On 15/11/2019 16:15, @lbutlr wrote:
> On 15 Nov 2019, at 03:21, Allen Coates wrote:
>> Disabling auth does not stop them from trying; I scan my logs for the string
>> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
>> fail2ban.
>
> Seems like a good idea.
>
On 15 Nov 2019, at 11:16, Jeffrey 'jf' Lim wrote:
On Fri, 15 Nov 2019, 22:26 Bill Cole, <
postfixlists-070...@billmail.scconsult.com> wrote:
[...]
It is also worth noting that at least one MTA has made the same
assumption about appropriate client behavior, offering a switch to turn
AUTH adver
On Fri, 15 Nov 2019, 22:26 Bill Cole, <
postfixlists-070...@billmail.scconsult.com> wrote:
> On 15 Nov 2019, at 5:28, Jeffrey 'jf' Lim wrote:
>
> > On Fri, Nov 15, 2019 at 6:23 PM Allen Coates
> > wrote:
> [...]
> >> Disabling auth does not stop them from trying; I scan my logs for
> >> the stri
On 15 Nov 2019, at 03:21, Allen Coates wrote:
> Disabling auth does not stop them from trying; I scan my logs for the string
> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
> fail2ban.
Seems like a good idea.
Something like this?
pfctl -t badguys -T add $(grep
On 15.11.2019 at 10:04:42, Bill Cole wrote:
>
> When you see "SASL LOGIN authentication failed: UGFzc3dvcmQ6" logged
> by Postfix, it indicates that an incorrect password was provided, in
> the second step of the LOGIN mechanism, in response to the prompt
> "334 UGFzc3dvcmQ6" which is sent b
On 15 Nov 2019, at 3:36, Jaroslaw Rafa wrote:
By the way: I'm just curious, what does the string "UGFzc3dvcmQ6" in the
failed authentication message mean? I get it with every such attempt.
$ echo "UGFzc3dvcmQ6" |base64 -D
Password:
When you see "SASL LOGIN authentication failed: UGFzc3dvcmQ6
On 15 Nov 2019, at 5:28, Jeffrey 'jf' Lim wrote:
On Fri, Nov 15, 2019 at 6:23 PM Allen Coates
wrote:
[...]
Disabling auth does not stop them from trying; I scan my logs for the string
"auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
fail2ban.
It should.
W
On 15/11/2019 12:33, Wietse Venema wrote:
> Jeffrey 'jf' Lim:
>>> Disabling auth does not stop them from trying; I scan my logs for the string
>>> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
>>> fail2ban.
>>>
>>
>> It should. Unless they're the dumbe
Jeffrey 'jf' Lim:
> > Disabling auth does not stop them from trying; I scan my logs for the string
> > "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
> > fail2ban.
> >
>
> It should. Unless they're the dumbest bots of all time, because you
> should have s
On Fri, 15 Nov 2019 at 10:23, Allen Coates
wrote:
>
>
> On 15/11/2019 05:10, Fourhundred Thecat wrote:
> > On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
> >>
> >> ok then this makes sense. I've seen bots retry multiple passwords at
> >> one go in the past; Fourhundred are all of these "auth=0/1"?
On Fri, Nov 15, 2019 at 6:23 PM Allen Coates wrote:
>
>
>
> On 15/11/2019 05:10, Fourhundred Thecat wrote:
> > On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
> >>
> >> ok then this makes sense. I've seen bots retry multiple passwords at
> >> one go in the past; Fourhundred are all of these "auth=0/1
On 15/11/2019 05:10, Fourhundred Thecat wrote:
> On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
>>
>> ok then this makes sense. I've seen bots retry multiple passwords at
>> one go in the past; Fourhundred are all of these "auth=0/1"?
>
> yes, all are "auth=0/1".
>
> I have disabled auth on port
On 14.11.2019 at 23:51:05, Viktor Dukhovni wrote:
> > I am wondering what is the purpose of connections like these:
> >
> > postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> > postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 comman
On Fri, 15 Nov 2019 at 05:26, Fourhundred Thecat <400the...@gmx.ch> wrote:
> On 15/11/2019 05.51, Viktor Dukhovni wrote:
> > On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
> >
> >> I am wondering what is the purpose of connections like these:
> >>
> >> postfix/smtpd[5147]:
On 15/11/2019 05.51, Viktor Dukhovni wrote:
> On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
>
>> I am wondering what is the purpose of connections like these:
>>
>> postfix/smtpd[5147]: connect from unknown[193.56.28.121]
>> postfix/smtpd[5147]: disconnect from unknown[1
On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
>
> ok then this makes sense. I've seen bots retry multiple passwords at
> one go in the past; Fourhundred are all of these "auth=0/1"?
yes, all are "auth=0/1".
I have disabled auth on port 25, and I am using non-standard port for
client authentication
On Fri, Nov 15, 2019 at 12:52 PM Viktor Dukhovni
wrote:
>
> On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
>
> > I am wondering what is the purpose of connections like these:
> >
> > postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> > postfix/smtpd[5147]: discon
On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
> I am wondering what is the purpose of connections like these:
>
> postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 com
On 15/11/2019 05.06, Jeffrey 'jf' Lim wrote:
> On Fri, Nov 15, 2019 at 11:49 AM Fourhundred Thecat <400the...@gmx.ch> wrote:
>>
>> Also, judging by the fact that IP does not resolve to hostname, I assume
>> these are not mail servers. Are these just some bots that are scanning
>> the Internet for m
Hello,
I am wondering what is the purpose of connections like these:
postfix/smtpd[5147]: connect from unknown[193.56.28.121]
postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
I have lots of these in my logs, from different IP addresses.