No wait... What?
This is no attack. Attack is when you try to break or enforce.. This is
a probe, and from the probe we can deduce from the reported disconnect
that 1. helo was tried, 2. no auth was attempted and 3, quit was used.
So a test for helo and quit? and no auth.
Someone is testing your IP and mail capibility.. perhaps>>
On 20/10/2016 22:20, Bill Cole wrote:
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
Its clear from the log, the attacker isn't even attemping to
authenticate (0 attempts). The attacker hasn't propably not even
realized he is connecting to a mail server.
No. There's a jumble there, but at least one is a lame "attack" of a
sort. The only *Postfix* messages were:
Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from
unknown[216.15.186.126]
Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from
unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
*THAT* client tried to authenticate and failed. It's a CBL-listed IP
on a chronically abuse-friendly network.
The rest were all messages from Dovecot components, about failed SSL
connections from a mix of IPs. Impossible to know what the reasons for
those were without tracking down the person running the computer.
