On 2025-01-01 at 20:13:35 UTC-0500 (Wed, 01 Jan 2025 20:13:35 -0500)
Greg Klanderman via Postfix-users <g...@klanderman.net>
is rumored to have said:
> I just noticed a single unknown host is connecting ~1000x per day,
> with fingerprint 'ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4' so
> that's my first target.
Failed auth like that is a good basis for targeting, provided you are
100% certain that it isn't a real user with a typo'd password. Beyond
that it may be perilous to interpret command failures or non-delivering
sessions as suspicious. For example, a non-sending session that just
does ehlo/starttls/ehlo/quit may only be noticing a message size limit
in the EHLO reply and giving up on an oversize message, i.e. doing the
right thing.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
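The distinction Bill draws above, repeated AUTH failures as a usable signal versus non-delivering sessions that may be legitimate, can be applied mechanically to Postfix "disconnect from" log lines. The following is an added example, not code from either poster or from the Postfix project. It assumes the Postfix 3.x per-session summary format (`cmd=ok/total` when a command failed, `cmd=count` otherwise); the sample log lines, the host names and addresses, and the `min_failures` threshold of 3 are all constructed here so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix 3.x "disconnect from" summary
# format. These are not real traffic; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  1 20:01:02 mx postfix/smtpd[1001]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  1 20:03:11 mx postfix/smtpd[1002]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  1 20:05:40 mx postfix/smtpd[1003]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  1 20:07:15 mx postfix/submission/smtpd[1004]: disconnect from laptop.example.net[198.51.100.7] ehlo=1 starttls=1 auth=0/1 quit=1 commands=3/4
Jan  1 20:09:30 mx postfix/smtpd[1005]: disconnect from mail.example.org[203.0.113.5] ehlo=2 starttls=1 quit=1 commands=4
Jan  1 20:11:00 mx postfix/smtpd[1006]: disconnect from mail.example.org[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# "disconnect from host[ip] cmd=n cmd=ok/total ..." -- the host may be "unknown".
DISCONNECT_RE = re.compile(r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<counts>.*)$")
# A single counter: "auth=0/1" (0 succeeded of 1 attempted) or "ehlo=2" (all succeeded).
COUNT_RE = re.compile(r"(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def parse_disconnect(line):
    """Return {'host', 'ip', 'counts': {cmd: (ok, total)}} or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counts = {}
    for c in COUNT_RE.finditer(m.group("counts")):
        ok = int(c.group("ok"))
        total = int(c.group("total")) if c.group("total") else ok
        counts[c.group("cmd")] = (ok, total)
    return {"host": m.group("host"), "ip": m.group("ip"), "counts": counts}


def session_class(sess):
    """Classify one session the way the thread suggests.

    auth_failure: at least one AUTH attempt was rejected (a usable signal).
    probe_only:   EHLO/STARTTLS then QUIT with no MAIL command; may simply be
                  a sender giving up after reading the size limit in the EHLO
                  reply, so it is counted but never treated as suspicious.
    normal:       anything else.
    """
    c = sess["counts"]
    auth_ok, auth_total = c.get("auth", (0, 0))
    if auth_total > auth_ok:
        return "auth_failure"
    if c.get("mail", (0, 0))[1] == 0 and c.get("starttls", (0, 0))[0] > 0:
        return "probe_only"
    return "normal"


def summarize(log_text, min_failures=3):
    """Aggregate per client IP and return (per_ip stats, block candidates).

    Only IPs with at least min_failures failed-AUTH sessions become candidates;
    a single failure could be a real user's mistyped password, so it is kept
    visible in the stats but not proposed for blocking. The threshold is an
    assumed value, not something the thread prescribes.
    """
    per_ip = defaultdict(lambda: {"sessions": 0, "auth_failures": 0, "probe_only": 0})
    for line in log_text.splitlines():
        sess = parse_disconnect(line)
        if sess is None:
            continue
        rec = per_ip[sess["ip"]]
        rec["sessions"] += 1
        cls = session_class(sess)
        if cls == "auth_failure":
            rec["auth_failures"] += 1
        elif cls == "probe_only":
            rec["probe_only"] += 1
    candidates = sorted(ip for ip, r in per_ip.items() if r["auth_failures"] >= min_failures)
    return dict(per_ip), candidates


if __name__ == "__main__":
    stats, candidates = summarize(SAMPLE_LOG)
    for ip, rec in sorted(stats.items()):
        print(ip, rec)
    print("block candidates:", candidates)
```

Run against `/var/log/mail.log` (or `journalctl -u postfix`) output instead of `SAMPLE_LOG` to get the same per-IP breakdown on real traffic; the `probe_only` column is there so that hosts doing nothing but EHLO/STARTTLS/QUIT stay visible without ever entering the candidate list.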