Is this a spammer trying to access or just the system?

June 9, 2016 5.1k views
Email Security Logging Ubuntu
musicmouse
By:
musicmouse

When I look at my syslog file I see the following lines nearly every 5 minutes. I don't recognize the mentioned IP address. According to Whois it is something from Poland (not my country). What is happening here? And can I block it?

Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection rate 1/60s for (smtp:193.189.117.151) at Jun  8 21:06:52
Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection count 1 for (smtp:193.189.117.151) at Jun  8 21:06:52
Jun  8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max cache size 1 at Jun  8 21:06:52
Jun  8 21:11:55 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: connect from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: lost connection after AUTH from unknown[193.189.117.151]
Jun  8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: disconnect from unknown[193.189.117.151]
Log In to Comment
4 Answers
jtittle1 June 9, 2016

@musicmouse

Seeing such messages is actually quite common and you should be fine as long as you're rate-limiting connections to prevent flooding. In your main.cf configuration file, you should see options such as:

smtpd_error_sleep_time
smtpd_soft_error_limit
smtpd_hard_error_limit

If we set the above to something such as:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

This would mean that Postfix will wait 1 second before each error (i.e. lack of HELO, FQDN etc). After 10 errors, that limit will increase and once the limit hits 20, it will disconnect the client.

If you're seeing a surge of such connection attempts, you can reduce the soft error limit and then reduce the gap between the soft and hard limits. You'll still see the disconnects though it will ensure that they happen faster so that repeated attempts don't tie up connections.

If you see the same IP or IP's often, block them using your firewall (or install a firewall and then block them). That'll prevent them from connecting in the first place.

Reply
gndo June 9, 2016

Yes, that address shows up on at least 5 blacklists (Spamhouse ZEN, Protected Sky, Drone BL, CBL, Blocklist.de). Because the provider is lax about the whole thing, I'd recommend just blocking out the whole network range 193.189.116.0/23 from Delorian Internet Services

Reply
gndo June 9, 2016

Yes, that address shows up on several blacklists.

Reply
Demothi June 14, 2019

Three years later, and I am going to be that guy who revives this thread :-)

I added the following entries to /etc/postfix/main.cf :: 

disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Then restarted Postfix service postfix restart

Reply
Have another answer? Share your knowledge.

Related Questions