Mailing List CGatePro@mail.stalker.com Message #106220
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: Re: Pre-prompt data: dropped
Date: Sun, 16 Oct 2016 19:36:35 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (1.9.5r5263)
On 15 Oct 2016, at 4:54, Gib Henry wrote:

> Is anyone else seeing a tsunami of these?
>
> 00:57:04.366 1 SMTPI-000228([180.222.157.66]:23988) dropping: got pre-prompt data:
>
> I’ve seen these occasionally before, but now I’m getting dozens a day. They’re coming from all over the place, lots of different IP addresses, some of which repeat 2-5 times a day. I suppose they’re harmless, but…?

A tsunami of DOZENS per day? Heaven forfend!

Here are the monthly counts of pre-greeting hits from a tiny personal server. It's running Postfix, not CGP, but the feature is similar and Postfix is only waiting 6 seconds:

Aug 2014: 16405
Sep 2014: 38327
Oct 2014: 24047
Nov 2014: 64949
Dec 2014: 36515
Jan 2015: 29798
Feb 2015: 57430
Mar 2015: 109272
Apr 2015: 66531
May 2015: 44836
Jun 2015: 4006
Jul 2015: 3511
Aug 2015: 4786
Sep 2015: 4607
Oct 2015: 3703
Nov 2015: 4576
Dec 2015: 5026
Jan 2016: 4404
Feb 2016: 5355
Mar 2016: 6539
Apr 2016: 4516
May 2016: 20429
Jun 2016: 3318
Jul 2016: 3314
Aug 2016: 5160
Sep 2016: 2957
Oct 2016: 1438

So, what happened in Spring of 2015? In April I started to add offending IPs to the local (ipfw) firewall by hand in weekly then daily batches. In June I created an automated log-watcher akin to fail2ban but just to block SMTP fast-talkers on first offense. Unfortunately that takes about a second to act, so the numbers since aren't ~100 new offenders daily but rather ~10 daily, each getting many sessions up in the time it takes for the first one to trigger the firewall rule. The spike this May was a system crash where I took ~12 hours to rebuild the full firewall ruleset.

And yes, such connections are ALWAYS botspam. No legitimate sender starts sending data before getting a greeting banner because for a dozen years it has broadly not worked to do so (ever since a few months after Sendmail introduced a GreetPause option). Machines doing this are owned by malware & are spreading malware. Offer no quarter...
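A minimal version of the first-offence log watcher Bill describes, written as an added example and not the poster's own tool: it recognises the CommuniGate Pro pre-prompt line quoted above (the pattern is inferred from that single line), hands each new IP to a block hook the first time it is seen, and keeps counting the later sessions that sneak in before the firewall rule lands. The log lines and addresses below are constructed (RFC 5737 documentation ranges); the `block_hook` is a placeholder for whatever firewall command you actually use.

```python
import re
from collections import Counter

# Shape of the CGP log line quoted in the thread:
# "00:57:04.366 1 SMTPI-000228([180.222.157.66]:23988) dropping: got pre-prompt data:"
PRE_PROMPT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\d+\s+SMTPI-\d+"
    r"\(\[(?P<ip>[^\]]+)\]:\d+\)\s+dropping: got pre-prompt data:"
)

# Constructed sample log: one repeat offender, one single hit, one unrelated line.
SAMPLE_LOG = """\
00:57:04.366 1 SMTPI-000228([192.0.2.10]:23988) dropping: got pre-prompt data:
00:57:05.120 1 SMTPI-000229([192.0.2.10]:23991) dropping: got pre-prompt data:
00:58:11.004 1 SMTPI-000230([198.51.100.7]:40112) dropping: got pre-prompt data:
00:58:12.500 1 SMTPI-000231([203.0.113.5]:4444) some other event (constructed)
00:59:00.001 1 SMTPI-000232([192.0.2.10]:23999) dropping: got pre-prompt data:
"""


def parse_pre_prompt(line):
    """Return the remote IP if the line is a pre-prompt drop, else None."""
    m = PRE_PROMPT_RE.match(line)
    return m.group("ip") if m else None


def scan(lines, block_hook=None):
    """Block every fast-talker on first offence, as Bill's watcher does.

    Returns (block_order, hits): the IPs in the order they were handed to
    block_hook, and the total pre-prompt drops seen per IP. Drops after the
    first one are the sessions that got in before the firewall rule applied.
    """
    hits = Counter()
    block_order = []
    for line in lines:
        ip = parse_pre_prompt(line)
        if ip is None:
            continue  # ordinary SMTPI traffic, not a pre-greeting talker
        hits[ip] += 1
        if hits[ip] == 1:
            block_order.append(ip)
            if block_hook is not None:
                block_hook(ip)  # placeholder: e.g. add an ipfw/pf deny rule
    return block_order, dict(hits)


if __name__ == "__main__":
    order, counts = scan(SAMPLE_LOG.splitlines(), block_hook=lambda ip: print("block", ip))
    print(order, counts)
```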