[BlueOnyx:25165] Re: stalling SMTP

Michael Stauber mstauber at blueonyx.it
Thu Oct 14 11:40:37 -05 2021


Hi Meaulnes,

> But I still wonder what's the cause of this... I browsed through the log
> files /var/log/maillog /var/log/messages /var/log/secure with no clues
> to anything suspicious (or I didn't know what to look for).

Yeah, we're seeing that stuff as well and these kinds of SMTP probes are
really getting very aggressive these days. The worst offenders I've
recently seen were from Iran and the Netherlands, but it's a general
problem not just limited to region or country of origin.

In /var/log/maillog they usually show up like this:

Oct 13 20:02:38 sol sendmail[18277]: 19E12cNr018277: [104.200.146.41]
did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA

Oct 14 10:53:46 sol sendmail[22421]: 19EFrLbF022421: [43.133.58.8] did
not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA

So a cue word to look for is "did not issue MAIL/EXPN/VRFY/ETRN", or I
simply look for "ETRN". That's when a client contacted the MTA and
didn't really do the things the MTA was expecting, like initiating an
email sending procedure. Sometimes this is legitimately done to check if
an MTA is up and responding, but abusers usually use this for email
address verification to see if a recipient email address is valid. They
then quickly run a dictionary attack against the MTA to gather a list of
working email addresses, and eventually these get targeted for SPAM.

The command below produces a sorted list of all IPs that probed your MTA
this way:

grep ETRN /var/log/maillog | cut -d '[' -f3 | cut -d ']' -f1 | grep '^[0-9]' | sort -un

If I see repeat offenders *really* sticking their nose out, then I
usually do a WHOIS on the offending IP and block their whole network
address range in APF, Firewalld and/or Milter-GeoIP.

-- 
With best regards

Michael Stauber
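As an added example (not part of Michael's post or of BlueOnyx itself), the following shell script turns the maillog pattern discussed above into per-IP hit counts, so repeat probers stand out before you go and WHOIS them. The log lines are constructed here, modelled on the ones quoted in the post, using documentation addresses (RFC 5737 / RFC 3849).

```bash
#!/usr/bin/env bash
# Added example: count SMTP probe sources in sendmail maillog output.
# The "did not issue MAIL/EXPN/VRFY/ETRN" message is logged when a client
# connects and disconnects without ever starting a mail transaction.

# Constructed sample log lines (not real traffic); one IPv6 peer included,
# which the original "grep ^[0-9]" filter would have dropped.
SAMPLE_LOG=$(cat <<'EOF'
Oct 13 20:02:38 sol sendmail[18277]: 19E12cNr018277: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Oct 13 20:05:01 sol sendmail[18301]: 19E15xYz018301: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 13 20:07:12 sol sendmail[18322]: 19E17Abc018322: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Oct 13 20:09:55 sol sendmail[18340]: 19E19Def018340: mail.example.net [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Oct 13 20:10:02 sol sendmail[18345]: 19E1A2gh018345: from=<user@example.org>, size=1234, class=0, nrcpts=1
Oct 13 20:11:40 sol sendmail[18350]: 19E1BeIj018350: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Oct 13 20:12:03 sol sendmail[18360]: 19E1C3kl018360: [IPv6:2001:db8::1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
EOF
)

# Read log text on stdin; print "count address" for every peer that
# probed without issuing a mail command, most frequent first.
# The sed extracts the bracketed address right before the cue phrase, so
# a resolved hostname in front of it (or an IPv6 literal) is handled too.
probe_counts() {
    grep 'did not issue MAIL/EXPN/VRFY/ETRN' \
    | sed -n 's/.*\[\([^]]*\)\] did not issue.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read log text on stdin; print only addresses seen at least $1 times,
# i.e. the repeat offenders worth a WHOIS and a firewall entry.
repeat_offenders() {
    probe_counts | awk -v t="$1" '$1 >= t {print $2}'
}

# Usage on the constructed sample: full table, then repeaters (>= 2 hits).
printf '%s\n' "$SAMPLE_LOG" | probe_counts
echo "--- repeat offenders (>= 2 probes) ---"
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
```

On a live system replace the sample with `probe_counts < /var/log/maillog`; the threshold passed to repeat_offenders is whatever "sticking their nose out" means for your traffic volume.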
