Is this a spammer trying to access or just the system?

Posted on June 9, 2016

When I look at my syslog file I see the following lines nearly every 5 minutes. I don’t recognize the mentioned IP address. According to Whois it is something from Poland (not my country). What is happening here? And can I block it?

Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection rate 1/60s for (smtp:193.189.117.151) at Jun  8 21:06:52
Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection count 1 for (smtp:193.189.117.151) at Jun  8 21:06:52
Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max cache size 1 at Jun  8 21:06:52
Jun  8 21:11:55 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: connect from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: lost connection after AUTH from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: disconnect from unknown[193.189.117.151]


Yes, that address shows up on several blacklists.

I solved this issue by adding the line below:

smtpd_tls_auth_only = yes

in the /etc/postfix/main.cf file. Then restart postfix:

service postfix restart

@musicmouse

Seeing such messages is actually quite common and you should be fine as long as you’re rate-limiting connections to prevent flooding. In your main.cf configuration file, you should see options such as:

smtpd_error_sleep_time
smtpd_soft_error_limit
smtpd_hard_error_limit

If we set the above to something such as:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

This would mean that Postfix will wait 1 second before each error (i.e. lack of HELO, FQDN etc). After 10 errors, that limit will increase and once the limit hits 20, it will disconnect the client.

If you’re seeing a surge of such connection attempts, you can reduce the soft error limit and then reduce the gap between the soft and hard limits. You’ll still see the disconnects though it will ensure that they happen faster so that repeated attempts don’t tie up connections.

If you see the same IP or IPs often, block them using your firewall (or install a firewall and then block them). That’ll prevent them from connecting in the first place.
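To find out which addresses "show up often" before writing firewall rules, the SASL failures in the syslog can be counted per client. The following is an added example, not part of any answer above: the function name, the threshold and window defaults, and every sample line after the first two are assumptions or constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the smtpd warning format shown in the question's syslog excerpt.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

HOST = "ubuntu-1gb-ams2-Nova postfix/smtpd"
FAILED = "SASL LOGIN authentication failed: authentication failure"
SAMPLE = [
    # First two lines are from the question; the rest are constructed.
    f"Jun  8 21:11:55 {HOST}[24621]: connect from unknown[193.189.117.151]",
    f"Jun  8 21:11:57 {HOST}[24621]: warning: unknown[193.189.117.151]: {FAILED}",
    f"Jun  8 21:16:58 {HOST}[24655]: warning: unknown[193.189.117.151]: {FAILED}",
    f"Jun  8 21:22:01 {HOST}[24690]: warning: unknown[193.189.117.151]: {FAILED}",
    f"Jun  8 21:30:10 {HOST}[24700]: warning: unknown[203.0.113.7]: {FAILED}",
    f"Jun  8 23:40:00 {HOST}[25001]: warning: unknown[203.0.113.7]: {FAILED}",
]

def repeat_offenders(lines, threshold=3, window=timedelta(minutes=30), year=2016):
    """Return {ip: n} where n is the most SASL failures seen from ip inside
    any one window, for ips with n >= threshold. Syslog lines carry no year,
    so the caller supplies one."""
    seen = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["ip"]].append(stamp)
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        start = best = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in sorted(repeat_offenders(SAMPLE).items()):
        print(f"{ip}: {n} failed logins within 30 minutes")
```

Pass it the lines of the real syslog file in place of `SAMPLE`; the addresses it returns are the candidates for a firewall block.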
