Re: large amounts of disconnects
From: Tony Earnshaw (tonni at hetnet.nl)
Date: Mon Jan 01 2007 - 08:28:43 CST
Len Conrad wrote:
>> In last 2 weeks i am noticing enormous amounts of strange connections
>> to mail server from all over the world. An example from logs:
>
> "lost connection after" is perfectly normal for us. eg, for Sunday:
>
> mx1# zegrep ": lost connection after " /var/log/maillog.[0].gz | awk '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
> 394391 RCPT
> 129629 EHLO
> 68807 CONNECT
> 2599 HELO
> 1820 DATA
> 1687 MAIL
> 519 RSET
> 102 NOOP
> 24 UNKNOWN
> 1 VRFY
> 1 QUIT
>
> and for a weekday last week:
>
> mx1# zegrep ": lost connection after " /var/log/maillog.[5].gz | awk '{print $9}' | sort -f | uniq -ic | sort -rfgn | less
> 818589 RCPT
> 114880 CONNECT
> 100362 EHLO
> 2783 DATA
> 2195 HELO
> 2182 MAIL
> 522 RSET
> 159 NOOP
> 23 UNKNOWN
> 2 VRFY
> 1 QUIT
>
> and for the 5.gz day:
>
> mx1# zegrep -ic ": connect from" /var/log/maillog.[5].gz
> 2906441
>
> mx1# zegrep -ic ": disconnect from" /var/log/maillog.[5].gz
> 2899136

In fact, OP's transaction specifically showed the MTA objecting to the
client issuing a HELO without data, after which OP's server (quite
rightly) gave a syntax error after the client went on to give a MAIL FROM:

The bot software was left in confusion and borked.

It isn't so much a "lost connection" problem as a specific b0rked bot
HELO problem.
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet.nl
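
Added example, not part of the original post: the per-stage tally from the quoted commands, extended with a per-client breakdown so that a few misbehaving clients can be told apart from background noise. It assumes Postfix smtpd syslog lines that end in `host[ip]`; the function names are hypothetical and the sample log lines are constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample lines in Postfix smtpd syslog format (not real traffic).
sample_log() {
cat <<'EOF'
Jan  1 08:00:01 mx1 postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan  1 08:00:02 mx1 postfix/smtpd[2101]: lost connection after RCPT from unknown[192.0.2.10]
Jan  1 08:00:02 mx1 postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Jan  1 08:00:05 mx1 postfix/smtpd[2102]: connect from unknown[192.0.2.10]
Jan  1 08:00:06 mx1 postfix/smtpd[2102]: lost connection after RCPT from unknown[192.0.2.10]
Jan  1 08:00:06 mx1 postfix/smtpd[2102]: disconnect from unknown[192.0.2.10]
Jan  1 08:00:09 mx1 postfix/smtpd[2103]: connect from mail.example.org[198.51.100.7]
Jan  1 08:00:11 mx1 postfix/smtpd[2103]: disconnect from mail.example.org[198.51.100.7]
Jan  1 08:00:12 mx1 postfix/smtpd[2104]: connect from unknown[203.0.113.5]
Jan  1 08:00:13 mx1 postfix/smtpd[2104]: lost connection after HELO from unknown[203.0.113.5]
Jan  1 08:00:13 mx1 postfix/smtpd[2104]: disconnect from unknown[203.0.113.5]
EOF
}

# Count lost connections per SMTP stage. The stage is taken from the message
# text rather than a fixed field number, so a different syslog prefix does
# not shift the column. Output: "<count> <stage>", highest count first.
lost_by_stage() {
  awk 'match($0, /: lost connection after [A-Z]+/) {
         split(substr($0, RSTART, RLENGTH), f, " ")
         n[f[5]]++
       }
       END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Per client IP: lost connections and total connects.
# Output: "<lost> <connects> <ip>", most lost connections first.
lost_by_client() {
  awk 'function client_ip(tok,   i) {   # "host[ip]" -> "ip"
         i = index(tok, "[")
         return substr(tok, i + 1, length(tok) - i - 1)
       }
       /: connect from /          { ip = client_ip($NF); conn[ip]++; seen[ip] = 1 }
       /: lost connection after / { ip = client_ip($NF); lost[ip]++; seen[ip] = 1 }
       END { for (ip in seen) print lost[ip] + 0, conn[ip] + 0, ip }' |
    sort -k1,1nr -k3,3
}

echo "lost connections by stage:";  sample_log | lost_by_stage
echo "lost / connects per client:"; sample_log | lost_by_client
```

Against a rotated log, replace `sample_log` with `zcat /var/log/maillog.0.gz` or the equivalent for the local log path.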