
[sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" logs

fonz

Son of Beastie

Thanks: 366
Messages: 2,562

#1
My mailserver's logs contain lots of the following lines:
Code:
<timestamp> mail sm-mta[62748]: s1H2MWNN062748: foo.bar.com [<IP address>] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
There are over 1,000 such entries from the same hostname/IP within a period of ten minutes or so. Is there any chance this is just a crappy misconfigured server, or is it a spammer trying to abuse my server for relaying?
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,558
Messages: 13,856

#2
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

If it was trying to relay, it would probably have done something. Possibly a misconfigured spambot. I'd firewall and forget. If it turns out they have anything legitimate to say, they can send it through somebody else's working mail server.
 

fonz

Son of Beastie

Thanks: 366
Messages: 2,562

#3
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

Thanks. vim /etc/pf.conf and service pf restart it is.
 

Chris_H

Aspiring Daemon

Thanks: 111
Messages: 829

#4
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

FWIW I see those all the time; in fact, for years. The general consensus is that it's a spam(mer|bot) that attempts to "pipeline" the spam from a dictionary's worth of names it hopes to find on your MX. The problem is; they simply open a connection, expecting to be immediately able to start pumping your MX with DATA. In other words; they never wait for the ACK from your MX. That is what elicits the EXPN/VRFY from your MX.

HTH

--Chris
 

fonz

Son of Beastie

Thanks: 366
Messages: 2,562

#5
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

@Chris_H, thanks for the background information.
 

Chris_H

Aspiring Daemon

Thanks: 111
Messages: 829

#6
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

You're very welcome, @fonz.

Thank you, too. For all the help you've given me, in the past :)

--Chris
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,558
Messages: 13,856

#7
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

fonz said:
Thanks. vim /etc/pf.conf and service pf restart it is.
service pf reload reloads the rules without killing existing connections (like the SSH connection you may be using to change them).
 

Chris_H

Aspiring Daemon

Thanks: 111
Messages: 829

#8
Re: [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" l

Excellent. That's great to know.

Thanks, @wblock@.

--Chris
 

fullauto2012

Active Member

Thanks: 27
Messages: 161

#9
I have had my SMTP server running for 8 hours.
This is how many of these I have.
Is this normal?
Is there a better way to keep up with adding all these IPs to my pf.conf than just grepping for them and manually adding?

Code:
root@kif:/usr/local/etc/dovecot # date
Tue Dec 12 09:27:28 EST 2017
root@kif:/usr/local/etc/dovecot # cat /var/log/maillog | grep "did not issue" | cut -d "[" -f 1 -f 3
Dec 12 00:01:00 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:05:06 kif sm-mta[193.70.87.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:09:23 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:13:22 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:17:41 kif sm-mta[95.177.213.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:22:00 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:26:01 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:30:07 kif sm-mta[118.219.45.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:34:03 kif sm-mta[178.33.107.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:38:12 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:42:33 kif sm-mta[203.191.174.55] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:46:24 kif sm-mta[87.98.131.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:50:39 kif sm-mta[213.156.120.22] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:54:46 kif sm-mta[91.237.124.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:58:59 kif sm-mta[91.237.124.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:03:08 kif sm-mta[170.83.76.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:07:11 kif sm-mta[175.136.232.97] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:12:49 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:15:34 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:19:48 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:24:04 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:28:07 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:36:36 kif sm-mta[82.185.149.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:40:47 kif sm-mta[95.177.213.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:44:57 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:49:04 kif sm-mta[185.109.169.71] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:53:13 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:57:29 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:01:38 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:05:50 kif sm-mta[200.49.145.161] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:14:13 kif sm-mta[193.70.87.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:18:17 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:22:28 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:26:34 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:30:40 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:38:58 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:43:04 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:47:44 kif sm-mta[137.101.210.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:51:12 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:55:17 kif sm-mta[41.87.95.33] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:59:15 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:03:24 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:07:29 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:11:36 kif sm-mta[191.248.224.38] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:15:39 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:16:49 kif sm-mta[139.162.99.243] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:19:38 kif sm-mta[41.87.95.33] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:23:41 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:31:41 kif sm-mta[178.33.107.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:35:54 kif sm-mta[95.59.137.196] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:39:54 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:44:01 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:48:03 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:52:19 kif sm-mta[41.180.72.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:56:24 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:00:28 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:04:42 kif sm-mta[2.42.219.63] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:08:40 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:12:59 kif sm-mta[120.150.227.127] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:17:02 kif sm-mta[202.131.203.163] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:21:12 kif sm-mta[149.135.117.174] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:25:14 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:29:27 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:33:33 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:37:43 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:41:58 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:45:55 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:54:13 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:58:15 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:02:29 kif sm-mta[95.59.137.196] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:06:45 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:10:43 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:15:10 kif sm-mta[200.85.52.74] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:19:01 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:23:14 kif sm-mta[190.216.165.6] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:27:21 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:31:36 kif sm-mta[110.145.123.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:35:45 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:36:13 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:40:17 kif sm-mta[88.23.251.86] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:43:53 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:48:27 kif sm-mta[120.150.227.127] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:52:33 kif sm-mta[110.145.123.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:56:41 kif sm-mta[94.46.187.190] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:00:55 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:05:12 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:09:21 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:13:48 kif sm-mta[88.23.251.86] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:21:42 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:25:53 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:28:21 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:30:14 kif sm-mta[181.49.39.70] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:31:25 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:34:29 kif sm-mta[82.185.149.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:34:43 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:37:59 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:38:32 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:41:16 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:42:44 kif sm-mta[200.105.132.238] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:44:42 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:46:57 kif sm-mta[94.46.187.190] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:48:26 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:51:06 kif sm-mta[170.83.76.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:51:51 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:55:11 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:55:22 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:58:53 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:59:27 kif sm-mta[185.109.169.71] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:02:14 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:03:39 kif sm-mta[2.42.219.63] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:05:41 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:07:35 kif sm-mta[190.223.59.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:09:01 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:12:27 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:15:49 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:15:49 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:18:58 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:19:50 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:22:24 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:24:01 kif sm-mta[118.219.45.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:25:52 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:28:08 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:29:17 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:32:14 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:32:47 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:36:11 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:36:23 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:40:00 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:40:26 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:43:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:44:19 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:46:36 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:48:34 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:49:59 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:52:43 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:53:21 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:56:35 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:56:49 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:59:48 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:01:01 kif sm-mta[220.130.186.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:03:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:05:06 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:06:34 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:09:28 kif sm-mta[24.139.47.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:10:02 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:13:23 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:13:24 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:16:46 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:17:35 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:20:10 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:21:34 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:23:31 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:25:41 kif sm-mta[220.130.186.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:26:57 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:29:46 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:30:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:33:40 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:33:47 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:37:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:37:51 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:40:33 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:42:08 kif sm-mta[24.139.47.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:44:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:46:02 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:47:43 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:51:14 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:54:18 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:54:31 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:58:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:58:47 kif sm-mta[137.101.210.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:01:33 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:02:17 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:04:56 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:06:26 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:08:30 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:12:04 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:14:40 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:15:23 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:18:33 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:18:51 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:22:16 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:22:42 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:25:42 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:26:47 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,691

#10

DutchDaemon

Administrator
Staff member
Administrator
Moderator

Thanks: 2,493
Messages: 11,095

#11
Note that these can also be SMTP AUTH attacks, which will not be logged as such if you have no authentication mechanisms set up. blacklistd(8) will pick them right out for you.

Use something like
Code:
[local]
smtp            stream  *       *               *       3       30d
smtps           stream  *       *               *       3       30d
submission      stream  *       *               *       3       30d
in blacklistd.conf. You must use Sendmail from ports with the blacklistd option activated though.
 

fullauto2012

Active Member

Thanks: 27
Messages: 161

#12
But, does security/sshguard monitor and help port 25 SMTP?
All I have found is that it works to suppress bruteforce SSH, for which I already have:

Code:
pass in log quick on $ext_if inet proto tcp from any \
        to { $ext_ip, $localnet } port (OMIT) \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/9, \
        overload <bruteforce> flush global)
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator

Thanks: 2,493
Messages: 11,095

#13
sshguard (or Fail2Ban) will not catch these, no; these attacks need to be signalled by the abused application itself, and Sendmail with the blacklistd flag set will actively signal blacklistd to tally an ongoing attack. Sendmail without authentication mechanisms will not log this as an authentication attempt.
 

fullauto2012

Active Member

Thanks: 27
Messages: 161

#14
I am setting up my very FIRST email server. So to say that most of this is over my head is an understatement. EG, although I technically have a working SMTP and POP3, I am still confused as to how this all works. For instance, I am completely confused as to how to configure SMTP authorization and what/how TLS works and why. Is there any 'cut to the chase' documentation either of you can point me to so that I am not forever embarrassing myself on this forum?

What I would like to accomplish by hosting my own email server is to become fairly proficient at installing/configuring sendmail and dovecot while understanding the different auth mechanisms and encryption. In short, I would eventually like to become as well versed at all aspects of FreeBSD hosting as you guys. And I LOVE to read technical documents (it's both a blessing and a curse).
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator

Thanks: 2,493
Messages: 11,095

#15
There is no simple shortcut for reading /usr/share/sendmail/cf/README, and testing with /etc/mail/${hostname}.mc followed by a make all install restart and a tail -f /var/log/maillog. If you want to play with authentication, you will have to use mail/sendmail or package sendmail+tls+sasl2-8.15.2_3.

TLS is mostly out of the box nowadays, unless you want domain-specific certificates. A standard install will put something like this in your .mc file:
Code:
dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
and it will pre-populate your /etc/mail/certs/ directory -- this will enable TLS without too much ado.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,691

#16
But, does security/sshguard monitor and help port 25 SMTP?
It can monitor a variety of services, not just SSH.
https://www.sshguard.net/docs/reference/attack-signatures/

sshguard (or Fail2Ban) will not catch these, no;
Not sure if sshguard will catch this specific attack but Fail2Ban can certainly be made to detect them. In this respect Fail2Ban may actually be the best choice as you can create your own detection rules and trigger on custom events.
 

fullauto2012

Active Member

Thanks: 27
Messages: 161

#17
This is going to come off as a bit juvenile, but how is the overhead on Fail2Ban? This rig is already painfully slow responding to POP3/SMTP as it is.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,691

#18
Not that much, but it's going to depend on the number and complexity of the rules. It does have a bunch of Python dependencies though.

This rig is already painfully slow responding to POP3/SMTP as it is.
That may be the result of all the scans and attempts to relay or bruteforce. Blocking those may improve the situation.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,691

#20

DutchDaemon

Administrator
Staff member
Administrator
Moderator

Thanks: 2,493
Messages: 11,095

#21
No, that's exactly the message I was referring to; it is impossible to deduce from that error message that it was in fact a failed authentication attempt against a non-authenticating Sendmail - the exact same error message is produced by e.g. a Zabbix agent that queries the host for the availability of port 25 or by a port scan for ports like 25 or 587. Triggering a block on the mere presence of "MAIL/EXPN/VRFY/ETRN" in a maillog will lead to "interesting false positives", and I've been there .. So be careful out there ..
 

Chris_H

Aspiring Daemon

Thanks: 111
Messages: 829

#22
fullauto2012 ,
I feel your pain! I've been fighting serious MX abuse for about 4 half mos, now. In that time I have accumulated ~12 million SPAM/ABUSE sources! Who knew I'd be such a popular target! :p
Anyway I swear by pf(4) as the definitive defense against NET related abuse. Not only does it turn the abusers off, it squelches all (most) of the noise in your log(s), and trims traffic; giving you more of that pipe for yourself. Anyway I'll try to give some clues to creating the necessary pf(4) stuff you'll need/want, as well as some scripting to help you automate the entire process. :)
First up; you'll want to gather the offending IP's from your maillog, without plucking them out manually in your log viewer.
Based on the log output you've posted here; the following should do it for you:
Code:
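#!/bin/sh -

# Extract the bracketed client IPv4 address that precedes "did not issue"
# (field 5 of a raw maillog line is sm-mta[PID]:, not the address),
# then sort numerically by octet and de-duplicate.
grep 'did not issue' /var/log/maillog | sed -n 's/.*\[\([0-9][0-9]*\.[0-9.]*\)\].* did not issue.*/\1/p' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq >./SPAMMERS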
I'd strongly recommend running this from the /tmp folder/directory. So you can experiment, and ensure that it's capturing the addresses properly. If all goes well. Report back, and we'll move on to the next step(s); a pf.conf(5) file, and all the related goodies. OH! I mean report back regardless. :)
Ultimately, the above script will gather all the offending IP's, and sort them in a more readable fashion, where we can ultimately add them to a TABLE for pf(4) to read, so it can deal with them in a manner you find appropriate. :D

HTH

--Chris
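An added example, not code from any poster in this thread: a variant of the IP-gathering step that takes the false-positive warning in #21 into account by counting events per source, listing only addresses that reach a threshold, and never listing private or loopback addresses (such as the 192.168.1.110 entries in the log posted in #9). The function name, the default threshold of 5 and the sample log lines (documentation-range addresses, made-up queue IDs) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source tally of sendmail "did not issue" events.
# Reads maillog lines on stdin, prints one IPv4 address per line.

# offenders [THRESHOLD] < maillog
# Prints addresses seen at least THRESHOLD times (default 5, an assumed value),
# excluding RFC 1918 and loopback sources, sorted numerically by octet.
offenders() {
    threshold="${1:-5}"
    o='[0-9]\{1,3\}'
    ip="$o\.$o\.$o\.$o"
    grep 'did not issue MAIL/EXPN/VRFY/ETRN' |
    # Take the last bracketed dotted quad before the message: that is the
    # peer address sendmail logged. The sm-mta[PID] bracket has no dots
    # and can never match.
    sed -n "s/.*\[\($ip\)\].* did not issue .*/\1/p" |
    # Drop our own networks so a LAN monitoring agent is never listed.
    grep -Ev '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' |
    sort | uniq -c |
    awk -v min="$threshold" '$1 >= min { print $2 }' |
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample input (not real log data).
sample_log() {
cat <<'EOF'
Dec 12 00:01:00 mx sm-mta[1001]: vBC0001: host-a.example [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:05:06 mx sm-mta[1002]: vBC0002: host-a.example [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:09:23 mx sm-mta[1003]: vBC0003: host-b.example [198.51.100.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:13:22 mx sm-mta[1004]: vBC0004: host-a.example [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:17:41 mx sm-mta[1005]: vBC0005: host-b.example [198.51.100.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:22:00 mx sm-mta[1006]: vBC0006: host-c.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:26:01 mx sm-mta[1007]: vBC0007: host-b.example [198.51.100.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 mx sm-mta[1008]: vBC0008: [192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 mx sm-mta[1009]: vBC0009: [192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 mx sm-mta[1010]: vBC0010: [192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:20:00 mx sm-mta[1011]: vBC0011: from=<user@host-d.example>, size=1024, nrcpts=1, relay=host-d.example [192.0.2.55]
EOF
}

# Stand-alone demonstration on the constructed sample, threshold 3.
sample_log | offenders 3
```

On a real host the function would read `/var/log/maillog` and write a file that `pfctl -t <table> -T replace -f <file>` can load. A threshold reduces, but does not remove, the chance of listing a port-availability check of the kind described in #21.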