Throttling bursts of connections at postscreen? More to do here?

yodeller
Every few hours I get bursts of these from random addresses -- always at "poneytelecom.eu" (online.net)

Communicating with abuse@ online.net/poneytelecom.eu is a lost cause.  They're completely useless.

Is postscreen doing its "best" job here at reducing load?  It's clearly not passing the attempts through.

I'm just wondering if there's any throttling or something else to do here?

        Sep  6 03:22:20 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:53039 to [192.0.2.1]:25
        Sep  6 03:22:20 cont03 postfix/dnsblog[35436]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:22:20 cont03 postfix/postscreen[35432]: PREGREET 14 after 0.14 from [62.210.140.7]:53039: EHLO mdb3Fue\r\n
        Sep  6 03:22:20 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:53039
        Sep  6 03:22:21 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:65108 to [192.0.2.1]:25
        Sep  6 03:22:21 cont03 postfix/dnsblog[35434]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:22:21 cont03 postfix/postscreen[35432]: PREGREET 14 after 0.15 from [62.210.140.7]:65108: EHLO lO0RVZU\r\n
        Sep  6 03:22:21 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:65108
        Sep  6 03:22:21 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:61166 to [192.0.2.1]:25
        Sep  6 03:22:21 cont03 postfix/dnsblog[35437]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:22:21 cont03 postfix/postscreen[35432]: PREGREET 15 after 0.16 from [62.210.140.7]:61166: EHLO w2z7WmCG\r\n
        Sep  6 03:22:21 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:61166
        Sep  6 03:22:22 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:62585 to [192.0.2.1]:25
        Sep  6 03:22:22 cont03 postfix/dnsblog[35437]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:22:22 cont03 postfix/postscreen[35432]: PREGREET 16 after 0.15 from [62.210.140.7]:62585: EHLO dtcgZI6oA\r\n
        Sep  6 03:22:22 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:62585
        Sep  6 03:22:22 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:58322 to [192.0.2.1]:25
        ...
        MANY HUNDREDS MORE
        ...
        Sep  6 03:24:02 cont03 postfix/postscreen[35432]: PREGREET 17 after 0.16 from [62.210.140.7]:65061: EHLO O0uHWZVJd5\r\n
        Sep  6 03:24:02 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:65061
        Sep  6 03:24:02 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:64305 to [192.0.2.1]:25
        Sep  6 03:24:02 cont03 postfix/dnsblog[35433]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:24:02 cont03 postfix/postscreen[35432]: PREGREET 16 after 0.14 from [62.210.140.7]:64305: EHLO FG3aXs6pz\r\n
        Sep  6 03:24:02 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:64305
        Sep  6 03:24:02 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:64252 to [192.0.2.1]:25
        Sep  6 03:24:02 cont03 postfix/dnsblog[35438]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:24:03 cont03 postfix/postscreen[35432]: PREGREET 15 after 0.15 from [62.210.140.7]:64252: EHLO cGD5sIof\r\n
        Sep  6 03:24:03 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:64252
        Sep  6 03:24:03 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:59911 to [192.0.2.1]:25
        Sep  6 03:24:03 cont03 postfix/dnsblog[35436]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4
        Sep  6 03:24:03 cont03 postfix/postscreen[35432]: PREGREET 16 after 0.15 from [62.210.140.7]:59911: EHLO 9D4ZAcsJk\r\n
        Sep  6 03:24:03 cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:59911
        Sep  6 03:24:03 cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:61102 to [192.0.2.1]:25

Re: Throttling bursts of connections at postscreen? More to do here?

Wietse Venema
[hidden email]:
> Every few hours I get bursts of these from random addresses -- always at "poneytelecom.eu" (online.net)
>
> Communicating with abuse@ online.net/poneytelecom.eu is a lost cause.  They're completely useless.
>
> Is postscreen doing its "best" job here at reducing load?  It's clearly not passing the attempts through.

So, postscreen is doing its job.

> I'm just wondering if there's any throttling or something else to do here?

Why bother? It's doing exactly what it was meant to do; one postscreen
process keeps the zombies away from Postfix SMTP server processes.

        Wietse

Re: Throttling bursts of connections at postscreen? More to do here?

@lbutlr
In reply to this post by yodeller
On 09 Sep 2017, at 11:19, [hidden email] wrote:
> I'm just wondering if there's any throttling or something else to do here?

This is only a "problem" because you are looking at it.

Yes, there are lots of log lines, but all they show is that this person is being kept out of your mail server nearly the instant the connection is made.

Is there anything more you could do? Not really. If you really want the log lines to go away you could put in a DENY in your hosts table, but if you do that you're going to be doing it A LOT.

Easiest way to solve the "problem" is to not look at it.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Throttling bursts of connections at postscreen? More to do here?

Kris Deugau
@lbutlr wrote:
> Is there anything more you could do? Not really. If you really want the log lines to go away you could put in a DENY in your hosts table, but if you do that you're going to be doing it A LOT.

*nod*  If there's only one persistent host, it may be worth blocking at
some higher level (I'm partial to "iptables -j DENY") but if the
connections aren't resulting in spam actually arriving at some mailbox
on your system the only "problem" is the volume of log data.

-kgd

Re: Throttling bursts of connections at postscreen? More to do here?

/dev/rob0
On Mon, Sep 11, 2017 at 10:50:56AM -0400, Kris Deugau wrote:
> @lbutlr wrote:
> > Is there anything more you could do? Not really. If you really
> > want the log lines to go away you could put in a DENY in your
> > hosts table, but if you do that you're going to be doing it A
> > LOT.

Note that hosts_access(5) / tcpd(8) won't be much less than
postscreen itself.  You'd still have the TCP connection.  Also,
postscreen here is not linked against libwrap.  I'm not sure if
Postfix supports it?

> *nod* If there's only one persistent host, it may be worth
> blocking at some higher level (I'm partial to "iptables -j DENY")

<mode=pedant> There's no native DENY target in iptables.  There is
"DROP", a built-in target, and "REJECT", a target extension with
various options for ICMP rejections to send. </mode>

> but if the connections aren't resulting in spam actually
> arriving at some mailbox on your system the only "problem" is
> the volume of log data.

Right.  Firewall blocking (perhaps via some mechanism like fail2ban
+ ipset) isn't a bad idea, but it's certainly not necessary.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Throttling bursts of connections at postscreen? More to do here?

yodeller
> > > Is there anything more you could do? Not really. If you really
> > > want the log lines to go away you could put in a DENY in your
> > > hosts table, but if you do that you're going to be doing it A
> > > LOT.

I wanted to know if these were overloading Postfix.  Sounds like a no.

Also sounds like just Postscreen is dealing with these with no problem, and no resource overload.

And, I've put in place fail2ban + ipset to "shut these up" too.

Thanks!
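The two things this thread settles on, checking that postscreen really hands none of these sessions to a real smtpd and then shutting the burst up with fail2ban + ipset, as one added example. This is not code from the thread, from Postfix or from fail2ban; it is written here in Python so the log handling runs stand-alone. It parses a constructed log in the shape quoted in the first post, reports per client how many sessions produced a PASS NEW/OLD line (zero means postscreen kept them out), applies fail2ban's maxretry/findtime rule to the PREGREET hits, and returns the ipset and iptables commands a ban action would run. The well-behaved client 198.51.100.9, the set name postscreen-burst and the 10-hits-in-60-seconds threshold are assumptions chosen for the example; the immediate DISCONNECT after each PREGREET in the excerpt is consistent with postscreen_greet_action=drop.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shapes quoted in the thread; <ip> plays the role of fail2ban's <HOST> tag.
TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
PATTERNS = {
    "connect":  re.compile(TS + r"postfix/postscreen\[\d+\]: CONNECT from \[(?P<ip>[^\]]+)\]:\d+"),
    "pregreet": re.compile(TS + r"postfix/postscreen\[\d+\]: PREGREET \d+ after [\d.]+ from \[(?P<ip>[^\]]+)\]:\d+"),
    "pass":     re.compile(TS + r"postfix/postscreen\[\d+\]: PASS (?:NEW|OLD) \[(?P<ip>[^\]]+)\]:\d+"),
    "dnsbl":    re.compile(TS + r"postfix/dnsblog\[\d+\]: addr (?P<ip>\S+) listed by domain (?P<zone>\S+) as (?P<code>\S+)"),
}

def parse_ts(raw):
    # syslog stamps carry no year; strptime fills in 1900, which is fine for deltas
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")

def parse_log(text):
    """Return (timestamp, kind, client_ip, extra) for every recognised line."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                d = m.groupdict()
                events.append((parse_ts(d.pop("ts")), kind, d.pop("ip"), d))
                break
    return events

def summarize(events):
    """Per client: connections, PREGREET rejections, DNSBL listings, and how many
    sessions were passed to a real smtpd. passed == 0 is the answer to the OP's question."""
    out = defaultdict(lambda: {"connect": 0, "pregreet": 0, "passed": 0, "dnsbl": set()})
    for _, kind, ip, extra in events:
        row = out[ip]
        if kind == "dnsbl":
            row["dnsbl"].add(f"{extra['zone']}={extra['code']}")
        elif kind == "pass":
            row["passed"] += 1
        else:
            row[kind] += 1
    return dict(out)

def burst_offenders(events, maxretry=10, findtime=60):
    """fail2ban semantics: ban a client with >= maxretry PREGREET hits inside any
    findtime-second window. Returns {ip: time the threshold was crossed}."""
    hits = defaultdict(list)
    for ts, kind, ip, _ in events:
        if kind == "pregreet":
            hits[ip].append(ts)
    window, banned = timedelta(seconds=findtime), {}
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= window:
                banned[ip] = stamps[i]
                break
    return banned

def ipset_commands(banned, setname="postscreen-burst", bantime=3600):
    """What a fail2ban ipset action runs: create the set (idempotent via -exist),
    match it in front of port 25, add each offender with a timeout so the ban
    expires on its own. The iptables rule belongs in setup, inserted once."""
    cmds = [
        f"ipset create {setname} hash:ip timeout {bantime} -exist",
        f"iptables -I INPUT -p tcp --dport 25 -m set --match-set {setname} src -j DROP",
    ]
    return cmds + [f"ipset add {setname} {ip} timeout {bantime} -exist" for ip in sorted(banned)]

def syslog_stamp(ts):
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # 'Sep  6 03:22:20', as syslog writes it

def constructed_sample(burst=12):
    """Constructed log modelled on the thread's excerpt: 62.210.140.7 repeats
    CONNECT / dnsblog / PREGREET / DISCONNECT every half second, then an assumed
    well-behaved client (198.51.100.9) waits out the greeting and is passed on."""
    t0, lines = datetime(1900, 9, 6, 3, 22, 20), []
    for i in range(burst):
        s, port = syslog_stamp(t0 + timedelta(milliseconds=500 * i)), 53039 + i
        lines += [
            f"{s} cont03 postfix/postscreen[35432]: CONNECT from [62.210.140.7]:{port} to [192.0.2.1]:25",
            f"{s} cont03 postfix/dnsblog[35436]: addr 62.210.140.7 listed by domain zen.spamhaus.org as 127.0.0.4",
            f"{s} cont03 postfix/postscreen[35432]: PREGREET 14 after 0.14 from [62.210.140.7]:{port}: EHLO mdb3Fue\\r\\n",
            f"{s} cont03 postfix/postscreen[35432]: DISCONNECT [62.210.140.7]:{port}",
        ]
    t1 = t0 + timedelta(seconds=30)
    lines += [
        f"{syslog_stamp(t1)} cont03 postfix/postscreen[35432]: CONNECT from [198.51.100.9]:41000 to [192.0.2.1]:25",
        f"{syslog_stamp(t1 + timedelta(seconds=6))} cont03 postfix/postscreen[35432]: PASS NEW [198.51.100.9]:41000",
    ]
    return "\n".join(lines)

def run_demo():
    events = parse_log(constructed_sample())
    banned = burst_offenders(events)
    return summarize(events), banned, ipset_commands(banned)

if __name__ == "__main__":
    summary, banned, cmds = run_demo()
    for ip, row in summary.items():
        print(ip, row)
    print("\n".join(cmds))
```

On a real box, feed it the postscreen lines from mail.log or journalctl instead of constructed_sample(), insert the iptables rule once during setup (check with iptables -C before adding it again), and leave the rule in place: because the set carries a timeout, entries age out by themselves and the rule simply matches nothing when the set is empty. Keep the threshold well above what a legitimate retrying MTA produces; a PREGREET hit already means the client spoke before the banner, so false positives come only from broken software, not from normal mail.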

Re: Throttling bursts of connections at postscreen? More to do here?

@lbutlr
In reply to this post by /dev/rob0
On 11 Sep 2017, at 10:24, /dev/rob0 <[hidden email]> wrote:
> <mode=pedant>

Surely <mode class="pedant">?

(runs)

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.