Posted to users@spamassassin.apache.org by "Colony.three" <co...@protonmail.ch> on 2017/12/05 07:17:55 UTC

Does This Look Right?

Looks like it's doing what it's supposed to, but just checking...

Dec  5 06:58:26 quantumn postfix/smtpd[51554]: lost connection after AUTH from unknown[110.83.135.178]
Dec  5 06:58:26 quantumn postfix/smtpd[51554]: disconnect from unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
Dec  5 06:58:26 quantumn postfix/smtpd[51554]: warning: hostname 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to address 110.83.135.178: Name or service not known
Dec  5 06:58:26 quantumn postfix/smtpd[51554]: connect from unknown[110.83.135.178]
Dec  5 06:58:27 quantumn postfix/smtpd[51554]: lost connection after AUTH from unknown[110.83.135.178]
Dec  5 06:58:27 quantumn postfix/smtpd[51554]: disconnect from unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
Dec  5 06:58:27 quantumn postfix/smtpd[51554]: warning: hostname 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to address 110.83.135.178: Name or service not known
Dec  5 06:58:27 quantumn postfix/smtpd[51554]: connect from unknown[110.83.135.178]
Dec  5 06:58:28 quantumn postfix/smtpd[51554]: lost connection after AUTH from unknown[110.83.135.178]
Dec  5 06:58:28 quantumn postfix/smtpd[51554]: disconnect from unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
Dec  5 06:58:28 quantumn postfix/smtpd[51554]: warning: hostname 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to address 110.83.135.178: Name or service not known
Dec  5 06:58:28 quantumn postfix/smtpd[51554]: connect from unknown[110.83.135.178]
Dec  5 06:58:28 quantumn postfix/smtpd[51554]: lost connection after AUTH from unknown[110.83.135.178]

Re: Does This Look Right?

Posted by Gao <ga...@pztop.com>.
You can use fail2ban and enable the postfix-sasl filter, then those IPs will 
be banned after a few knocks.

Gao

On 2017-12-04 11:17 PM, Colony.three wrote:
> Looks like it's doing what it's supposed to, but just checking...
>
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: disconnect from 
> unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: warning: hostname 
> 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to 
> address 110.83.135.178: Name or service not known
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: connect from 
> unknown[110.83.135.178]
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: disconnect from 
> unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: warning: hostname 
> 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to 
> address 110.83.135.178: Name or service not known
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: connect from 
> unknown[110.83.135.178]
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: disconnect from 
> unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: warning: hostname 
> 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to 
> address 110.83.135.178: Name or service not known
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: connect from 
> unknown[110.83.135.178]
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
>
>


Re: Does This Look Right?

Posted by "Colony.three" <co...@protonmail.ch>.
On 05.12.2017 at 19:29, Colony.three wrote:

>> On 05.12.2017 at 19:13, Colony.three wrote:
>>
>>> On 12/05/2017 01:17 AM, Colony.three wrote:
>>>
>>>     Looks like it's doing what it's supposed to, but just
>>>     checking...
>>>
>>>     What do you think it's supposed to be happening below? Those
>>>     are just normal hacking attempts from China to do SMTP
>>>     authentication to try to abuse your server by sending spam
>>>     through it.
>>>
>>>     The warnings are normal when Postfix can't look up a matching
>>>     A record from the PTR record content -- FCrDNS. This will
>>>     cause the "unknown" in the Received header and SA rule hit on
>>>     RDNS_NONE if the connection makes it far enough.
>>>
>>> That is what I was hoping is going on.  I have never done this before,
>>> so wanted to check to make sure.
>>> In my case I don't have control over my PTR record though, as my mail
>>> servers are on a hosted OpenStack instance.  I do though have DNSSEC,
>>> DKIM, and DANE working for my mail servers.  I hope those help.
>>>
>>> what are you talking about and how is that related to SPAMASSASSIN
>>>
>>> if you don't have control about your PTR you can't setup a outbound
>>> mailserver but THIS LIST IS ABOUT INBOUND SPAMFILTERING and i doubt
>>> the IP below is yours
>>
>> I see that you are in a -good- mood today, Harald....
>> ... sometimes you're not!
>>
>> you still missed to explain what this whole thread has to do with
>> SPAMASSASSIN - guess why there are different mailing lists

Oh I didn't miss to explain it.  I just am not interested in a bickering contest with a fascist.

I know that there's expertise in spam here and I suspected that this is what my log entries are about.  Now confirmed by a human being.

Re: Does This Look Right?

Posted by "Colony.three" <co...@protonmail.ch>.
On 05.12.2017 at 19:13, Colony.three wrote:

>> On 12/05/2017 01:17 AM, Colony.three wrote:
>>
>>> Looks like it's doing what it's supposed to, but just checking...
>>>
>>> What do you think it's supposed to be happening below? Those are just
>>> normal hacking attempts from China to do SMTP authentication to try to
>>> abuse your server by sending spam through it.
>>>
>>> The warnings are normal when Postfix can't look up a matching A record
>>> from the PTR record content -- FCrDNS. This will cause the "unknown" in
>>> the Received header and SA rule hit on RDNS_NONE if the connection makes
>>> it far enough.
>>
>> That is what I was hoping is going on.  I have never done this before,
>> so wanted to check to make sure.
>> In my case I don't have control over my PTR record though, as my mail
>> servers are on a hosted OpenStack instance.  I do though have DNSSEC,
>> DKIM, and DANE working for my mail servers.  I hope those help.
>>
>> what are you talking about and how is that related to SPAMASSASSIN
>>
>> if you don't have control about your PTR you can't setup a outbound
>> mailserver but THIS LIST IS ABOUT INBOUND SPAMFILTERING and i doubt the
>> IP below is yours

I see that you are in a -good- mood today, Harald....
... sometimes you're not!

Re: Does This Look Right?

Posted by "Colony.three" <co...@protonmail.ch>.
On 12/05/2017 01:17 AM, Colony.three wrote:

>> Looks like it's doing what it's supposed to, but just checking...
>>
>> What do you think it's supposed to be happening below? Those are just
>> normal hacking attempts from China to do SMTP authentication to try to
>> abuse your server by sending spam through it.
>>
>> The warnings are normal when Postfix can't look up a matching A record
>> from the PTR record content -- FCrDNS. This will cause the "unknown" in
>> the Received header and SA rule hit on RDNS_NONE if the connection makes
>> it far enough.

That is what I was hoping is going on.  I have never done this before, so wanted to check to make sure.

In my case I don't have control over my PTR record though, as my mail servers are on a hosted OpenStack instance.  I do though have DNSSEC, DKIM, and DANE working for my mail servers.  I hope those help.

Re: Does This Look Right?

Posted by David Jones <dj...@ena.com>.
On 12/05/2017 01:17 AM, Colony.three wrote:
> Looks like it's doing what it's supposed to, but just checking...

What do you think it's supposed to be happening below?  Those are just 
normal hacking attempts from China to do SMTP authentication to try to 
abuse your server by sending spam through it.

The warnings are normal when Postfix can't look up a matching A record 
from the PTR record content -- FCrDNS.  This will cause the "unknown" in 
the Received header and SA rule hit on RDNS_NONE if the connection makes 
it far enough.

> 
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: disconnect from 
> unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: warning: hostname 
> 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to 
> address 110.83.135.178: Name or service not known
> Dec  5 06:58:26 quantumn postfix/smtpd[51554]: connect from 
> unknown[110.83.135.178]
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: disconnect from 
> unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: warning: hostname 
> 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to 
> address 110.83.135.178: Name or service not known
> Dec  5 06:58:27 quantumn postfix/smtpd[51554]: connect from 
> unknown[110.83.135.178]
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: disconnect from 
> unknown[110.83.135.178] ehlo=1 auth=0/1 commands=1/2
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: warning: hostname 
> 178.135.83.110.broad.nd.fj.dynamic.163data.com.cn does not resolve to 
> address 110.83.135.178: Name or service not known
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: connect from 
> unknown[110.83.135.178]
> Dec  5 06:58:28 quantumn postfix/smtpd[51554]: lost connection after 
> AUTH from unknown[110.83.135.178]
> 
> 


-- 
David Jones
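
Added example (not part of any post in this thread, and not fail2ban's own filter): a small Python log pass that tallies failed SASL attempts per client from Postfix "disconnect" lines and records the FCrDNS warning discussed above, then lists addresses at or over a ban threshold. The sample log is constructed with documentation addresses and a hypothetical host "mx1"; the threshold of 3 is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample in the same Postfix smtpd format as the log in this thread
# (RFC 5737 documentation addresses, hypothetical host name "mx1").
_PROBE = (
    "Dec  5 06:58:26 mx1 postfix/smtpd[101]: warning: hostname host.example.net "
    "does not resolve to address 203.0.113.7: Name or service not known\n"
    "Dec  5 06:58:26 mx1 postfix/smtpd[101]: connect from unknown[203.0.113.7]\n"
    "Dec  5 06:58:26 mx1 postfix/smtpd[101]: lost connection after AUTH from unknown[203.0.113.7]\n"
    "Dec  5 06:58:26 mx1 postfix/smtpd[101]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2\n"
)
SAMPLE_LOG = _PROBE * 3 + (
    "Dec  5 07:02:10 mx1 postfix/smtpd[102]: connect from mail.example.org[198.51.100.20]\n"
    "Dec  5 07:02:11 mx1 postfix/smtpd[102]: disconnect from mail.example.org[198.51.100.20] "
    "ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6\n"
    "Dec  5 07:05:00 mx1 postfix/smtpd[103]: disconnect from unknown[192.0.2.9] ehlo=1 auth=0/1 commands=1/2\n"
)

# The address is matched lazily so the ":" before the resolver error is not captured.
FCRDNS = re.compile(r"warning: hostname \S+ does not resolve to address ([0-9a-fA-F.:]+?)(?=: |$)")
DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S+?\[([^\]]+)\] (.*)$")
AUTH = re.compile(r"\bauth=(\d+)(?:/(\d+))?")

def summarize(log_text):
    """Return {ip: {"failed_auth": n, "fcrdns_mismatch": bool}} for clients of interest."""
    stats = defaultdict(lambda: {"failed_auth": 0, "fcrdns_mismatch": False})
    for line in log_text.splitlines():
        m = FCRDNS.search(line)
        if m:
            stats[m.group(1)]["fcrdns_mismatch"] = True
            continue
        m = DISCONNECT.search(line)
        if m:
            a = AUTH.search(m.group(2))
            # Postfix prints "auth=ok/total" only when some attempts failed;
            # a bare "auth=N" means every attempt succeeded.
            if a and a.group(2):
                stats[m.group(1)]["failed_auth"] += int(a.group(2)) - int(a.group(1))
    return dict(stats)

def ban_candidates(log_text, maxretry=3):
    """Addresses with at least maxretry failed AUTH attempts (assumed threshold)."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["failed_auth"] >= maxretry)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

The successful client never appears in the result because only the "ok/total" form of the auth counter is counted as failure.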