On Tue, Dec 24, 2013 at 03:11:11PM -0500, Wietse Venema wrote:

> > Dec 24 11:33:10 mail02 postfix/smtpd[8603]: too many errors after DATA
> > from unknown[23.92.90.231]

    NetRange:       23.92.90.224 - 23.92.90.239
    CIDR:           23.92.90.224/28
    OriginAS:       AS19531
    NetName:        SC7276-23-92-90-224-28
    NetHandle:      NET-23-92-90-224-1
    Parent:         NET-23-92-80-0-1
    NetType:        Reassigned
    Comment:        THIS BLOCK IS NON-PORTABLE
    RegDate:        2013-10-24
    Updated:        2013-10-24
    Ref:            http://whois.arin.net/rest/net/NET-23-92-90-224-1

    CustName:       Private Customer
    Address:        Private Residence
    City:           BELO HORIZONTE
    StateProv:      INTERNATIONAL
    PostalCode:     30690-510
    Country:        BR
    RegDate:        2013-10-24
    Updated:        2013-10-24
    Ref:            http://whois.arin.net/rest/customer/C04743203

Almost certainly a spamming machine, no PTR record.  Brain-damage
in SMTP from spam-emitting machines is to be expected.

> > Dec 24 11:48:06 mail01 postfix/smtpd[14470]: too many errors after
> > RCPT from mail.virtualarmor.com[64.92.219.81]

There the error is after "RCPT TO", thus too many invalid addresses.
Either a low-quality mailing list or a dictionary attack.

> > I've researched the smtp_*_error_limit variables and people's
> > recommendations to adjust them, but I don't understand why they are
> > being generated. Could it at all be related to sqlgrey?
>
> This almost certainly means that the remote SMTP client sent
> <CR><LF>.<CR><LF> in the middle of the message content. From then
> on, the SMTP server must process every input line as an SMTP command.
> The result is that message content is processed as SMTP commands.

That applies to the spam node, but we don't care.

> There is a mail server at 64.92.219.81 that claims to be Postfix,
> but that doesn't mean that the message actually came from that
> server (64.92.219.81 could be a network address translator that is
> shared by multiple systems).

This IP address almost certainly has a real Postfix server.  Perhaps
it is configured to do sender address verification, ...

-- 
    Viktor.
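
Added example, not part of the original message or of Postfix: a small Python triage of "too many errors after ..." smtpd log lines that groups them by client and SMTP stage and attaches the reading given in the thread for DATA and RCPT. The function name `triage`, the field names and the note wording are assumptions made for this example; the sample input is the two log lines quoted above, rejoined onto one line each.

```python
import re
from collections import defaultdict

# The two log lines quoted in the thread, each rejoined onto a single line.
SAMPLE_LOG = """\
Dec 24 11:33:10 mail02 postfix/smtpd[8603]: too many errors after DATA from unknown[23.92.90.231]
Dec 24 11:48:06 mail01 postfix/smtpd[14470]: too many errors after RCPT from mail.virtualarmor.com[64.92.219.81]
"""

# stage = SMTP stage named in the log line, host/ip = client as logged.
# The address class also accepts IPv6 literals.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: too many errors after (?P<stage>\S+) "
    r"from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

# Readings given in the thread for each stage (wording is this example's).
STAGE_NOTES = {
    "DATA": "end-of-data marker inside the content; the rest was parsed as commands",
    "RCPT": "too many invalid recipients: low-quality list or dictionary attack",
}


def triage(log_text):
    """Group 'too many errors' events by (client IP, stage)."""
    events = defaultdict(lambda: {"count": 0, "host": None,
                                  "no_verified_name": False, "note": ""})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a "too many errors" line
        ev = events[(m["ip"], m["stage"])]
        ev["count"] += 1
        ev["host"] = m["host"]
        # smtpd logs the client name as "unknown" when it has no verified
        # hostname for the address, for example when there is no PTR record.
        ev["no_verified_name"] = m["host"] == "unknown"
        ev["note"] = STAGE_NOTES.get(m["stage"], "stage not discussed in the thread")
    return dict(events)


if __name__ == "__main__":
    for (ip, stage), ev in sorted(triage(SAMPLE_LOG).items()):
        flag = " (no verified hostname)" if ev["no_verified_name"] else ""
        print(f"{ip} {ev['host']}{flag}: {ev['count']}x after {stage}: {ev['note']}")
```
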