On 15 Nov 2019, at 5:28, Jeffrey 'jf' Lim wrote:
> On Fri, Nov 15, 2019 at 6:23 PM Allen Coates
> <znab...@cidercounty.org.uk> wrote:
> [...]
>> Disabling auth does not stop them from trying; I scan my logs for
>> the string "auth=0/1", and add the offending IP address to a
>> blacklist - a do-it-yourself fail2ban.
>
> It should.

Well, yes. And yet, it doesn't.

> Unless they're the dumbest bots of all time, because you
> should have stopped advertising auth in your EHLO response after
> disabling.
I have to note that there is competition for that title, because for well
over a decade the Cutwail/Pushdo bot has been making hundreds of
near-simultaneous connections to a single target, saying "EHLO ymlf-pc"
without waiting for a banner, and being rejected precisely because of
that idiosyncratic behavior by a large fraction of Sendmail, Postfix,
and CGP mail servers, as well as any others implementing greeting delays
and most using the CBL (which takes about an hour on average to notice
new members of that botnet...)
It is also worth noting that at least one MTA has made the same
assumption about appropriate client behavior, offering a switch to turn
AUTH advertisement on and off but NOT actually disabling authentication
when not advertising it.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
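The "scan the logs for auth=0/1 and blacklist the IP" routine quoted above, worked through as an added example that is not code from anyone in this thread. It assumes the per-session "disconnect" summary that Postfix 3.1 and later smtpd writes (each command as name=<succeeded>/<attempted>, with the "/<attempted>" part present only when some attempts failed), constructed sample log lines, and a hypothetical failure threshold; the output is the body of a Postfix access(5) table that could be fed to check_client_access.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread) in the shape of the
# per-session "disconnect" summary Postfix 3.1+ smtpd writes. Each SMTP
# command is listed as name=<succeeded>/<attempted>; the "/<attempted>"
# part appears only when at least one instance of that command failed,
# so "auth=0/1" is one refused AUTH and "auth=1" is one accepted AUTH.
SAMPLE_LOG = """\
Nov 15 05:20:01 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Nov 15 05:20:03 mx postfix/smtpd[1235]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Nov 15 05:20:05 mx postfix/smtpd[1236]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/2 rset=1 quit=1 commands=3/5
Nov 15 05:21:10 mx postfix/smtpd[1237]: disconnect from mail.example.net[198.51.100.5] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Nov 15 05:22:00 mx postfix/smtpd[1238]: disconnect from unknown[203.0.113.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Nov 15 05:22:30 mx postfix/smtpd[1239]: disconnect from unknown[203.0.113.8] ehlo=1 auth=0/1 quit=1 commands=2/3
Nov 15 05:23:00 mx postfix/smtpd[1240]: disconnect from unknown[IPv6:2001:db8::1] ehlo=1 auth=0/3 quit=1 commands=2/5
Nov 15 05:23:05 mx postfix/smtpd[1241]: connect from unknown[192.0.2.10]
"""

# Client address sits in brackets after the (possibly "unknown") hostname;
# Postfix prefixes IPv6 literals with "IPv6:", which we drop.
DISCONNECT_RE = re.compile(r"disconnect from \S+\[(?:IPv6:)?([^\]]+)\]")
# AUTH counter: "auth=<ok>" or "auth=<ok>/<attempted>".
AUTH_RE = re.compile(r"\bauth=(\d+)(?:/(\d+))?")


def failed_auth_counts(log_text: str) -> Counter:
    """Return a Counter of refused AUTH commands per client IP.

    Failures per session are attempted - succeeded; a bare "auth=<ok>"
    (no slash) means every AUTH in that session succeeded, i.e. 0 failures.
    Sessions with no AUTH command at all are ignored.
    """
    failures: Counter = Counter()
    for line in log_text.splitlines():
        host = DISCONNECT_RE.search(line)
        auth = AUTH_RE.search(line)
        if not host or not auth:
            continue  # not a disconnect summary, or AUTH was never tried
        ok = int(auth.group(1))
        attempted = int(auth.group(2)) if auth.group(2) is not None else ok
        failed = attempted - ok
        if failed > 0:
            failures[host.group(1)] += failed
    return failures


def blacklist_candidates(log_text: str, threshold: int = 2) -> list[str]:
    """IPs whose refused-AUTH total reaches the (hypothetical) threshold."""
    counts = failed_auth_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_access_map(ips) -> str:
    """Body of a Postfix access(5) table: one 'client REJECT' line per IP."""
    return "".join(f"{ip} REJECT\n" for ip in ips)


if __name__ == "__main__":
    # Standalone run: print the table you would postmap and plug into
    # smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
    print(render_access_map(blacklist_candidates(SAMPLE_LOG, threshold=2)), end="")
```

Two things the thread's discussion implies for anyone doing this: the counts only appear at disconnect, so a bot that keeps a session open is invisible until it hangs up; and because Postfix still logs the refused AUTH even when SASL is disabled (the "auth=0/1" Allen greps for), the same scan keeps working after you stop advertising AUTH, which is exactly the case where the attempts should have gone away and didn't.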