Is this a spammer trying to access or just the system?

June 9, 2016 784 views
Email Security Logging Ubuntu

When I look at my syslog file I see the following lines nearly every 5 minutes. I don't recognize the mentioned IP address. According to Whois it is something from Poland (not my country). What is happening here? And can I block it?

Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection rate 1/60s for (smtp:193.189.117.151) at Jun  8 21:06:52
Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection count 1 for (smtp:193.189.117.151) at Jun  8 21:06:52
Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max cache size 1 at Jun  8 21:06:52
Jun  8 21:11:55 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: connect from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: lost connection after AUTH from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: disconnect from unknown[193.189.117.151]
3 Answers

@musicmouse

Seeing such messages is actually quite common and you should be fine as long as you're rate-limiting connections to prevent flooding. In your main.cf configuration file, you should see options such as:

smtpd_error_sleep_time
smtpd_soft_error_limit
smtpd_hard_error_limit

If we set the above to something such as:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

This would mean that Postfix will wait 1 second before each error (i.e. lack of HELO, FQDN, etc.). After 10 errors, that limit will increase, and once the limit hits 20, it will disconnect the client.

If you're seeing a surge of such connection attempts, you can reduce the soft error limit and then reduce the gap between the soft and hard limits. You'll still see the disconnects though it will ensure that they happen faster so that repeated attempts don't tie up connections.

If you see the same IP or IPs often, block them using your firewall (or install a firewall and then block them). That'll prevent them from connecting in the first place.
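To see which sources keep failing SASL logins, as this answer suggests, here is an added example (not from the answer or from Postfix) that parses the syslog format shown in the question and counts failed SASL authentications per client IP; the sample lines, the second host 203.0.113.7 and the threshold of 3 are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the same format as the question's syslog excerpt.
# The 203.0.113.7 line is invented to show a second, lower-volume source.
SAMPLE_LOG = """\
Jun  8 21:11:55 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: connect from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: lost connection after AUTH from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: disconnect from unknown[193.189.117.151]
Jun  8 21:16:58 ubuntu-1gb-ams2-Nova postfix/smtpd[24701]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun  8 21:17:02 ubuntu-1gb-ams2-Nova postfix/smtpd[24710]: warning: mail.example.net[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun  8 21:21:59 ubuntu-1gb-ams2-Nova postfix/smtpd[24799]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
"""

# Matches the smtpd warning line Postfix writes for a failed SASL login,
# capturing the reverse-DNS name (or "unknown"), the client IP and the mechanism.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)


def count_sasl_failures(log_text):
    """Return a Counter of failed SASL logins keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def repeat_offenders(log_text, threshold=3):
    """IPs with at least `threshold` failures, most frequent first."""
    counts = count_sasl_failures(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Run against the constructed sample; point it at /var/log/mail.log for real data.
    for ip, n in repeat_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} failed SASL logins")
```

The addresses it reports are the candidates for the firewall block the answer recommends; the threshold is a starting point to tune against your own traffic.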

Yes, that address shows up on at least 5 blacklists (Spamhaus ZEN, Protected Sky, Drone BL, CBL, Blocklist.de). Because the provider is lax about the whole thing, I'd recommend just blocking out the whole network range 193.189.116.0/23 from Delorian Internet Services.

Yes, that address shows up on several blacklists.
