.207.38] commands=0/0

    Jul 30 03:35:38 amnesiac postfix/smtps/smtpd[472742]: connect from unknown[141.145.207.38]
    Jul 30 03:35:46 amnesiac postfix/smtps/smtpd[472742]: lost connection after CONNECT from unknown[141.145.207.38]
    Jul 30 03:35:46 amnesiac postfix/smtps/smtpd[472742]: disconnect from unknown[141.145.207.38] commands=0/0

    Aug 01 17:09:29 amnesiac postfix/smtps/smtpd[649929]: connect from unknown[141.145.207.38]
    Aug 01 17:09:38 amnesiac postfix/smtps/smtpd[649929]: lost connection after CONNECT from unknown[141.145.207.38]
    Aug 01 17:09:38 amnesiac postfix/smtps/smtpd[649929]: disconnect from unknown[141.145.207.38] commands=0/0

    Aug 02 01:49:03 amnesiac postfix/smtps/smtpd[657815]: connect from unknown[141.145.207.38]
    Aug 02 01:49:11 amnesiac postfix/smtps/smtpd[657815]: lost connection after CONNECT from unknown[141.145.207.38]
    Aug 02 01:49:11 amnesiac postfix/smtps/smtpd[657815]: disconnect from unknown[141.145.207.38] commands=0/0

    Aug 05 09:17:58 amnesiac postfix/smtps/smtpd[809888]: connect from unknown[141.145.207.38]
    Aug 05 09:18:07 amnesiac postfix/smtps/smtpd[809888]: lost connection after CONNECT from unknown[141.145.207.38]
    Aug 05 09:18:07 amnesiac postfix/smtps/smtpd[809888]: disconnect from unknown[141.145.207.38] commands=0/0

    Aug 06 18:54:34 amnesiac postfix/smtps/smtpd[848666]: connect from unknown[141.145.207.38]
    Aug 06 18:54:42 amnesiac postfix/smtps/smtpd[848666]: lost connection after CONNECT from unknown[141.145.207.38]
    Aug 06 18:54:42 amnesiac postfix/smtps/smtpd[848666]: disconnect from unknown[141.145.207.38] commands=0/0

    Aug 12 08:36:10 amnesiac postfix/smtps/smtpd[990832]: connect from unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: lost connection after CONNECT from unknown[141.145.207.38]
    Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: disconnect from unknown[141.145.207.38] commands=0/0

-- 
    Viktor.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
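Added here as a detection example (not code from any participant in the thread, nor from Postfix or exim): it parses smtpd log lines in the format Viktor posted, pairs each connect with its disconnect by process id and client IP, keeps only sessions that were dropped after CONNECT with commands=0/0, and counts how often each source IP recurs, which is the "does it repeat?" question both Slavko and Viktor raise. The sample log is constructed from lines quoted in the thread plus one ordinary session on a documentation address; the year 2024 is assumed because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the postfix/smtps/smtpd lines quoted in the thread,
# plus one ordinary session (192.0.2.10 is a documentation address) as a control.
SAMPLE_LOG = """\
Aug 06 18:54:34 amnesiac postfix/smtps/smtpd[848666]: connect from unknown[141.145.207.38]
Aug 06 18:54:42 amnesiac postfix/smtps/smtpd[848666]: lost connection after CONNECT from unknown[141.145.207.38]
Aug 06 18:54:42 amnesiac postfix/smtps/smtpd[848666]: disconnect from unknown[141.145.207.38] commands=0/0
Aug 12 07:39:42 amnesiac postfix/smtps/smtpd[990013]: connect from unknown[65.20.138.174]
Aug 12 07:39:52 amnesiac postfix/smtps/smtpd[990013]: lost connection after CONNECT from unknown[65.20.138.174]
Aug 12 07:39:52 amnesiac postfix/smtps/smtpd[990013]: disconnect from unknown[65.20.138.174] commands=0/0
Aug 12 08:36:10 amnesiac postfix/smtps/smtpd[990832]: connect from unknown[141.145.207.38]
Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: lost connection after CONNECT from unknown[141.145.207.38]
Aug 12 08:36:19 amnesiac postfix/smtps/smtpd[990832]: disconnect from unknown[141.145.207.38] commands=0/0
Aug 12 09:00:00 amnesiac postfix/smtps/smtpd[990900]: connect from mail.example.org[192.0.2.10]
Aug 12 09:00:03 amnesiac postfix/smtps/smtpd[990900]: disconnect from mail.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect|lost connection after CONNECT|disconnect) from "
    r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\](?P<rest>.*)$")

def find_connect_probes(log_text, year=2024):
    """Return (ip, seconds_open, timestamp) for every session that was dropped
    after CONNECT without a single SMTP command (disconnect ... commands=0/0)."""
    started, dropped, probes = {}, set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["pid"], m["ip"])              # one smtpd process serves sessions in turn
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        if m["event"] == "connect":
            started[key] = when
        elif m["event"].startswith("lost connection"):
            dropped.add(key)
        else:                                   # disconnect: close out the session
            start = started.pop(key, None)
            if start and key in dropped and "commands=0/0" in m["rest"]:
                probes.append((m["ip"], (when - start).total_seconds(), m["ts"]))
            dropped.discard(key)
    return probes

def recurrence(probes):
    """Probe sessions per source IP, most frequent first (the thread's 'does it recur?' check)."""
    return sorted(Counter(ip for ip, _, _ in probes).items(), key=lambda kv: (-kv[1], kv[0]))
```

Run it over a real mail log and the seconds_open column gives the dwell time Scott's IDS timeout and Slavko's TLS handshake timeout would need to beat, while recurrence() shows which sources justify a block at all.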