On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
> I am wondering what is the purpose of connections like these:
>
> postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1
> auth=0/1 rset=1 quit=1 commands=3/4
They send EHLO, a failed AUTH attempt, then RSET and QUIT.
> I have lots of these in my logs, from different IP addresses.
>
> What is the goal of these agents?
They're testing for weak passwords, either a whitehat or blackhat
scan SASL vulnerability scan.
--
Viktor.
