Recently, I've noticed a lot of repeated connections, like this:
Jul 29 20:26:06 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]
Sometimes I manage to catch the spambot in the act, and set up tshark to
dump the traffic:
44.048894 5.9.72.151 -> 175.101.8.162 SMTP 102 S: 220 smtp.jernurt.dk ESMTP Postfix (Debian/GNU)
44.636765 175.101.8.162 -> 5.9.72.151 SMTP 65 C: EHLO USER
44.636789 5.9.72.151 -> 175.101.8.162 TCP 54 smtp > 53818 [ACK] Seq=49 Ack=12 Win=14720 Len=0
44.636893 5.9.72.151 -> 175.101.8.162 SMTP 192 S: 250-smtp.jernurt.dk | 250-PIPELINING | 250-SIZE 1024 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
45.293030 175.101.8.162 -> 5.9.72.151 SMTP 66 C: AUTH LOGIN
45.293114 5.9.72.151 -> 175.101.8.162 SMTP 99 S: 503 5.5.1 Error: authentication not enabled
45.906139 175.101.8.162 -> 5.9.72.151 SMTP 76 C: YmxvZy53ZWdnZS5kaw==
45.906224 5.9.72.151 -> 175.101.8.162 SMTP 95 S: 502 5.5.2 Error: command not recognized
46.535497 175.101.8.162 -> 5.9.72.151 SMTP 68 C: c2VydmljZQ==
46.535579 5.9.72.151 -> 175.101.8.162 SMTP 95 S: 502 5.5.2 Error: command not recognized
I hope this will be readable, even for people not familiar with tshark
output.
My analysis is that the remote system is making a dictionary attack, to try
and see if it's possible to relay mail through my server that way.
Unfortunately (for the spammer), postfix is configured with
smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info
can grow rather large, so I would like to have a sure-fire trigger in the
log that I can use to put an iptables block in place with fail2ban.
So my question is: Is it possible to get a log entry for remote systems
that try to do AUTH without having issued STARTTLS first?
--
//Wegge
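While the question about a dedicated log entry stands, the "lost connection after UNKNOWN from unknown[IP]" lines already quoted are enough to build a fail2ban-style counter. The following is an added example (not the poster's code, not part of any Postfix or fail2ban distribution) that parses such smtpd lines and reports clients that tripped the pattern maxretry times within a findtime window; the sample log, the syslog year, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches postfix/smtpd lines of the shape quoted in the post: a client that
# dropped the connection after sending something Postfix could not parse.
LOST_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'lost connection after (?P<state>\S+) from \S+\[(?P<ip>[\d.]+)\]'
)

# Constructed sample log: the post's lines repeated over a few minutes,
# plus one benign client that finished its session normally.
SAMPLE_LOG = """\
Jul 29 20:26:06 rollo postfix/smtpd[21285]: connect from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:26:09 rollo postfix/smtpd[21285]: disconnect from unknown[175.101.8.162]
Jul 29 20:27:01 rollo postfix/smtpd[21290]: connect from unknown[175.101.8.162]
Jul 29 20:27:04 rollo postfix/smtpd[21290]: lost connection after UNKNOWN from unknown[175.101.8.162]
Jul 29 20:27:04 rollo postfix/smtpd[21290]: disconnect from unknown[175.101.8.162]
Jul 29 20:28:10 rollo postfix/smtpd[21295]: connect from mail.example.org[192.0.2.10]
Jul 29 20:28:12 rollo postfix/smtpd[21295]: disconnect from mail.example.org[192.0.2.10]
Jul 29 20:29:30 rollo postfix/smtpd[21299]: connect from unknown[175.101.8.162]
Jul 29 20:29:33 rollo postfix/smtpd[21299]: lost connection after UNKNOWN from unknown[175.101.8.162]
"""

def parse_ts(stamp, year=2013):
    # Syslog stamps carry no year; the caller supplies one (assumed here).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def offenders(log_text, maxretry=3, findtime=600, state="UNKNOWN"):
    """Return {ip: total_hits} for clients with at least maxretry
    'lost connection after <state>' events inside any findtime-second window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOST_RE.match(line)
        if m and m.group("state") == state:
            events[m.group("ip")].append(parse_ts(m.group("ts")))
    result = {}
    for ip, times in events.items():
        times.sort()
        # Slide a window of maxretry consecutive events over the sorted stamps.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                result[ip] = len(times)
                break
    return result

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The benign host never logs a "lost connection" line, so it is never counted, and a client whose failures are spread wider than findtime stays below the threshold.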