On 19 Apr 2016, at 11:14, jaso...@mail-central.com wrote:
> and I DO want to log the bad-actor event. At least the initiation of
> it. So I chose == enforce here
With "drop" you get logging like this:
Apr 13 15:53:22 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:42740 to [192.168.254.72]:25
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: PREGREET 149 after 0.06 from [106.184.3.122]:42740: GET http://www.ipip.net/ HTTP/1.1\r\nHost: www.ipip.net\r\nAccept: */*\r\nPragma: no-cache\r\nUser-A
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:42740
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:43174 to [192.168.254.72]:25
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: PREGREET 32 after 0 from [106.184.3.122]:43174: SSH-2.0-LYGhost_1.2.7-20100630\r\n
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:43174
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:43488 to [192.168.254.72]:25
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: PREGREET 156 after 0 from [106.184.3.122]:43488: \000\234\000\001\032+<M\000\001\000\000\001\000\000\000\000\000\000\001\000\000\000\001\000\000\n(\0
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:43488
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:44086 to [192.168.254.72]:25
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: PREGREET 4 after 0 from [106.184.3.122]:44086: \005\002\000\002
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:44086
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:44482 to [192.168.254.72]:25
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: PREGREET 9 after 0 from [106.184.3.122]:44482: \004\001\037\000\000\000\000\000\000
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:44482
So, 3 lines per connection (plus any dnsblog hits) instead of 7 for bots
of that species.
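The message above argues that "drop" still records the initiation of the bad-actor event while cutting the per-connection log volume to a CONNECT / PREGREET / DISCONNECT triple. The following Python script is an added example, not part of the thread and not Postfix code: it parses postscreen lines of that shape, groups them per client connection, counts lines per connection, and makes a rough protocol guess from the pregreet payload (the HTTP/SSH/binary heuristics are this example's own assumptions, not anything postscreen reports). The sample log is constructed by rejoining a few of the wrapped lines from the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample: three of the connections from the excerpt above,
# rejoined so that each postscreen event sits on one line. Raw string, so
# the \r\n and octal escapes stay exactly as postscreen writes them.
SAMPLE_LOG = r"""
Apr 13 15:53:22 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:42740 to [192.168.254.72]:25
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: PREGREET 149 after 0.06 from [106.184.3.122]:42740: GET http://www.ipip.net/ HTTP/1.1\r\nHost: www.ipip.net\r\nAccept: */*\r\nPragma: no-cache\r\nUser-A
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:42740
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:43174 to [192.168.254.72]:25
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: PREGREET 32 after 0 from [106.184.3.122]:43174: SSH-2.0-LYGhost_1.2.7-20100630\r\n
Apr 13 15:53:23 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:43174
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: CONNECT from [106.184.3.122]:44086 to [192.168.254.72]:25
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: PREGREET 4 after 0 from [106.184.3.122]:44086: \005\002\000\002
Apr 13 15:53:24 bigsky postfix/postscreen[85824]: DISCONNECT [106.184.3.122]:44086
"""

# Syslog prefix plus the three postscreen events this example cares about.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/postscreen\[(?P<pid>\d+)\]: (?P<event>CONNECT|PREGREET|DISCONNECT)(?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
PREGREET_RE = re.compile(
    r"^ (?P<length>\d+) after (?P<delay>\d+(?:\.\d+)?) from "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<data>.*)$"
)


def parse_events(text):
    """Turn postscreen log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "event": m["event"], "length": None, "delay": None, "data": None}
        if ev["event"] == "PREGREET":
            pm = PREGREET_RE.match(m["rest"])
            if not pm:
                continue
            ev.update(ip=pm["ip"], port=int(pm["port"]), length=int(pm["length"]),
                      delay=float(pm["delay"]), data=pm["data"])
        else:
            cm = CLIENT_RE.search(m["rest"])  # first [ip]:port is always the client side
            if not cm:
                continue
            ev.update(ip=cm["ip"], port=int(cm["port"]))
        events.append(ev)
    return events


def classify_pregreet(data):
    """Heuristic guess (this example's own) at what protocol a pregreet payload belongs to."""
    if data.startswith("SSH-"):
        return "ssh"
    if re.match(r"^(GET|POST|HEAD|PUT|OPTIONS|CONNECT) ", data):
        return "http"
    if re.search(r"\\[0-3][0-7]{2}", data):  # postscreen logs non-printable bytes as octal escapes
        return "binary"
    return "other"


def group_connections(events):
    """Group events per client connection; a CONNECT for an (ip, port) starts a new group."""
    open_conns, connections = {}, []
    for ev in events:
        key = (ev["ip"], ev["port"])
        if ev["event"] == "CONNECT" or key not in open_conns:
            conn = {"ip": ev["ip"], "port": ev["port"], "events": []}
            connections.append(conn)
            open_conns[key] = conn
        open_conns[key]["events"].append(ev)
    return connections


def summarize(text):
    """Per client IP: connections, PREGREET hits, log lines per connection, protocols guessed."""
    summary = defaultdict(lambda: {"connections": 0, "pregreets": 0, "log_lines": 0, "protocols": set()})
    for conn in group_connections(parse_events(text)):
        s = summary[conn["ip"]]
        s["connections"] += 1
        s["log_lines"] += len(conn["events"])
        for ev in conn["events"]:
            if ev["event"] == "PREGREET":
                s["pregreets"] += 1
                s["protocols"].add(classify_pregreet(ev["data"]))
    for s in summary.values():
        s["lines_per_connection"] = s["log_lines"] / s["connections"] if s["connections"] else 0.0
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['connections']} connections, {s['pregreets']} pregreets, "
              f"{s['lines_per_connection']:.1f} lines/connection, protocols={sorted(s['protocols'])}")
```

Run against a real mail log (`summarize(open('/var/log/mail.log').read())`, path assumed) the per-IP pregreet count is the "initiation" record the poster wants to keep, and the protocols set shows at a glance whether a client is an HTTP proxy scanner, an SSH probe, or something throwing raw bytes at port 25.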