On 3/30/2010 2:46 PM, Terry Barnum wrote:
I moved our company over to postfix (v2.6.2) last Friday and have been
mesmerized by the log. One thing I'm seeing is a lot of 'lost connections from
unknown[ IP ]'. I'm hoping that these are due to either poorly written spambots
bailing early or smtpd_recipient_restrictions rejecting the connection.
Google finds discussions about it but I couldn't find anything really recent.
From the following can you determine if this is something I should be worried
about? I'd be happy to provide more or different log data if required.
$ grep 'lost connection' /var/log/mail.log
<snip>
Mar 30 05:07:14 mail postfix/smtpd[45236]: lost connection after DATA from unknown[123.28.125.3]
Mar 30 05:07:17 mail postfix/smtpd[45244]: lost connection after DATA from unknown[62.32.223.28]
Mar 30 05:07:18 mail postfix/smtpd[45240]: lost connection after RCPT from public16037.xdsl.centertel.pl[79.163.62.165]
Mar 30 05:07:18 mail postfix/smtpd[45159]: lost connection after RCPT from unknown[218.157.167.131]
Mar 30 05:07:20 mail postfix/smtpd[45188]: lost connection after CONNECT from unknown[212.63.221.10]
Mar 30 05:07:23 mail postfix/smtpd[45230]: lost connection after RCPT from mproxy01.jheel.bdcom.com[210.4.76.3]
Mar 30 05:07:25 mail postfix/smtpd[45229]: lost connection after DATA from unknown[119.15.93.218]
Mar 30 05:07:27 mail postfix/smtpd[45237]: lost connection after RCPT from unknown[213.198.111.207]
I believe these are all known spam sources. As a general rule
you can ignore errors from clients you don't care to receive
mail from.
I see you have zen.spamhaus.org in your config, is it catching
anything? Several of the above clients are currently listed
in zen and should have been rejected before DATA. Possibly
you've exceeded their query limits and need to pay for a feed.
-- Noel Jones
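
One way to check from the log itself whether the DNSBL is rejecting anything, and which clients reached DATA without a logged reject (an added example, not part of the original thread). The sample lines are constructed with documentation-range addresses, and the reject line assumes Postfix's usual "blocked using <zone>" wording; `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG = """\
Mar 30 05:07:14 mail postfix/smtpd[45236]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.com> proto=SMTP helo=<x>
Mar 30 05:07:15 mail postfix/smtpd[45236]: lost connection after DATA from unknown[192.0.2.10]
Mar 30 05:07:17 mail postfix/smtpd[45244]: lost connection after DATA from unknown[198.51.100.7]
Mar 30 05:07:18 mail postfix/smtpd[45240]: lost connection after RCPT from host.example.org[203.0.113.5]
Mar 30 05:07:20 mail postfix/smtpd[45188]: lost connection after CONNECT from unknown[203.0.113.9]
"""

# "lost connection after <STAGE> from <name>[<ip>]"
LOST = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after ([\w-]+) from \S*\[([^\]]+)\]")
# "reject: <STAGE> from <name>[<ip>]: ... blocked using <zone>;"
BLOCKED = re.compile(
    r"reject: \w+ from \S*\[([^\]]+)\]: .*blocked using (\S+?);")


def summarize(log_text, dnsbl="zen.spamhaus.org"):
    """Tally lost connections per SMTP stage and correlate with DNSBL rejects."""
    stages = Counter()
    rejected = set()   # client IPs the DNSBL restriction rejected
    lost = []          # (stage, ip) for every lost connection
    for line in log_text.splitlines():
        m = BLOCKED.search(line)
        if m and m.group(2) == dnsbl:
            rejected.add(m.group(1))
            continue
        m = LOST.search(line)
        if m:
            stages[m.group(1)] += 1
            lost.append((m.group(1), m.group(2)))
    # Clients that got as far as DATA with no DNSBL reject on record.
    unblocked = sorted({ip for stage, ip in lost
                        if stage == "DATA" and ip not in rejected})
    return {"by_stage": dict(stages),
            "dnsbl_rejected_clients": len(rejected),
            "data_without_reject": unblocked}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A `dnsbl_rejected_clients` count of zero over a busy log is the sign that the DNSBL lookups are not returning listings.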