Hello, I routinely see 'pulses' of the following traffic, from myriad IPs around the planet, hitting my mailservers' postfix front-ends:

...
May 15 09:02:12 mx postfix/smtpd[26321]: connect from unknown[69.198.138.134]
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 Service unavailable; Client host [69.198.138.134] blocked using b.barracudacentral.org; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 Service unavailable; Client host [69.198.138.134] blocked using b.barracudacentral.org; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: NOQUEUE: reject: RCPT from unknown[69.198.138.134]: 554 5.7.1 <badma...@mydomain.com>: Recipient address rejected: 554 5.7.1 Service unavailable; from=<quarriesyp...@ritcey.com> to=<badma...@mydomain.com> proto=ESMTP helo=<iGateway>
May 15 09:02:12 mx postfix/smtpd[26321]: lost connection after DATA from unknown[69.198.138.134]
May 15 09:02:12 mx postfix/smtpd[26321]: disconnect from unknown[69.198.138.134]
...

I understand this is likely botnet-generated traffic. They occur all day long, typically ~1-10 times/minute.

I understand that postfix is doing the job I intend in rejecting this traffic.

IIUC, postfix caches some IP, DNS, etc. data to keep performance efficient in such cases, but I do NOT understand enough about it to know if these 'pulses' of ~10 connections per 1-2 seconds represent a load on the system that's unreasonable, and should be further limited.

I'd appreciate some additional insight as to whether this ^^^ is considered normal/typical load, and if not, any recommendation as to what additional protection methods to read about & employ.

Thanks,
Grant
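
An added example, not part of the original post: a small Python script that tallies, per client IP, the connects, rejected RCPT commands and peak rejects within one second, from smtpd log lines of the kind quoted above. The sample log is constructed (documentation-range IPs, example.* addresses), and all function and variable names are this example's own.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\s(?P<msg>.*)$")
CLIENT_RE = re.compile(r"from \S*?\[(?P<ip>[0-9a-fA-F.:]+)\]")

def summarize(log_text):
    """Per client IP: connects, rejected RCPTs, and peak rejects in one second."""
    connects, rejects = Counter(), Counter()
    per_second = defaultdict(Counter)          # ip -> {timestamp: rejects}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        c = CLIENT_RE.search(m.group("msg")) if m else None
        if not c:
            continue                           # not an smtpd client line
        ip, msg = c.group("ip"), m.group("msg")
        if msg.startswith("connect from "):
            connects[ip] += 1
        elif msg.startswith("NOQUEUE: reject:"):
            rejects[ip] += 1
            per_second[ip][m.group("ts")] += 1
    return {ip: {"connects": connects[ip], "rejects": rejects[ip],
                 "peak_per_sec": max(per_second[ip].values(), default=0)}
            for ip in set(connects) | set(rejects)}

# Constructed sample in the shape of the log quoted above: documentation-range
# IPs and example.* addresses, not data from the post.
def _smtpd(ts, msg):
    return f"May 15 {ts} mx postfix/smtpd[26321]: {msg}"

def _reject(ts, ip):
    return _smtpd(ts, f"NOQUEUE: reject: RCPT from unknown[{ip}]: 554 5.7.1 "
                      "Service unavailable; from=<sender@example.com> "
                      "to=<rcpt@example.net> proto=ESMTP helo=<iGateway>")

SAMPLE_LOG = "\n".join(
    [_smtpd("09:02:12", "connect from unknown[192.0.2.10]")]
    + [_reject("09:02:12", "192.0.2.10")] * 9
    + [_smtpd("09:02:12", "lost connection after DATA from unknown[192.0.2.10]"),
       _smtpd("09:02:12", "disconnect from unknown[192.0.2.10]"),
       _smtpd("09:02:13", "connect from unknown[198.51.100.7]"),
       _reject("09:02:13", "198.51.100.7"),
       _reject("09:02:14", "198.51.100.7")])

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, s)
```

Run over a real log, the ratio of rejects to connects shows how many of the rejected RCPT lines come from a single session rather than from separate connections.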