On Wed, Feb 10, 2021 at 4:21 PM Ron Garret <r...@flownet.com> wrote:
>
> Hello (not helo :-)
>
> I am working on a spam filter and so I find myself spending a lot more 
> quality time with mail logs than I used to.  One of the things I have noticed 
> is that I will get a lot of connections that send a HELO command and then 
> disconnect.  Sometimes I get this repeated several times a minute from the 
> same IP for hours on end.  What is going on here?  Should I block these IPs?  
> Am I being scanned?  By what?  To what end?
>
That reminds me of the incomplete TCP handshake scan. You may
want to run something like fail2ban and block that.

> Thanks,
> rg
>
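
The pattern discussed in this thread can be measured from the logs before any blocking rule is written. The following is an added example, not part of either poster's message: it counts HELO-then-disconnect events per IP inside a sliding window, the same idea as fail2ban's `maxretry` and `findtime` settings. It assumes Postfix-style smtpd log lines (the thread does not name the MTA); the log lines, host names, addresses and the function name are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Postfix-style smtpd log lines; the thread does not name the MTA.
HELO_DROP = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after HELO from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Feb 10 16:01:05 mx postfix/smtpd[4211]: connect from unknown[203.0.113.7]
Feb 10 16:01:05 mx postfix/smtpd[4211]: lost connection after HELO from unknown[203.0.113.7]
Feb 10 16:01:20 mx postfix/smtpd[4213]: lost connection after HELO from unknown[203.0.113.7]
Feb 10 16:01:25 mx postfix/smtpd[4214]: lost connection after HELO from mail.example.net[198.51.100.4]
Feb 10 16:01:41 mx postfix/smtpd[4215]: lost connection after HELO from unknown[203.0.113.7]
Feb 10 16:01:58 mx postfix/smtpd[4216]: lost connection after HELO from unknown[203.0.113.7]
Feb 10 16:20:00 mx postfix/smtpd[4300]: lost connection after HELO from mail.example.net[198.51.100.4]
Feb 10 16:20:02 mx postfix/smtpd[4301]: lost connection after DATA from unknown[192.0.2.9]
""".splitlines()


def find_helo_droppers(lines, max_hits=3, window=timedelta(minutes=1), year=2021):
    """Return {ip: peak count} for IPs that reach max_hits HELO-then-disconnect
    events within any single sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = HELO_DROP.match(line)
        if not m:
            continue              # other smtpd events are ignored
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= max_hits:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_helo_droppers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} HELO-then-disconnect events within one minute")
```

An address that drops after HELO only occasionally, like the second one in the sample, stays under the threshold and is not flagged.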
