>> Oct 21 20:22:39 memoryalpha dovecot: imap-login: Aborted login (no auth
>> attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured,
>> session=<Tvvn+TmyNq9/AAAB>
>
> But note also "dovecot" showing up here. It looks like the spammer is
> using some feature of Dovecot to originate a connection to the Postfix
> SMTP server.

Actually, it's most likely a log entry from a periodic probe of my server's functions (including its IMAP service) by Nagios.

I captured another incident last night, and there was no mention of Dovecot in the log. I'm not attaching the log for this second incident right now (I had "smtpd -v" in effect and the log data is really long), but I can share it if people really want to see it.

I've made another change to my Postfix configuration -- I changed the value of postscreen_blacklist_action to "drop". I'm still waiting to see if I have any more instances of open relay attempts from localhost after having made this change. If the earlier open relay attempts are in fact somehow (still unsure how?) being generated as a consequence of the blacklisted connection, then maybe having postscreen drop right away will nip the open relay attempts in the bud.

Rich Wales
ri...@richw.org