On Wed, Feb 10, 2021 at 01:20:30PM -0800, Ron Garret wrote:
> I am working on a spam filter and so I find myself spending a lot more
> quality time with mail logs than I used to. One of the things I have
> noticed is that I will get a lot of connections that send a HELO
> command and then disconnect. Sometimes I get this repeated several
> times a minute from the same IP for hours on end. What is going on
> here? Should I block these IPs? Am I being scanned? By what? To
> what end?
Generally, just ignore these. Focus instead on the systems that attempt to send junk mail.

Some of the EHLO mail systems are various systems doing legitimate Internet surveys. My DANE survey bot (dnssec-stats.ant.isi.edu) is generously hosted by isi.edu (with thanks to Wes Hardaker for making that possible), and will typically connect to an MX host of a DNSSEC-signed domain once or twice per IP address (listed in DNS for its hostname) per day, provided the MX host is also in a DNSSEC-signed zone and has DANE TLSA records. Other surveys focus on other features and have a different connection pattern.

Once a minute for several hours on end does seem rather more frequent than I would expect of a legitimate survey. If you're sufficiently curious, you could check to see whether there is an associated website that documents the activity, and/or any relevant TXT (or RP) DNS records. For example:

    dnssec-stats.ant.isi.edu. IN TXT "v=spf1 ip4:128.9.29.254 ip6:2001:1878:401::8009:1dfe ~all"
    dnssec-stats.ant.isi.edu. IN TXT "DNSSEC/DANE deployment survey. See https://stats.dnssec-tools.org/ for details."

I should probably also add an "RP" record, though few publish or know about these:
https://tools.ietf.org/html/rfc1183#section-2

-- 
Viktor.
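One way to pull the pattern Ron describes out of the logs before deciding whether an IP is worth a second look, as an added example that is not from the original thread: it groups Postfix smtpd "disconnect" lines by client IP, keeps only sessions that sent HELO/EHLO but never MAIL, and flags IPs whose such sessions repeat faster than once a minute on average. It assumes the Postfix 3.x disconnect-line format with per-command counts; the log lines below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Postfix 3.x smtpd "disconnect" format (not from the
# original post). Postfix logs per-command counts at disconnect, so "ehlo=1 commands=1"
# means the client sent only EHLO and dropped; a real delivery shows mail=/rcpt=/data=.
SAMPLE_LOG = """\
Feb 10 13:00:05 mx postfix/smtpd[4101]: disconnect from unknown[192.0.2.10] ehlo=1 commands=1
Feb 10 13:00:40 mx postfix/smtpd[4102]: disconnect from unknown[192.0.2.10] ehlo=1 commands=1
Feb 10 13:01:15 mx postfix/smtpd[4103]: disconnect from unknown[192.0.2.10] ehlo=1 quit=1 commands=2
Feb 10 13:02:02 mx postfix/smtpd[4104]: disconnect from unknown[192.0.2.10] helo=1 commands=1
Feb 10 13:05:00 mx postfix/smtpd[4105]: disconnect from survey.example.net[198.51.100.7] ehlo=1 starttls=1 quit=1 commands=3
Feb 10 13:07:30 mx postfix/smtpd[4106]: disconnect from relay.example.org[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counts>.*)$"
)

def probe_sessions(log_text):
    """Map client IP -> sorted timestamps of sessions that sent HELO/EHLO but no MAIL."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counts = dict(kv.split("=", 1) for kv in m["counts"].split())
        if "mail" in counts or not ("helo" in counts or "ehlo" in counts):
            continue  # a real delivery attempt, or no greeting at all: not a probe
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year irrelevant for intervals
        by_ip[m["ip"]].append(ts)
    return {ip: sorted(t) for ip, t in by_ip.items()}

def frequent_probers(log_text, min_sessions=3, max_avg_interval=60.0):
    """IPs whose HELO-only sessions recur faster than max_avg_interval seconds on average."""
    flagged = {}
    for ip, times in probe_sessions(log_text).items():
        if len(times) < min_sessions:
            continue  # one or two probes a day looks like a survey, not a scanner
        avg = (times[-1] - times[0]).total_seconds() / (len(times) - 1)
        if avg <= max_avg_interval:
            flagged[ip] = {"count": len(times), "avg_interval": avg}
    return flagged

if __name__ == "__main__":
    for ip, info in frequent_probers(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} HELO-only sessions, avg {info['avg_interval']:.0f}s apart")
```

A flagged IP is a candidate for the reverse-DNS and TXT/RP lookup Viktor suggests, not an automatic block.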