On 2025-01-02 at 16:47:00 UTC-0500 (Thu, 02 Jan 2025 16:47:00 -0500)
Greg Klanderman via Postfix-users <g...@klanderman.net>
is rumored to have said:
> On January 2, 2025 Bill Cole via Postfix-users
> <postfix-users@postfix.org> wrote:
> [lots of snipping done ...]
>>> Is there any good reason to send ehlo multiple times?
>> It is always correct to ehlo a second time after initiating encryption
>> with starttls.
>> Beyond that, it may be perilous to interpret command
>> failures or non-delivering sessions as suspicious. For example, a
>> non-sending session that just does ehlo/starttls/ehlo/quit may only
>> be noticing a message size limit in the EHLO reply and giving up on
>> an oversize message, i.e. doing the right thing.
> Right, I plan to first implement some additions to my postfix logwatch
> script (already locally enhanced) to get a better handle on the
> situation.
> What do you think about 'unknown=0/*', is that fairly safe to target?
Yes. There's no valid reason for anything to be trying bogus commands.
> How about 'commands=0/0'?
I'd be reluctant to block an SMTP client simply for dropping the
connection. Stuff happens.
> A bit of hand analysis of the last month's logs seems to indicate that
> ~10 TLDs representing questionable scanners, plus ~4 TLDs which are
> cloud/vps/compute providers' hosts, account for effectively all errors
> and non-delivering sessions. No hosts matching these patterns
> actually delivered mail (whether spam or not, but I'm pretty
> aggressive about spam).
That's very similar to the pattern I see. Lots of Linode, Azure, and GCP
scanners and clearly compromised machines from all around. It's usually
safe to whack those, but not so much for their neighbors if you get a
diverse range of email.
> Interestingly, I seem not to have been connected to from an IPv6 host,
> at least in the last month...
IPv6 for email is a heavy lift for spammers because the big receivers
are much more strict about what they accept from IPv6 senders. For a
variety of reasons it is just simpler for people with IPv4 connectivity
to prefer it for email.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
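The triage the thread describes, as an added example that is not from the thread, from Postfix, or from either poster's logwatch script: it parses smtpd "disconnect from" summary lines (the name=ok or name=ok/total counters Postfix logs per session) and sorts sessions into the buckets discussed above. Only sessions with failed 'unknown' commands are treated as block candidates; 'commands=0/0' (client hung up) and the ehlo/starttls/ehlo/quit pattern (a plausible size-limit check) are counted but not targeted. The log lines, hostnames and addresses in SAMPLE_LOG are constructed for the example.

```python
"""Triage Postfix smtpd 'disconnect from' summaries.

Added example, not code from the mailing-list thread or from Postfix.
Postfix logs one disconnect line per session with counters of the form
  name=ok          (all of those commands succeeded)
  name=ok/total    (some failed; 'unknown' entries always look like 0/N)
'commands=0/0' means the client disconnected before sending anything.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Jan  2 16:47:00 mx postfix/smtpd[4711]: disconnect from unknown[203.0.113.5]"
    " ehlo=1 unknown=0/3 quit=1 commands=2/5",
    "Jan  2 16:47:05 mx postfix/smtpd[4712]: disconnect from unknown[203.0.113.6]"
    " commands=0/0",
    "Jan  2 16:47:09 mx postfix/smtpd[4713]: disconnect from scanner.example.net[198.51.100.7]"
    " ehlo=2 starttls=1 quit=1 commands=4",
    "Jan  2 16:47:20 mx postfix/smtpd[4714]: disconnect from mail.example.org[192.0.2.10]"
    " ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
    "Jan  2 16:48:01 mx postfix/smtpd[4715]: disconnect from unknown[203.0.113.5]"
    " ehlo=1 auth=0/1 quit=1 commands=2/3",
]

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?P<counters>(?: [a-z-]+=\d+(?:/\d+)?)+)$"
)
COUNTER_RE = re.compile(r"([a-z-]+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Return {'host', 'ip', 'counters': {name: (ok, total)}} or None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for name, ok, total in COUNTER_RE.findall(m.group("counters")):
        ok = int(ok)
        counters[name] = (ok, int(total) if total else ok)
    return {"host": m.group("host"), "ip": m.group("ip"), "counters": counters}


def classify(session):
    """Map one session to a triage bucket, most decisive test first."""
    c = session["counters"]

    def ok(name):
        return c.get(name, (0, 0))[0]

    def total(name):
        return c.get(name, (0, 0))[1]

    if total("commands") == 0:
        return "dropped"            # hung up before any command; not blockable alone
    if total("unknown") > 0:
        return "bogus-commands"     # sent commands smtpd does not recognise
    if ok("mail") > 0 or ok("rcpt") > 0:
        return "delivery-attempt"
    if ok("starttls") > 0 and ok("ehlo") >= 2 and ok("quit") > 0:
        return "probe-clean"        # ehlo/starttls/ehlo/quit, e.g. a size-limit check
    return "non-delivering"         # everything else (failed auth, rset-only, ...)


def summarize(lines):
    """Per-client-IP histogram of session buckets."""
    by_ip = defaultdict(Counter)
    for line in lines:
        session = parse_disconnect(line)
        if session:
            by_ip[session["ip"]][classify(session)] += 1
    return by_ip


def block_candidates(by_ip):
    """IPs that sent bogus commands; dropped/clean-probe sessions never qualify."""
    return sorted(ip for ip, kinds in by_ip.items() if kinds["bogus-commands"] > 0)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, kinds in sorted(stats.items()):
        print(ip, dict(kinds))
    print("block candidates:", block_candidates(stats))
```

Run it against `grep 'disconnect from' /var/log/mail.log` input instead of SAMPLE_LOG to get the per-IP view; the buckets are deliberately conservative so that a single dropped connection or a TLS-then-quit probe never lands an address on the candidate list by itself.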