Frequent&Annoying smtpd/smtp-in connections with 503 5.5.1 from GTT.NET

[toorski]

I run my own smtpd server, direct:
11.2-RELEASE FreeBSD with OpenSMTPD 5.9.2p1 – in jail

with the following, partial output, smtpd.conf

listen on localhost port 25
listen on em0 port 587 tls pki  mydomain.com hostname  mydomain.com auth-optional
listen on em0 smtps pki mydomain.com hostname mydomain.com auth

The server works fine, according to me&I I can communicate and exchange email with smtpd servers world-wide.

But, I do get flooded with unexpected connections (all day&night), only from these 2 IP(s) that belong to gtt.net

Apr 21 19:01:09 webhost smtpd[48748]: smtp-in: Received disconnect from session 245cf35649a290f6
Apr 21 19:05:50 webhost smtpd[48748]: smtp-in: New session 245cf3594b63769b from host 185.234.217.188 [185.234.217.188]
Apr 21 19:05:51 webhost smtpd[48748]: smtp-in: Failed command on session 245cf3594b63769b: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 21 19:05:51 webhost smtpd[48748]: smtp-in: Received disconnect from session 245cf3594b63769b
Apr 21 19:07:22 webhost smtpd[48748]: smtp-in: New session 245cf35c4f541cf6 from host 185.234.216.164 [185.234.216.164]
Apr 21 19:07:23 webhost smtpd[48748]: smtp-in: Failed command on session 245cf35c4f541cf6: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 21 19:07:23 webhost smtpd[48748]: smtp-in: Received disconnect from session 245cf35c4f541cf6
Apr 21 19:12:01 webhost smtpd[48748]: smtp-in: New session 245cf35f9ed36b77 from host 185.234.217.188 [185.234.217.188]
Apr 21 19:12:02 webhost smtpd[48748]: smtp-in: Failed command on session 245cf35f9ed36b77: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported
Apr 21 19:12:02 webhost smtpd[48748]: smtp-in: Received disconnect from session 245cf35f9ed36b77
Apr 21 19:13:33 webhost smtpd[48748]: smtp-in: New session 245cf36277fa40e6 from host 185.234.216.164 [185.234.216.164]
Apr 21 19:13:33 webhost smtpd[48748]: smtp-in: Failed command on session 245cf36277fa40e6: "AUTH LOGIN" => 503 5.5.1 Invalid command: Command not supported

I wonder why?

 

[Datapanic]

Set up pf and fail2ban and block them.

 

[SirDice]

I wonder why?

These are bots looking for an easy way in. Any service you open will get hit by a multitude of bots and malware within a couple of minutes. Welcome to the internet.

 

[toorski]

I know that the annoying smtp-in connections are searching for open relay. But, why the dumb bots or hacktards can't learn through AI that if they try 2 times and it doesn't work, another 100 tries won't work either. My mail server has only 2 options - yes or no! LOL

Welcome to TCP/IP, the half broken (by design) communication network, a.k.a Internet, released for public use by the rulers. “IT” is yet another communication medium, after smoke signals, sound signals, light signals, telegraph and telephone, that offers the “who where and what” for those who want to know. Some tried all types of tricks to prevent others from decoding their “whwhwh” messages, but it always failed, despite differences in various languages used around the world, encoding methods, means of delivery and cooperating weather conditions - hehe

As to Internet’s who, when, where and why, here it is:

Google Drive: Sign-in

Access Google Drive with a Google account (for personal use) or Google Workspace account (for business use).

drive.google.com

 

[SirDice]

But, why the dumb bots or hacktards can't learn through AI that if they try 2 times and it doesn't work, another 100 tries won't work either.

Bots are typically small, simple creatures. Bots don't care if it doesn't work. I've seen bots fire off Windows IIS exploits on an Apache server and vice versa. Bots will poke until they run out of things to try. Even if one in a million attacks succeeds the bot will propagate itself. Statistics does the rest.