Sporadic, repeated connections from aws


Sporadic, repeated connections from aws

@lbutlr
I've had the following in my fqrdns.pcre checks for quite a while:

/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT  Generic - Please relay via ISP (amazonaws.com)

And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).

Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).

Am I right in blocking these connections? Is there any reason for an aws server to be sending mail directly that I am overlooking?

(the fqrdns.pcre file is a file I downloaded several years back and have made occasional modifications to, so I am not sure if this was something I added or part of the original file, though I suspect the latter)


--
And what rough beast, its hour come round at last,
Slouches towards Bethlehem to be born?



Re: Sporadic, repeated connections from aws

Noel Jones-2
On 4/27/2019 2:15 PM, @lbutlr wrote:
> I've had the following in my fqrdns.pcre checks for quite a while:
>
> /^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT  Generic - Please relay via ISP (amazonaws.com)

Yes, that's in the fqrdns.pcre download


>
> And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).

I don't notice bursts like that, but that doesn't sound like ham.  A
quick browse through my aws rejects doesn't show anything that looks
like wanted mail, but that's just guessing from the sender domain.

>
> Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).

Postfix will log all rejects.  Are you maybe filtering your log file
somehow?


>
> Am I right in blocking these connections? Is there any reason for an aws server to be sending mail directly that I am overlooking?

Probably ok to block these.  Generic aws servers may not be 100%
spam, but I think it's pretty close.

>
> (the fqrdns.pcre file is a file I downloaded several years back and have made occasional modifications to, so I am not sure if this was something I added or part of the original file, though I suspect the latter)

I still use the fqrdns.pcre too, and I can't remember the last false
negative when it rejected good mail.  But its effectiveness has
slipped lately, I guess because (my)? spammers seem to have mostly
moved to hijacking legit servers and email accounts, and/or
postscreen catches them before they get to smtpd.  It still seems safe.


   -- Noel Jones
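An added Python example (not from the thread or from Postfix) that reproduces the quoted fqrdns.pcre rule's matching and, following Noel's point that Postfix logs every reject, counts reject lines per client so a burst stands out; the log-line layout, host names and addresses are constructed assumptions.

```python
import re
from collections import Counter

# The REJECT rule quoted from fqrdns.pcre. Postfix pcre tables match
# case-insensitively by default, so re.IGNORECASE reproduces that.
GENERIC_EC2 = re.compile(
    r"^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$", re.IGNORECASE)


def is_generic_ec2_rdns(hostname):
    """True when the client's reverse name would hit the quoted REJECT rule.
    Only the ec2-a-b-c-d.compute-N.amazonaws.com form matches; names of the
    form ec2-a-b-c-d.<region>.compute.amazonaws.com are not covered by it."""
    return GENERIC_EC2.match(hostname) is not None


# Assumed shape of the smtpd line Postfix writes for a check_client_access
# REJECT with custom text; named groups pull out client name and reason.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9.]+)\]: "
    r"\d{3} [\d.]+ .*?Client host rejected: (?P<reason>[^;]+);")


def count_rejects_by_client(log_lines):
    """Count 'Client host rejected' entries per reverse name; a burst like the
    50-in-a-few-minutes pattern described in the thread shows as one large count."""
    counts = Counter()
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def burst_clients(counts, threshold):
    """Reverse names whose reject count reaches the threshold."""
    return sorted(h for h, n in counts.items() if n >= threshold)


# Constructed sample log lines (documentation addresses, made-up names).
SAMPLE_LOG = """\
Apr 27 14:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from ec2-203-0-113-7.compute-1.amazonaws.com[203.0.113.7]: 554 5.7.1 <ec2-203-0-113-7.compute-1.amazonaws.com[203.0.113.7]>: Client host rejected: Generic - Please relay via ISP (amazonaws.com); from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<ec2-203-0-113-7.compute-1.amazonaws.com>
Apr 27 14:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from ec2-203-0-113-7.compute-1.amazonaws.com[203.0.113.7]: 554 5.7.1 <ec2-203-0-113-7.compute-1.amazonaws.com[203.0.113.7]>: Client host rejected: Generic - Please relay via ISP (amazonaws.com); from=<b@example.net> to=<me@example.org> proto=ESMTP helo=<ec2-203-0-113-7.compute-1.amazonaws.com>
Apr 27 14:05:10 mx postfix/smtpd[1240]: connect from mail.example.com[198.51.100.5]
""".splitlines()

if __name__ == "__main__":
    for name in ("ec2-203-0-113-7.compute-1.amazonaws.com",
                 "ec2-203-0-113-7.us-west-2.compute.amazonaws.com", "mail.example.com"):
        print(f"{name}: {'REJECT' if is_generic_ec2_rdns(name) else 'pass'}")
    counts = count_rejects_by_client(SAMPLE_LOG)
    print(dict(counts), "burst:", burst_clients(counts, 2))
```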

Re: Sporadic, repeated connections from aws

@lbutlr
On Apr 27, 2019, at 20:15, Noel Jones <[hidden email]> wrote:
>
> I still use the fqrdns.pcre too, and I can't remember the last false negative when it rejected good mail.

Thanks. That’s what I suspected, but confirmation is good to have.

--
This is my signature. There are many like it, but this one is mine.

Re: Sporadic, repeated connections from aws

Dominic Raferd

On Sun, 28 Apr 2019 at 07:25, @lbutlr <[hidden email]> wrote:
> On Apr 27, 2019, at 20:15, Noel Jones <[hidden email]> wrote:
> >
> > I still use the fqrdns.pcre too, and I can't remember the last false negative when it rejected good mail.
>
> Thanks. That's what I suspected, but confirmation is good to have.

I use it, and fqrdns-plus.pcre and fqrdns-max.pcre without fns AFAIK. Anyone have a different experience with these?

Re: Sporadic, repeated connections from aws

Kris Deugau
@lbutlr wrote:
> I've had the following in my fqrdns.pcre checks for quite a while:
>
> /^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT  Generic - Please relay via ISP (amazonaws.com)
>
> And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).
>
> Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).
>
> Am I right in blocking these connections? Is there any reason for an aws server to be sending mail directly that I am overlooking?

IMO this *should* be absolutely completely 100% correct and safe.  (Also
IMO, Amazon should actively block outbound direct-to-MX connections from
these IP ranges in much the same way most ISPs block direct-to-MX mail
from their dynamic connection IP ranges.)

Unfortunately many people with AWS services either don't agree, or more
likely don't know what their mail ends up looking like from the spam
control perspective, because I see a modest but regular flow of
legitimate mail from Amazon compute nodes.  :(

A quick sampling of our FP archive and mail logs shows a seed company, a
political something, a propane/fuel supply company, several smallish web
forums, a smallish payment processing company, and several apps.

I'm pretty sure I've seen mail from nearby IP ranges that have had
"proper" (i.e., user-specific) reverse DNS applied, so clearly there's a
mechanism for Amazon VPS customers to do it right.

Amazon doesn't make life easier by insisting in their abuse reporting
form that IP assignments are highly volatile;  there's next to no way to
tell, for sure, from the outside, whether a given Amazon IP is part of
their static IP pool for long-running VPSes, or part of their "compute
power for hire" cloud, which may change "ownership" several times in an
hour.  Or even if they actually maintain separate IP pools for these
functions - possibly they don't.

-kgd