HELO and nothing else


HELO and nothing else

Ron Garret-2
Hello (not helo :-)

I am working on a spam filter and so I find myself spending a lot more quality time with mail logs than I used to.  One of the things I have noticed is that I will get a lot of connections that send a HELO command and then disconnect.  Sometimes I get this repeated several times a minute from the same IP for hours on end.  What is going on here?  Should I block these IPs?  Am I being scanned?  By what?  To what end?

Thanks,
rg


Re: HELO and nothing else

Noel Jones-2

On 2/10/2021 3:20 PM, Ron Garret wrote:
> Hello (not helo :-)
>
> I am working on a spam filter and so I find myself spending a lot more quality time with mail logs than I used to.  One of the things I have noticed is that I will get a lot of connections that send a HELO command and then disconnect.  Sometimes I get this repeated several times a minute from the same IP for hours on end.  What is going on here?  Should I block these IPs?  Am I being scanned?  By what?  To what end?
>
> Thanks,
> rg
>


Each connecting IP may have a different reason...

My first two thoughts are either a broken spambot, or an MTA that
doesn't like something about your server's response.

Probably not a scan or anything to be overly concerned with, unless
it looks like you might want their mail. Unless they repeat
thousands of times for hours it's not worth blocking - just ignore them.


   -- Noel Jones

Re: HELO and nothing else

Mauricio Tavares
In reply to this post by Ron Garret-2
On Wed, Feb 10, 2021 at 4:21 PM Ron Garret <[hidden email]> wrote:
>
> Hello (not helo :-)
>
> I am working on a spam filter and so I find myself spending a lot more quality time with mail logs than I used to.  One of the things I have noticed is that I will get a lot of connections that send a HELO command and then disconnect.  Sometimes I get this repeated several times a minute from the same IP for hours on end.  What is going on here?  Should I block these IPs?  Am I being scanned?  By what?  To what end?
>
That reminds me of the incomplete TCP handshake scan. You may
want to run something like fail2ban and block that.

> Thanks,
> rg
>

Re: HELO and nothing else

Viktor Dukhovni
In reply to this post by Ron Garret-2
On Wed, Feb 10, 2021 at 01:20:30PM -0800, Ron Garret wrote:

> I am working on a spam filter and so I find myself spending a lot more
> quality time with mail logs than I used to.  One of the things I have
> noticed is that I will get a lot of connections that send a HELO
> command and then disconnect.  Sometimes I get this repeated several
> times a minute from the same IP for hours on end.  What is going on
> here?  Should I block these IPs?  Am I being scanned?  By what?  To
> what end?

Generally, just ignore these.  Focus instead on the systems that attempt
to send junk mail.  Some of the EHLO mail systems are various systems
doing legitimate Internet surveys.

My DANE survey bot (dnssec-stats.ant.isi.edu) is generously hosted by
isi.edu (with thanks to Wes Hardaker for making that possible), and will
typically connect to an MX host of a DNSSEC-signed domain once or twice
per IP address (listed in DNS for its hostname) per day, provided the
MX host is also in a DNSSEC-signed zone and has DANE TLSA records.

Other surveys focus on other features and have a different connection
pattern.

Once a minute for several hours on end does seem rather more frequent
than I would expect of a legitimate survey. If you're sufficiently
curious, you could check to see whether there is an associated website
that documents the activity, and/or any relevant TXT (or RP) DNS
records.

For example:

    dnssec-stats.ant.isi.edu. IN TXT "v=spf1 ip4:128.9.29.254 ip6:2001:1878:401::8009:1dfe ~all"
    dnssec-stats.ant.isi.edu. IN TXT "DNSSEC/DANE deployment survey.  See https://stats.dnssec-tools.org/ for details."

I should probably also add an "RP" record, though few publish or know
about these: https://tools.ietf.org/html/rfc1183#section-2

--
    Viktor.
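Ron's question and the triage advice from Noel (ignore unless an IP repeats thousands of times for hours) and Viktor (survey bots show a sparse, well-behaved pattern) can be turned into a log check. This is an added example, not code from the thread or from Postfix: it parses Postfix's "disconnect from" lines, which carry per-command counts, keeps only sessions where the client sent nothing but HELO/EHLO, and summarises them per IP. The log lines, the IPs and the review thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Postfix's syslog "disconnect from" format (not from the thread).
SAMPLE_LOG = """\
Feb 10 13:20:30 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] helo=1 commands=1
Feb 10 13:21:31 mx postfix/smtpd[1203]: disconnect from unknown[192.0.2.10] helo=1 commands=1
Feb 10 15:45:02 mx postfix/smtpd[1390]: disconnect from unknown[192.0.2.10] helo=0/1 commands=0/1
Feb 10 13:25:01 mx postfix/smtpd[1210]: disconnect from survey.example.net[198.51.100.7] ehlo=1 starttls=1 quit=1 commands=3
Feb 10 13:30:00 mx postfix/smtpd[1220]: disconnect from mail.example.org[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counts>(?: \w+=\d+(?:/\d+)?)*)$"
)

def parse_counts(text):
    """'helo=0/1 commands=0/1' -> {'helo': 1, 'commands': 1} (total attempted)."""
    counts = {}
    for item in text.split():
        key, val = item.split("=")
        counts[key] = int(val.split("/")[-1])  # 'accepted/total' -> total
    return counts

def helo_only(counts):
    """True when the client sent nothing but HELO/EHLO (no MAIL, no QUIT, no STARTTLS)."""
    return bool(counts) and set(counts) <= {"helo", "ehlo", "commands"}

def triage(log_text, year=2021):
    """Per client IP: number of HELO-only sessions and the span they cover in hours."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = DISCONNECT_RE.match(line)
        if m and helo_only(parse_counts(m["counts"])):
            # syslog timestamps carry no year; the caller supplies it (assumed 2021)
            seen[m["ip"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return {ip: {"sessions": len(s), "hours": (max(s) - min(s)).total_seconds() / 3600}
            for ip, s in seen.items()}

def worth_reviewing(rec, min_sessions=1000, min_hours=1.0):
    """Noel's rule of thumb as thresholds (assumed values): only an IP that repeats
    thousands of times across hours is worth a closer look; the rest is noise."""
    return rec["sessions"] >= min_sessions and rec["hours"] >= min_hours

if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        verdict = "review" if worth_reviewing(rec) else "ignore"
        print(f"{ip}: {rec['sessions']} HELO-only sessions over {rec['hours']:.2f}h -> {verdict}")
```

The survey-style session (EHLO, STARTTLS, QUIT) and the real delivery are left out of the report, so only the HELO-and-drop client remains, and at three sessions it falls under "ignore".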

RE: HELO and nothing else

Dino Edwards
In reply to this post by Ron Garret-2

> I am working on a spam filter and so I find myself spending a lot more quality time with mail logs than I used to.  One of the things I have noticed is that I will get a lot of connections that send a HELO command and then disconnect.  Sometimes I get this repeated several times a minute from the same IP for hours on end.  What is going on here?  Should I block these IPs?  Am I being scanned?  By what?  To what end?

Have you looked into the following postfix directives?

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20



Re: HELO and nothing else

postfix-users-4
In reply to this post by Ron Garret-2

> Hello (not helo :-)
>
> I am working on a spam filter and so I find myself spending a lot more quality time with mail logs than I used to.  One of the things I have noticed is that I will get a lot of connections that send a HELO command and then disconnect.  Sometimes I get this repeated several times a minute from the same IP for hours on end.  What is going on here?  Should I block these IPs?  Am I being scanned?  By what?  To what end?
>
Maybe this could be some spam prevention system. Some systems try to
reach the MX of a domain (like
https://www.rspamd.com/doc/modules/mx_check.html).
> Thanks,
> rg
>