Distributed authenticated smtp scanning / 2019-03-22

I noticed a lot of entries in my mail logs about aborted SMTP transactions:
Mar 22 21:04:04 gosper sm-mta[30180]: x2MK437r030180: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:04:58 gosper sm-mta[30229]: x2MK4vv0030229: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:05:25 gosper sm-mta[30307]: x2MK5Oas030307: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:06:01 gosper sm-mta[30328]: x2MK5xAc030328: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:06:02 gosper sm-mta[30331]: x2MK5xg5030331: [185.222.209.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6
I wondered what was going on, until I captured one of the sessions and had a look:
    1   0.000000 185.234.217.222 → 82.95.196.202 TCP 68 55448 → 25 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000314 82.95.196.202 → 185.234.217.222 TCP 68 25 → 55448 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
    3   0.034751 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [ACK] Seq=1 Ack=1 Win=65536 Len=0
    4   6.038967 82.95.196.202 → 185.234.217.222 SMTP 395 S: 220-gosper.idefix.net ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Fri, 22 Mar 2019 21:00:55 +0100; (No UCE/UBE) | 220-   This is a private SMTP server. | 220-   The use of this or any related system for the transmission of | 220-   Unsollicited Bulk E-mail (UBE) is prohibited. | 220 logging access from: [185.234.217.222](FAIL)-[185.234.217.222]
    5   6.072501 185.234.217.222 → 82.95.196.202 SMTP 76 C: EHLO 82.95.196.202
    6   6.072915 82.95.196.202 → 185.234.217.222 TCP 56 25 → 55448 [ACK] Seq=340 Ack=21 Win=29312 Len=0
    7   6.073011 82.95.196.202 → 185.234.217.222 SMTP 267 S: 250-gosper.idefix.net Hello [185.234.217.222], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-EXPN | 250-VERB | 250-8BITMIME | 250-SIZE | 250-DSN | 250-ETRN | 250-STARTTLS | 250-DELIVERBY | 250 HELP
    8   6.106154 185.234.217.222 → 82.95.196.202 SMTP 68 C: AUTH LOGIN
    9   6.106585 82.95.196.202 → 185.234.217.222 SMTP 86 S: 503 5.3.3 AUTH not available
   10   6.141445 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [FIN, ACK] Seq=33 Ack=581 Win=65024 Len=0
   11   6.141775 82.95.196.202 → 185.234.217.222 TCP 56 25 → 55448 [FIN, ACK] Seq=581 Ack=34 Win=29312 Len=0
   12   6.174430 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [ACK] Seq=34 Ack=582 Win=65024 Len=0
Each session starts with EHLO (ESMTP), and even though the EHLO reply does not list AUTH, the next command is 'AUTH LOGIN' for authenticated SMTP. As soon as my server answers that AUTH is not available, the client aborts the session. This means no failed authentication attempt is logged, so nothing triggers fail2ban.

This does look a bit like a distributed attack, but one where the network does not remember that the attack is not going to work this way, and therefore tries it again and again.
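Because the client hangs up before ever sending credentials, the only trace of each probe is the 'did not issue MAIL/EXPN/VRFY/ETRN' line, so a ban rule has to key on that line rather than on an authentication failure. The following Python is an added example, not part of the original post and not fail2ban's own code: it parses such sendmail log lines, keeps a sliding time window per client address, and flags addresses that produce maxretry aborted sessions within findtime seconds (the parameter names are borrowed from fail2ban, the default values are my assumptions). The sample input reuses the five log lines quoted above plus one constructed unrelated line; a real run would read /var/log/mail.log instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# The sendmail line produced when a client connects and disconnects without
# a MAIL/EXPN/VRFY/ETRN command, in the format shown in the post.
ABORTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] did not issue MAIL/EXPN/VRFY/ETRN "
    r"during connection to (?P<daemon>\S+)$"
)

# Sample input: the five lines from the post, plus one constructed
# delivery line that must be ignored by the parser.
SAMPLE_LOG = [
    "Mar 22 21:04:04 gosper sm-mta[30180]: x2MK437r030180: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6",
    "Mar 22 21:04:30 gosper sm-mta[30200]: x2MK4Uab030200: from=<koos@idefix.net>, size=512",  # constructed
    "Mar 22 21:04:58 gosper sm-mta[30229]: x2MK4vv0030229: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6",
    "Mar 22 21:05:25 gosper sm-mta[30307]: x2MK5Oas030307: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6",
    "Mar 22 21:06:01 gosper sm-mta[30328]: x2MK5xAc030328: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6",
    "Mar 22 21:06:02 gosper sm-mta[30331]: x2MK5xg5030331: [185.222.209.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6",
]


def parse_aborted(line, year=2019):
    """Return (timestamp, client_ip, daemon) for an aborted-session line, else None.

    Syslog timestamps carry no year, so the year is supplied by the caller
    (2019 assumed for the sample, matching the post).
    """
    m = ABORTED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("daemon")


def offenders(lines, maxretry=2, findtime=600):
    """Return {ip: time_first_flagged} for clients with >= maxretry aborted
    sessions inside a window of findtime seconds.

    The window is per client address and slides forward with each event,
    so a slow scanner spreading probes over more than findtime seconds is
    not flagged; lower findtime or raise maxretry to tune that.
    """
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_aborted(line)
        if parsed is None:
            continue
        ts, ip, _daemon = parsed
        window = recent[ip]
        window.append(ts)
        # Evict events older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip} flagged at {when:%H:%M:%S}")
```

With the defaults, 193.169.254.68 and 185.234.217.222 are flagged (two aborted sessions each within ten minutes) while 185.222.209.209 is not. The same match can be expressed as a fail2ban failregex on the 'did not issue' line using its <HOST> placeholder, which is the route to take if you want the ban to be automatic.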

Update: IPs active in this scanning attack so far: 185.234.217.222 193.169.254.68 185.234.219.56 37.49.225.232 185.222.209.202 141.98.80.15 114.207.112.188 185.222.209.209 23.227.207.215 185.211.245.170 141.98.80.17 89.248.171.176 185.211.245.198 164.132.45.117 37.49.225.224 119.176.218.216 103.114.104.175 37.49.225.47 103.207.37.40 37.49.227.49 185.234.219.57

Update 2019-03-24: I noticed the incorrect EHLO above and looked at options for HELO/EHLO checking in sendmail. Searching did not show a lot of options, and trying with the $&s delayed macro did not fire on the given HELO/EHLO. So I kept searching and found FEATURE(block_bad_helo) in the latest sendmail administration guide ('Bat book'). I activated this feature to see if it stops some of this traffic.
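In the capture above the client sent 'EHLO 82.95.196.202', which is the receiving server's own address and, on top of that, a bare IP without the brackets RFC 5321 requires for an address literal. Both are things a HELO/EHLO check can reject. The Python below is an added illustration of such a check and is not sendmail's implementation of FEATURE(block_bad_helo), whose exact rules this post does not describe; the local hostnames and IP in LOCAL_NAMES and LOCAL_IPS are assumptions based on the capture (the server's IPv6 address is not given, so it is left out).

```python
import ipaddress
import re

# Assumed identities of the receiving MTA, taken from the capture in the post.
LOCAL_NAMES = {"gosper.idefix.net"}
LOCAL_IPS = {ipaddress.ip_address("82.95.196.202")}

# A fully qualified hostname: at least one dot, labels of 1-63 characters,
# no leading/trailing hyphen, total length at most 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9-]{2,63}$"
)


def parse_literal(arg):
    """Return the address of an RFC 5321 bracketed literal such as
    '[203.0.113.5]' or '[IPv6:2001:db8::1]', or None if arg is not one."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    if inner.startswith("IPv6:"):
        inner = inner[5:]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def check_helo(arg, local_names=LOCAL_NAMES, local_ips=LOCAL_IPS):
    """Return None if the HELO/EHLO argument is acceptable, otherwise a
    short reason for rejecting it."""
    arg = arg.strip()
    if not arg:
        return "empty HELO/EHLO argument"

    # A bare IP address (no brackets) is not valid HELO syntax, and if it is
    # our own address the client is plainly lying about who it is.
    try:
        bare = ipaddress.ip_address(arg)
    except ValueError:
        bare = None
    if bare is not None:
        if bare in local_ips:
            return "claims this server's own IP address"
        return "IP address literal must be enclosed in brackets"

    # Properly bracketed literal: accept unless it is our own address.
    lit = parse_literal(arg)
    if lit is not None:
        if lit in local_ips:
            return "claims this server's own IP address"
        return None

    # A hostname: reject our own names and anything not fully qualified.
    if arg.lower() in {n.lower() for n in local_names}:
        return "claims this server's own hostname"
    if not HOSTNAME_RE.match(arg):
        return "not a fully qualified domain name"
    return None


if __name__ == "__main__":
    for candidate in ("82.95.196.202", "[82.95.196.202]", "185.234.217.222",
                      "[185.234.217.222]", "gosper.idefix.net",
                      "mail.example.org", "localhost"):
        print(f"EHLO {candidate!r}: {check_helo(candidate) or 'accepted'}")
```

Such a check only filters clients that are careless about their EHLO argument; a scanner that sends a plausible foreign hostname passes it, so it complements rather than replaces logging of the aborted sessions.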


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.