Just noticed I have a large increase in SMTP connections. Looking at the logs I
noticed a single IP continuously attempting connections; searching for that
IP in maillog I see the following:

Is this like a mail attack?
I blocked the IP for now. How can I monitor and get warned when such
incidents happen?

grep 203.125.143.198 /var/log/maillog | wc
   8741   78745  894728


Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection rate 80/60s for (smtp:203.125.143.198) at Aug 25 14:01:42
Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection count 11 for (smtp:203.125.143.198) at Aug 25 14:01:49
Aug 25 14:12:20 postfix/smtpd[28271]: timeout after EHLO from lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[28271]: disconnect from lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26798]: timeout after EHLO from mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26798]: disconnect from mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26647]: timeout after EHLO from mail.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26647]: disconnect from mail.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26802]: timeout after EHLO from lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[26802]: disconnect from lshfs01.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[25430]: timeout after EHLO from mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:20 postfix/smtpd[25430]: disconnect from mailsvr.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:21 postfix/smtpd[25428]: timeout after AUTH from mail.elp-lsh.com.sg[203.125.143.198]
Aug 25 14:12:21 postfix/smtpd[25428]: disconnect from mail.elp-lsh.com.sg[203.125.143.198]


and

Aug 25 13:21:36 postfix/anvil[32254]: statistics: max connection rate 75/60s for (smtp:203.125.143.198) at Aug 25 13:21:35
Aug 25 13:21:36 postfix/anvil[32254]: statistics: max connection count 13 for (smtp:203.125.143.198) at Aug 25 13:21:33
Aug 25 13:31:36 postfix/anvil[32254]: statistics: max connection rate 82/60s for (smtp:203.125.143.198) at Aug 25 13:23:42
Aug 25 13:31:36 postfix/anvil[32254]: statistics: max connection count 13 for (smtp:203.125.143.198) at Aug 25 13:22:52
Aug 25 13:41:36 postfix/anvil[32254]: statistics: max connection rate 70/60s for (smtp:203.125.143.198) at Aug 25 13:31:53
Aug 25 13:41:36 postfix/anvil[32254]: statistics: max connection count 16 for (smtp:203.125.143.198) at Aug 25 13:32:21
Aug 25 13:51:36 postfix/anvil[32254]: statistics: max connection rate 74/60s for (smtp:203.125.143.198) at Aug 25 13:42:09
Aug 25 13:51:36 postfix/anvil[32254]: statistics: max connection count 12 for (smtp:203.125.143.198) at Aug 25 13:43:04
Aug 25 14:01:36 postfix/anvil[32254]: statistics: max connection rate 78/60s for (smtp:203.125.143.198) at Aug 25 13:57:35
Aug 25 14:01:36 postfix/anvil[32254]: statistics: max connection count 17 for (smtp:203.125.143.198) at Aug 25 13:58:35
Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection rate 80/60s for (smtp:203.125.143.198) at Aug 25 14:01:42
Aug 25 14:11:36 postfix/anvil[32254]: statistics: max connection count 11 for (smtp:203.125.143.198) at Aug 25 14:01:49
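One way to get warned about a burst like the one above is to watch the anvil "max connection rate/count" statistics lines, which Postfix writes once per status interval for the busiest client. The script below is an added example, not code from the original post; the script name anvil_alert.py, the syslog hostname field "mx1", the default thresholds and the sample log lines (constructed with RFC 5737 test addresses) are all assumptions.

```python
import re
import sys
from collections import defaultdict

# Matches the "max connection rate/count" statistics lines that Postfix's
# anvil logs once per status interval; the syslog hostname field is optional.
ANVIL_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?:\S+ )?postfix/anvil\[\d+\]: statistics: "
    r"max connection (?P<kind>rate|count) (?P<value>\d+)(?:/\d+s)? "
    r"for \((?P<service>[^:)]+):(?P<ip>[^)]+)\) at \w{3} +\d+ \d\d:\d\d:\d\d$"
)

def parse_anvil(lines):
    """Yield (ip, kind, value) for each anvil connection-statistics line."""
    for line in lines:
        m = ANVIL_RE.match(line.rstrip("\n"))
        if m:
            yield m["ip"], m["kind"], int(m["value"])

def peak_per_client(lines):
    """Highest connection rate and concurrent-connection count per client IP."""
    peaks = defaultdict(lambda: {"rate": 0, "count": 0})
    for ip, kind, value in parse_anvil(lines):
        peaks[ip][kind] = max(peaks[ip][kind], value)
    return dict(peaks)

def alerts(lines, rate_limit=30, count_limit=10):
    """Return (ip, reason) for each client whose peak exceeds a limit (60s window)."""
    out = []
    for ip, p in sorted(peak_per_client(lines).items()):
        if p["rate"] > rate_limit:
            out.append((ip, f"connection rate {p['rate']}/60s > {rate_limit}"))
        if p["count"] > count_limit:
            out.append((ip, f"concurrent connections {p['count']} > {count_limit}"))
    return out

# Constructed sample in the post's log format (hostname "mx1", RFC 5737 test
# addresses); the smtpd line must be ignored by the parser.
SAMPLE = """\
Aug 25 13:21:36 mx1 postfix/anvil[32254]: statistics: max connection rate 75/60s for (smtp:203.0.113.7) at Aug 25 13:21:35
Aug 25 13:21:36 mx1 postfix/anvil[32254]: statistics: max connection count 13 for (smtp:203.0.113.7) at Aug 25 13:21:33
Aug 25 13:31:36 mx1 postfix/anvil[32254]: statistics: max connection rate 82/60s for (smtp:203.0.113.7) at Aug 25 13:23:42
Aug 25 13:31:36 mx1 postfix/anvil[32254]: statistics: max connection count 11 for (smtp:203.0.113.7) at Aug 25 13:22:52
Aug 25 13:31:36 mx1 postfix/anvil[32254]: statistics: max connection rate 3/60s for (smtp:198.51.100.20) at Aug 25 13:25:01
Aug 25 13:32:20 mx1 postfix/smtpd[28271]: timeout after EHLO from unknown[203.0.113.7]
""".splitlines()

if __name__ == "__main__":  # e.g. python3 anvil_alert.py /var/log/maillog
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for ip, reason in alerts(src):
        print(f"ALERT {ip}: {reason}")
```

anvil only records the peak per status interval, so run this from cron over the whole maillog (or feed it from a log shipper) rather than tailing it. Set the thresholds below whatever smtpd_client_connection_rate_limit and smtpd_client_connection_count_limit you configure in main.cf, so you are alerted before the limits start rejecting clients.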