>>>>> On January 2, 2025 Bill Cole via Postfix-users <postfix-users@postfix.org> wrote:

> On 2025-01-02 at 16:47:00 UTC-0500 (Thu, 02 Jan 2025 16:47:00 -0500)
> Greg Klanderman via Postfix-users <g...@klanderman.net> is rumored to have said:

>>>>>>> On January 2, 2025 Bill Cole via Postfix-users <postfix-users@postfix.org> wrote:

>> [lots of snipping done ...]

>> Is there any good reason to send ehlo multiple times?

> It is always correct to ehlo a second time after initiating encryption with starttls.

OK thanks

>>> Beyond that it may be perilous to interpret command failures or non-delivering sessions as suspicious. For example, a non-sending session that just does ehlo/starttls/ehlo/quit may only be noticing a message size limit in the EHLO reply and giving up on an oversize message, i.e. doing the right thing.
>>
>> Right, I plan to first implement some additions to my postfix logwatch script (already locally enhanced) to get a better handle on the situation.
>>
>> What do you think about 'unknown=0/*', is that fairly safe to target?

> Yes. There's no valid reason for anything to be trying bogus commands.

SG

>> How about 'commands=0/0'?

> I'd be reluctant to block an SMTP client simply for dropping the connection. Stuff happens.

Occasionally sure, but I have some hosts with many dozens, and a whole legion of scan-*.shadowserver.org that have each done it once. So I'd say maybe with the right thresholds it could make sense.

>> A bit of hand analysis of the last month's logs seems to indicate that ~10 TLDs representing questionable scanners, plus ~4 TLDs which are cloud/vps/compute providers' hosts, account for effectively all errors and non-delivering sessions. No hosts matching these patterns actually delivered mail (whether spam or not, but I'm pretty aggressive about spam).

> That's very similar to the pattern I see. Lots of Linode, Azure, and GCP scanners and clearly compromised machines from all around. It's usually safe to whack those, but not so much for their neighbors if you get a diverse range of email.

Yup, Linode is especially bad.

>> Interestingly, I seem not to have been connected to from an IPv6 host, at least in the last month...

> IPv6 for email is a heavy lift for spammers because the big receivers are much more strict about what they accept from IPv6 senders. For a variety of reasons it is just simpler for people with IPv4 connectivity to prefer it for email.

Cool, thanks for explaining that!

Greg

> --
> Bill Cole b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
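As an added example (not code from the thread or from Postfix), here is a small parser for Postfix `disconnect from` log lines that applies the two criteria discussed above: a session that attempted unknown commands (`unknown=0/N`) is flagged on sight, while `commands=0/0` sessions are only flagged per client IP once they cross a threshold, so a single dropped connection is not treated as hostile. The log lines, hostnames and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix's "disconnect from" format.
# Each counter is "name=succeeded" when everything succeeded, otherwise
# "name=succeeded/attempted"; "commands=0/0" is a session that sent nothing.
SAMPLE_LOG = """\
Jan  2 16:47:01 mx postfix/smtpd[1234]: disconnect from scan-01.example.net[192.0.2.10] commands=0/0
Jan  2 16:47:05 mx postfix/smtpd[1234]: disconnect from unknown[198.51.100.7] ehlo=1 unknown=0/3 quit=1 commands=2/5
Jan  2 16:48:10 mx postfix/smtpd[1235]: disconnect from mail.example.org[203.0.113.5] ehlo=2 starttls=1 quit=1 commands=4
Jan  2 16:49:00 mx postfix/smtpd[1236]: disconnect from vps.example.com[203.0.113.9] commands=0/0
Jan  2 16:49:30 mx postfix/smtpd[1237]: disconnect from vps.example.com[203.0.113.9] commands=0/0
Jan  2 16:50:00 mx postfix/smtpd[1238]: disconnect from vps.example.com[203.0.113.9] commands=0/0
"""

DISCONNECT_RE = re.compile(r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Return (host, ip, {counter: (succeeded, attempted)}) or None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for name, ok, tried in COUNTER_RE.findall(m.group("counters")):
        ok = int(ok)
        tried = int(tried) if tried else ok  # "ehlo=2" means 2/2
        counters[name] = (ok, tried)
    return m.group("host"), m.group("ip"), counters


def classify(log_text, empty_threshold=3):
    """Return (ips_that_sent_bogus_commands, ips_with_repeated_empty_sessions)."""
    bogus = set()
    empty_counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        _host, ip, c = parsed
        if c.get("unknown", (0, 0))[1] > 0:   # any attempted unknown command
            bogus.add(ip)
        if c.get("commands") == (0, 0):       # connected, sent nothing, left
            empty_counts[ip] += 1
    repeat_empty = {ip for ip, n in empty_counts.items() if n >= empty_threshold}
    return bogus, repeat_empty
```

Running `classify(SAMPLE_LOG)` flags 198.51.100.7 for bogus commands and 203.0.113.9 for three empty sessions, while the single empty session from 192.0.2.10 and the legitimate ehlo/starttls/ehlo/quit session are left alone.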