Mailing List Archive

why so many synchronisation failures?
I am seeing a large number of synchronisation errors in incoming mail
eg
rejected connection from H=[198.53.60.171] input="QUIT\r\n"

The IP address varies but the QUIT\r\n is the commonest version, and
overwhelmingly from places with no reverse DNS.
I am sure this is unwanted stuff, but what are the malefactors trying
to achieve?


=John ffitch

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: why so many synchronisation failures?
On 30/04/18 12:51, John via Exim-users wrote:
> I am seeing a large number of synchronisation errors in incoming mail
> eg
> rejected connection from H=[198.53.60.171] input="QUIT\r\n"

At a guess you are delaying before sending a banner on connect.
They're giving up, and being kind enough to tell you so.

> The IP address varies but the QUIT\r\n is the commonest version, and
> overwhelmingly from places with no reverse DNS.

So, botnet.

> I am sure this is unwanted stuff, but what are the malefactors trying
> to achieve?

A working SMTP connection, though who knows what this particular one
goes on to do.

If you care you could add +smtp_no_mail +millisec to your log_selector
to see how long they wait before giving up (assuming recent Exim
version).
--
Cheers,
Jeremy

Re: why so many synchronisation failures?
On 30.04.2018 at 13:51, John via Exim-users wrote:
> I am seeing a large number of synchronisation errors in incoming mail
> eg
> rejected connection from H=[198.53.60.171] input="QUIT\r\n"
>
> The IP address varies but the QUIT\r\n is the commonest version, and
> overwhelmingly from places with no reverse DNS.
> I am sure this is unwanted stuff, but what are the malefactors trying
> to achieve?
>
>
> =John ffitch
>
That comes from very poorly written Fire-And-Forget-SPAMscripts.

They are sending the commands by a script and don't react to responses,
like a real mailserver would do.
So they miss the point when your exim tells them that they did
something wrong. They keep sending the command at position n+1 as if
nothing wrong had happened.

Make a script, filter those lines, make a firewall entry and block them
for 48 hours.

best regards,
Marius

Re: why so many synchronisation failures?
On 30.04.18 at 14:21, Cyborg via Exim-users wrote:

> Make a script, filter those lines, make a firewall entry and block them
> for 48 hours.

That's what fail2ban was invented for. This line should even work right
out of the box, IIRC.
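
A sketch of the filter-and-block approach discussed in the replies above, added here as an example and not code from any poster, from Exim or from fail2ban: it counts these rejections per address in the Exim main log and prints nftables commands with a 48-hour timeout. The log prefix wording, the sample lines, the threshold, and the `inet filter` table and `smtp_block4`/`smtp_block6` set names are assumptions; the sets must already exist with the timeout flag.

```python
import ipaddress
import re
from collections import Counter

# Matches the rejection quoted in the thread; the text before "rejected"
# is assumed to be Exim's usual main-log wording for this error.
SYNC_RE = re.compile(
    r"SMTP protocol synchronization error .*?"
    r"rejected connection from H=\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

def sync_offenders(lines, threshold=3):
    """Return {ip: count} for hosts with at least `threshold` sync errors."""
    hits = Counter()
    for line in lines:
        m = SYNC_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # never pass unvalidated log text on to a firewall command
        hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def nft_commands(offenders, timeout="48h"):
    """Render one timed nftables set element per offender (set names assumed)."""
    cmds = []
    for ip in sorted(offenders, key=lambda a: (a.version, int(a))):
        set_name = "smtp_block4" if ip.version == 4 else "smtp_block6"
        cmds.append(f"nft add element inet filter {set_name} {{ {ip} timeout {timeout} }}")
    return cmds

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    r'2018-04-30 12:51:03 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="QUIT\r\n"',
    r'2018-04-30 12:51:09 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="QUIT\r\n"',
    r'2018-04-30 12:52:14 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="EHLO x\r\n"',
    r'2018-04-30 12:53:30 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="QUIT\r\n"',
    r'2018-04-30 12:54:01 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[2001:db8::25] input="QUIT\r\n"',
    r'2018-04-30 12:54:40 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[2001:db8::25] input="QUIT\r\n"',
    r'2018-04-30 12:55:02 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[2001:db8::25] input="QUIT\r\n"',
    r'2018-04-30 12:55:10 1fD7aB-0001Xy-2k Completed',
]

if __name__ == "__main__":
    for cmd in nft_commands(sync_offenders(SAMPLE_LOG)):
        print(cmd)
```

The threshold keeps a single stray rejection from triggering a block, and the per-element timeout lets the kernel expire entries without a cleanup job.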