What are these types trying to do?


What are these types trying to do?

Gerben Wierda
Now that I finally have a postfix back with actual logging, I noticed this in my log:

Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
Dec 30 23:26:10 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49631 to [192.168.2.66]:25
Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.25 from [182.99.42.88]:49631: EHLO ylmf-pc\r\n
Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
Dec 30 23:26:11 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
Dec 30 23:26:11 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
Dec 30 23:26:14 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49966 to [192.168.2.66]:25
Dec 30 23:26:14 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49966: EHLO ylmf-pc\r\n
Dec 30 23:26:14 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
Dec 30 23:26:14 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
Dec 30 23:26:14 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
Dec 30 23:26:18 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:50289 to [192.168.2.66]:25
Dec 30 23:26:18 mail postfix/postscreen[16020]: PREGREET 14 after 0.25 from [182.99.42.88]:50289: EHLO ylmf-pc\r\n
Dec 30 23:26:18 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
Dec 30 23:26:18 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
Dec 30 23:26:18 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1

And then lots of this. It goes on and on and on.

I was wondering (just curious) what these (Chinese) types are actually trying to do. It looks like polling based on the expectation that some other payload has corrupted my postfix. But I'm curious as to what it really is (if known).

(Time to set a pf rule set on geolocation, I guess)

G


Re: What are these types trying to do?

Viktor Dukhovni
On Mon, Dec 30, 2019 at 11:32:11PM +0100, Gerben Wierda wrote:

> Now that I finally have a postfix back with actual logging, I noticed this in my log:
>
> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1

Are the smtpd(8) connections on a different port?  One might expect
postscreen to block clients that send EHLO before the greeting is
received.

> And then lots of this. It goes on and on and on.

Welcome to the Internet...

> I was wondering (just curious) what these (Chinese) types are actually
> trying to do. It looks like polling based on the expectation that some
> other payload has corrupted my postfix. But I'm curious as to what it
> really is (if known).

It doesn't matter.

> (Time to set a pf rule set on geolocation, I guess)

I wouldn't bother, but since the host has no PTR record you can,
just in case, add:

    reject_unknown_reverse_client_hostname

to your smtpd_client_restrictions.

--
    Viktor.

Re: What are these types trying to do?

allenc
In reply to this post by Gerben Wierda


On 30/12/2019 22:32, Gerben Wierda wrote:
> Now that I finally have a postfix back with actual logging, I noticed this in my log:
>
> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]

<< etc >>

if you set the parameter

postscreen_greet_action = ENFORCE, or
postscreen_greet_action = DROP

these connections will be held back by postscreen, and will not actually reach
postfix.

The ENFORCE option will collect the (envelope) FROM and TO addresses for stats
purposes, if they are proffered.

Hope this helps

Allen C
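Whether postscreen is merely logging PREGREET or actually enforcing it can be read straight from the log: in Gerben's excerpt every PREGREET line is immediately followed by an smtpd "connect from unknown[...]" for the same address, which is exactly what postscreen_greet_action = ENFORCE or DROP stops. The script below is an added example written for this page (it is not part of any reply and not a Postfix tool); it parses lines in the format shown above and reports, per pregreeting client, how often it still reached smtpd. The sample log lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's log lines (documentation
# addresses, not copied from any real server). The first client is a
# pregreeter that still reaches smtpd, the second is a pregreeter that
# postscreen drops, the third is a normal client that passes the tests.
SAMPLE_LOG = r"""
Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [192.0.2.10]:49546 to [192.0.2.1]:25
Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [192.0.2.10]:49546: EHLO ylmf-pc\r\n
Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[192.0.2.10]
Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[192.0.2.10]
Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[192.0.2.10] ehlo=1 commands=1
Dec 30 23:26:14 mail postfix/postscreen[16020]: CONNECT from [192.0.2.10]:49966 to [192.0.2.1]:25
Dec 30 23:26:14 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [192.0.2.10]:49966: EHLO ylmf-pc\r\n
Dec 30 23:26:14 mail postfix/smtpd[16048]: connect from unknown[192.0.2.10]
Dec 30 23:26:14 mail postfix/smtpd[16048]: disconnect from unknown[192.0.2.10] ehlo=1 commands=1
Dec 30 23:27:01 mail postfix/postscreen[16020]: CONNECT from [198.51.100.7]:40000 to [192.0.2.1]:25
Dec 30 23:27:02 mail postfix/postscreen[16020]: PREGREET 14 after 0.31 from [198.51.100.7]:40000: EHLO ylmf-pc\r\n
Dec 30 23:27:02 mail postfix/postscreen[16020]: DISCONNECT [198.51.100.7]:40000
Dec 30 23:27:30 mail postfix/postscreen[16020]: CONNECT from [203.0.113.5]:51000 to [192.0.2.1]:25
Dec 30 23:27:36 mail postfix/postscreen[16020]: PASS NEW [203.0.113.5]:51000
Dec 30 23:27:36 mail postfix/smtpd[16048]: connect from mx.example.net[203.0.113.5]
"""

# "PREGREET <bytes> after <seconds> from [<ip>]:<port>: <what the client sent>"
PREGREET_RE = re.compile(
    r"postfix/postscreen\[\d+\]: PREGREET (\d+) after ([\d.]+) from \[([^\]]+)\]:\d+: (.*)$"
)
# "connect from <name>[<ip>]" logged by smtpd once postscreen hands a client over
SMTPD_CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from ([^\s\[]+)\[([^\]]+)\]")


def analyse(log_text):
    """Per pregreeting client: how many PREGREET verdicts postscreen logged,
    what the client said before the banner, whether its reverse name resolved,
    and how many times a PREGREET was followed by an smtpd connect from the
    same address (which only happens while postscreen_greet_action is 'ignore')."""
    stats = defaultdict(lambda: {"pregreet": 0, "payloads": set(),
                                 "reached_smtpd": 0, "unknown_rdns": False})
    pending = set()  # addresses whose most recent postscreen verdict was PREGREET
    for line in log_text.strip().splitlines():
        m = PREGREET_RE.search(line)
        if m:
            _size, _delay, ip, payload = m.groups()
            entry = stats[ip]
            entry["pregreet"] += 1
            # the log shows the line terminator as the literal characters \r\n
            entry["payloads"].add(payload.replace("\\r\\n", ""))
            pending.add(ip)
            continue
        m = SMTPD_CONNECT_RE.search(line)
        if m and m.group(2) in pending:
            ip = m.group(2)
            stats[ip]["reached_smtpd"] += 1
            stats[ip]["unknown_rdns"] = stats[ip]["unknown_rdns"] or m.group(1) == "unknown"
            pending.discard(ip)
    return dict(stats)


def leaked_pregreeters(stats):
    """Addresses that talked early and still got an smtpd process: if this is
    non-empty, postscreen is only logging PREGREET, not enforcing it."""
    return sorted(ip for ip, s in stats.items() if s["reached_smtpd"])


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(f"{ip}: {s['pregreet']} pregreet, reached smtpd {s['reached_smtpd']}x, "
              f"rDNS unknown={s['unknown_rdns']}, said {sorted(s['payloads'])}")
    print("postscreen enforcing:", not leaked_pregreeters(result))
```

Run it against a real maillog by feeding the file's contents to analyse(); an empty list from leaked_pregreeters() means the ENFORCE setting is doing its job, and the "unknown_rdns" flag shows which of the pregreeters would also be caught by the reverse-hostname restriction suggested earlier in the thread.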

Re: What are these types trying to do?

Benny Pedersen-2
In reply to this post by Viktor Dukhovni
Viktor Dukhovni wrote on 2019-12-30 23:46:

>> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from
>> [182.99.42.88]:49546 to [192.168.2.66]:25
>> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26
>> from [182.99.42.88]:49546: EHLO ylmf-pc\r\n

https://blog.sys4.de/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp-de.html

to remove noise in log files

# cat shorewall-rules
?SECTION ESTABLISHED
DROP net $FW tcp 25;;-m string --algo bm --string "EHLO ylmf-pc"

Re: What are these types trying to do?

Wietse Venema
In reply to this post by Gerben Wierda
Gerben Wierda:
> Now that I finally have a postfix back with actual logging, I noticed this in my log:
>
> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1

This is a very common spambot. Postfix sends

        220-$smtpd_banner

and it talks before its turn with:

         EHLO ylmf-pc

These bots are very stupid and very persistent. My maillog file for
today has 3500 of these, and that is with 6 more hours to go.

> I was wondering (just curious) what these (Chinese) types are
> actually trying to do.

Trying to send spam, with a borked SMTP implementation. This is
the most common postscreen pregreet pattern.

> It looks like polling based on the expectation that some other
> payload has corrupted my postfix. But I'm curious as to what it really
> is (if known).

You are vastly overestimating this spambot.

        Wietse
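The exchange Wietse describes (Postfix sends a "220-" banner line, the bot speaks before its turn) is what the pregreet test keys on. The toy below is an added simulation written for this page, not postscreen's code: a greeter sends the first banner line, waits a short greet window (standing in for postscreen_greet_wait), and treats anything received before the final "220 " line as a PREGREET, closing the connection the way ENFORCE or DROP would. A well-behaved client and an impatient one are run against it over a local socketpair; the banner text and the 0.3 s window are constructed values.

```python
import socket
import threading
import time

# Constructed two-line greeting in the "220-$smtpd_banner" style the thread
# mentions; a real postscreen sends the first line, waits postscreen_greet_wait,
# and only then completes the greeting.
BANNER_FIRST = b"220-mail.example.invalid ESMTP Postfix\r\n"
BANNER_LAST = b"220 mail.example.invalid ESMTP Postfix\r\n"


def greeter(conn, greet_wait=0.3):
    """Toy pregreet test. Send the first banner line, then watch the socket for
    greet_wait seconds. A compliant client stays silent until it has seen the
    final '220 ' line; anything that arrives before that is a PREGREET and the
    connection is closed without ever reaching an smtpd-like stage.
    Returns (verdict, detail) in the spirit of postscreen's log line."""
    start = time.monotonic()
    conn.sendall(BANNER_FIRST)
    conn.settimeout(greet_wait)
    try:
        early = conn.recv(1024)
    except (socket.timeout, TimeoutError):
        early = b""
    if early:
        elapsed = time.monotonic() - start
        conn.close()  # ENFORCE/DROP-style outcome: the client never sees smtpd
        return ("PREGREET", f"PREGREET {len(early)} after {elapsed:.2f}: {early!r}")
    conn.sendall(BANNER_LAST)
    return ("PASS", "client waited for the full greeting")


def polite_client(conn):
    """Reads until the final '220 ' line, then sends EHLO (RFC 5321 order)."""
    buf = b""
    while b"\r\n220 " not in b"\r\n" + buf:
        chunk = conn.recv(1024)
        if not chunk:
            return
        buf += chunk
    conn.sendall(b"EHLO relay.example.invalid\r\n")


def impatient_client(conn):
    """Sends EHLO without reading the greeting: the behaviour the log shows."""
    conn.sendall(b"EHLO ylmf-pc\r\n")


def run_pregreet_test(client, greet_wait=0.3):
    """Wire one client function to the greeter over a socketpair and return
    the greeter's verdict."""
    server_side, client_side = socket.socketpair()
    outcome = []

    def serve():
        outcome.append(greeter(server_side, greet_wait))

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        client(client_side)
    finally:
        worker.join()
        client_side.close()
        server_side.close()
    return outcome[0]


if __name__ == "__main__":
    for name, client in (("polite", polite_client), ("impatient", impatient_client)):
        print(name, run_pregreet_test(client))
```

The point the simulation makes is Wietse's: no protocol knowledge beyond "wait for the greeting" is needed to separate this bot from a real MTA, which is why the pregreet test is cheap and why ENFORCE keeps these sessions away from smtpd entirely.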

Re: What are these types trying to do?

Gerben Wierda
In reply to this post by Viktor Dukhovni

On 30 Dec 2019, at 23:46, Viktor Dukhovni <[hidden email]> wrote:

> On Mon, Dec 30, 2019 at 11:32:11PM +0100, Gerben Wierda wrote:
>
>> Now that I finally have a postfix back with actual logging, I noticed this in my log:
>>
>> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
>> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
>> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
>> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
>> Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
>
> Are the smtpd(8) connections on a different port?  One might expect
> postscreen to block clients that send EHLO before the greeting is
> received.

# SMTP on port 25, handled by postscreen before passing it on to
# smtpd
smtp      inet  n       -       n       -       1       postscreen
# smtpd, which listens on /opt/local/var/spool/postfix/smtpd
smtpd     pass  -       -       n       -       -       smtpd
#  -o receive_override_options=no_address_mappings
# dnsblog, which listens on /opt/local/var/spool/postfix/dnsblog
dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy, which listens on /opt/local/var/spool/postfix/tlsproxy
tlsproxy  unix  -       -       n       -       0       tlsproxy
# submission which listens on port 587:
# TLS and authentication are required on this port
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission

So, postscreen gets the smtp connection (port 25). smtpd listens directly on the submission port. (I have been wondering whether to use 465 again, since IANA has reassigned it for secure SMTP.)

>> And then lots of this. It goes on and on and on.
>
> Welcome to the Internet…

Since 1990-1991 ;-)

I know.

>> I was wondering (just curious) what these (Chinese) types are actually
>> trying to do. It looks like polling based on the expectation that some
>> other payload has corrupted my postfix. But I'm curious as to what it
>> really is (if known).
>
> It doesn't matter.
>
>> (Time to set a pf rule set on geolocation, I guess)
>
> I wouldn't bother, but since the host has no PTR record you can,
> just in case, add:
>
>    reject_unknown_reverse_client_hostname
>
> to your smtpd_client_restrictions.

Yes. Hmm, does that come with a big risk for stopping legitimate mail? Probably yes given the amount of poorly written smtp clients on web sites.

> --
>    Viktor.


Re: What are these types trying to do?

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:

> Gerben Wierda:
> > Now that I finally have a postfix back with actual logging, I noticed this in my log:
> >
> > Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
> > Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> > Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> > Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
> > Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
>
> This is a very common spambot. Postfix sends
>
> 220-$smtpd_banner
>
> and it talks before its turn with:
>
> EHLO ylmf-pc
>
> These bots are very stupid and very persistent. My maillog file for
> today has 3500 of these, and that is with 6 more hours to go.

Oh, and I do ENFORCE the pregreet test, so these bots never get
to talk to a Postfix SMTP daemon.

        Wietse

> > I was wondering (just curious) what these (Chinese) types are
> > actually trying to do.
>
> Trying to send spam, with a borked SMTP implementation. This is
> the most common postscreen pregreet pattern.
>
> > It looks like polling based on the expectation that some other
> > payload has corrupted my postfix. But I'm curious as to what it really
> > is (if known).
>
> You are vastly overestimating this spambot.
>
> Wietse
>

Re: What are these types trying to do?

Viktor Dukhovni
In reply to this post by Gerben Wierda
On Tue, Dec 31, 2019 at 12:20:58AM +0100, Gerben Wierda wrote:

> > since the host has no PTR record you can, just in case, add:
> >
> >    reject_unknown_reverse_client_hostname
> >
> > to your smtpd_client_restrictions.
>
> Yes. Hmm, does that come with a big risk for stopping legitimate mail?
> Probably yes given the amount of poorly written smtp clients on web
> sites.

Actually, requiring remote SMTP clients to have a PTR record is
reasonably safe.  The less safe version, that is not recommended, is
requiring that PTR record to also forward resolve to the connecting IP
address.

Of course you could be unlucky enough to receive important email from
such clients, but that is not at all common, and such senders would
already be blocked at most SMTP servers on the public Internet.

--
    Viktor.
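Viktor's distinction, requiring only that a PTR record exist versus requiring that the PTR name also resolve forward to the connecting address, is the difference between reject_unknown_reverse_client_hostname and the stricter reject_unknown_client_hostname. The model below is an added example written for this page, not Postfix's implementation: it replaces the resolver with a constructed lookup table (documentation addresses; None stands for a DNS timeout) and evaluates both policies side by side. Reply codes are modelled on Postfix's unknown_client_reject_code, whose default is 450 so that a DNS outage defers rather than bounces; the reply texts are approximations of Postfix's.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS. PTR: address -> names ([] = NXDOMAIN,
# None = temporary failure). A: name -> addresses. Not real records.
PTR: Dict[str, Optional[List[str]]] = {
    "203.0.113.5": ["mx.example.net"],      # PTR present and forward-confirmed
    "203.0.113.6": ["shared.example.org"],  # PTR present, forward points elsewhere
    "192.0.2.10": [],                       # no PTR at all (the bot's situation)
    "198.51.100.9": None,                   # resolver timed out
}
A: Dict[str, List[str]] = {
    "mx.example.net": ["203.0.113.5"],
    "shared.example.org": ["203.0.113.99"],
}

# Postfix default for unknown_client_reject_code; 450 keeps DNS hiccups soft.
UNKNOWN_CLIENT_REJECT_CODE = 450


def classify_client(ip: str) -> Tuple[str, str, bool]:
    """Attach a name to a connecting address the way an MTA does:
    returns (reverse_name, reverse_status, forward_confirmed)."""
    names = PTR.get(ip, [])
    if names is None:
        return ("unknown", "tempfail", False)
    if not names:
        return ("unknown", "nxdomain", False)
    name = names[0]
    return (name, "ok", ip in A.get(name, []))


def _reject_code(status: str) -> int:
    # a temporary lookup failure is always deferred, never permanently rejected
    return 450 if status == "tempfail" else UNKNOWN_CLIENT_REJECT_CODE


def reject_unknown_reverse_client_hostname(ip: str) -> Tuple[str, str]:
    """Weaker policy: reject only when the address has no PTR record."""
    name, status, _confirmed = classify_client(ip)
    if status == "ok":
        return ("OK", name)
    return (f"REJECT {_reject_code(status)}",
            f"Client host rejected: cannot find your reverse hostname, [{ip}]")


def reject_unknown_client_hostname(ip: str) -> Tuple[str, str]:
    """Stricter policy (the one Viktor does not recommend): the PTR name must
    also resolve back to the connecting address."""
    name, status, confirmed = classify_client(ip)
    if status == "ok" and confirmed:
        return ("OK", name)
    return (f"REJECT {_reject_code(status)}",
            f"Client host rejected: cannot find your hostname, [{ip}]")


def compare_policies(ips: List[str]) -> Dict[str, Tuple[str, str]]:
    """Verdict of each policy per address, to see where the two diverge."""
    return {ip: (reject_unknown_reverse_client_hostname(ip)[0],
                 reject_unknown_client_hostname(ip)[0]) for ip in ips}


if __name__ == "__main__":
    for ip, (weak, strict) in compare_policies(list(PTR)).items():
        print(f"{ip:14} reverse-only: {weak:12} forward-confirmed: {strict}")
```

The table makes Viktor's risk assessment concrete: the reverse-only check turns away the PTR-less client and defers the one whose DNS timed out, but still accepts 203.0.113.6, a legitimate but sloppily configured sender whose PTR does not forward-confirm; only the stricter policy rejects that one, which is why it is the less safe choice.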

Re: What are these types trying to do?

Gerben Wierda
In reply to this post by allenc

> On 31 Dec 2019, at 00:11, Allen Coates <[hidden email]> wrote:
>
>
>
> On 30/12/2019 22:32, Gerben Wierda wrote:
>> Now that I finally have a postfix back with actual logging, I noticed this in my log:
>>
>> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
>> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
>> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
>> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
>
> << etc >>
>
> if you set the parameter
>
> postscreen_greet_action = ENFORCE, or

I've done this as well as the reject_unknown_reverse_client_hostname

G

Re: What are these types trying to do?

Gerben Wierda
In reply to this post by Wietse Venema
On 31 Dec 2019, at 00:24, Wietse Venema <[hidden email]> wrote:

> These bots are very stupid and very persistent. My maillog file for
> today has 3500 of these, and that is with 6 more hours to go.


9500 in 13 hours here. With the new settings (ENFORCE) smtpd is spared, but I still have this junk in my log.

Definitely going to look into pf and blocking geolocations.

G

Re: What are these types trying to do?

Viktor Dukhovni
On Tue, Dec 31, 2019 at 01:50:43AM +0100, Gerben Wierda wrote:

> 9500 in 13 hours here. With the new settings (ENFORCE) smtpd is spared but I
> still have this junk in my log
>
> Definitely going to look into pf and blocking geolocations.

Accumulation of a pile of ad-hoc filter rules makes your MTA brittle
over time.  My advice is to just ignore the noise in the logs, there'll
always be new noise.  Just let it go.  Postscreen is working for you,
without custom rules for each new source.

--
    Viktor.

Re: What are these types trying to do?

Darac Marjal
In reply to this post by Benny Pedersen-2

On 30/12/2019 23:12, Benny Pedersen wrote:

> Viktor Dukhovni wrote on 2019-12-30 23:46:
>
>>> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from
>>> [182.99.42.88]:49546 to [192.168.2.66]:25
>>> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after
>>> 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
>
> https://blog.sys4.de/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp-de.html
>
>
> to remove noise in log files
>
> # cat shorewall-rules
> ?SECTION ESTABLISHED
> DROP net $FW tcp 25;;-m string --algo bm --string "EHLO ylmf-pc"
Thank you.

