Postscreen as a "tar pit"
J. Fahrner
jf at fahrner.name
Sun Mar 6 21:37:01 CET 2016
Hello,
is it possible to configure postscreen so that, before it disconnects, it keeps
the connection open for a while in order to tie up the attacker for a while?
Background: I am currently seeing the following attempts to dump spam in my log:
Mar 6 12:20:23 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62525 to [78.47.47.89]:25
Mar 6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\r\n
Mar 6 12:20:24 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62525
Mar 6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62525 in tests after SMTP handshake
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62525
Mar 6 12:20:24 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62604 to [78.47.47.89]:25
Mar 6 12:20:24 s3 postfix/dnsblog[13901]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:24 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62604: EHLO ylmf-pc\r\n
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62604
Mar 6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62604 in tests after SMTP handshake
Mar 6 12:20:24 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62604
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62618 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62618: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62618
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62618 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62618
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62631 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62631: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62631
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62631 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62631
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62642 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62642: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62642
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62642 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62642
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62649 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62649: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62649
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62649 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62649
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62665 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62665: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62665
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62665 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62665
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62680 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62680: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62680
Mar 6 12:20:25 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62680 in tests after SMTP handshake
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62680
Mar 6 12:20:25 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62692 to [78.47.47.89]:25
Mar 6 12:20:25 s3 postfix/dnsblog[13899]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62692: EHLO ylmf-pc\r\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: DNSBL rank 2 for [109.160.96.102]:62692
Mar 6 12:20:26 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62692 in tests after SMTP handshake
Mar 6 12:20:26 s3 postfix/postscreen[13898]: DISCONNECT [109.160.96.102]:62692
Before my fail2ban had a chance to block the IP, the spammer had already
made quite a few retries. I would like to delay that a little. No spammer
should get more than 3 attempts. ;-)
Regards
Jochen
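An added example, not from the post and not Postfix or fail2ban code, of the detection side of what Jochen describes: parsing postscreen lines in the format shown above and flagging a client that PREGREETs more than three times inside a sliding window, as a fail2ban-style filter would. The sample lines are constructed from that format, the second client address (198.51.100.7) is made up, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Postscreen events seen in the post; the client is the first [a.b.c.d]:port after the keyword.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|PREGREET|HANGUP|DISCONNECT|DNSBL rank \d+)\b.*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+"
)

def parse_event(line, year=2016):
    """(timestamp, event keyword, client ip) for a postscreen line, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # no year in syslog; 2016 assumed
    return ts, m["event"].split()[0], m["ip"]

def repeat_offenders(log_text, max_attempts=3, window_seconds=60):
    """Map ip -> count for clients that PREGREET more than max_attempts times inside a sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None or parsed[1] != "PREGREET":
            continue  # dnsblog lines and CONNECT/HANGUP/DISCONNECT are not counted as attempts
        ts, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > max_attempts and ip not in flagged:
            flagged[ip] = len(q)
    return flagged

# Constructed sample: four PREGREETs from the post's client, one from a made-up client, one dnsblog line to skip.
SAMPLE_LOG = """\
Mar 6 12:20:23 s3 postfix/postscreen[13898]: CONNECT from [109.160.96.102]:62525 to [78.47.47.89]:25
Mar 6 12:20:23 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62525: EHLO ylmf-pc\\r\\n
Mar 6 12:20:24 s3 postfix/dnsblog[13900]: addr 109.160.96.102 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 6 12:20:24 s3 postfix/postscreen[13898]: HANGUP after 0.08 from [109.160.96.102]:62525 in tests after SMTP handshake
Mar 6 12:20:24 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62604: EHLO ylmf-pc\\r\\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62618: EHLO ylmf-pc\\r\\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [198.51.100.7]:40001: EHLO mx.example\\r\\n
Mar 6 12:20:25 s3 postfix/postscreen[13898]: PREGREET 14 after 0.04 from [109.160.96.102]:62631: EHLO ylmf-pc\\r\\n
"""

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_LOG))  # {'109.160.96.102': 4}
```

With the post's own log, the same client would already be flagged at its fourth PREGREET, about two seconds after the first CONNECT; that is the latency a log-driven blocker has to live with before any tarpitting in postscreen itself.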