On Fri, Nov 15, 2019 at 12:52 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
>
> > I am wondering what is the purpose of connections like these:
> >
> > postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> > postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
>
> They send EHLO, a failed AUTH attempt, then RSET and QUIT.
>
good grief!! Thanks for noticing!

> > I have lots of these in my logs, from different IP addresses.
> >
> > What is the goal of these agents?
>
> They're testing for weak passwords, either a whitehat or blackhat
> scan SASL vulnerability scan.
>
ok then this makes sense. I've seen bots retry multiple passwords at one go in the past; Fourhundred, are all of these "auth=0/1"?

-jf