SMTP Spam attack detected
  •  
peshay

Hello,
does anyone know what this means in my logfile?

SMTP Spam attack detected from "my isp", client closed connection before SMTP greeting

I read about SMTP Proxy attack detected, but what exactly happened when it says SMTP Spam attack detected? I couldn't find anything about it. Especially weird because it comes from my ISP.
  •  
Pavel Dobry (Kerio)

This is the output from the SpamRepellent module: http://www.kerio.com/manual/kms/en/ch17s05.html

It means that the sending server closed the connection before the SMTP greeting from KMS. This is a violation of the RFC.
  •  
peshay

Could it be that this error occurs because our ISP has a relay cluster with 6 different IP addresses? And Kerio doesn't trust it because the IP always changes?

They said that I perhaps should take a look in the mailserver.cfg and change this:
<table name="Http">
<variable name="SessionExpireTimeout">3600</variable>
<variable name="MaxPostSize">20</variable>
<variable name="CheckSessionClientIp">1</variable>

CheckSessionClientIp to 0 instead of 1?
But I couldn't find the mailserver.cfg yet.

[edit]
Okay, of course I cannot find the mailserver.cfg if I am looking on the wrong server ^-^
Do I have to restart Kerio after changing the mailserver.cfg?

[Updated on: Wed, 05 April 2006 12:01]

  •  
Pavel Dobry (Kerio)

No, this setting has absolutely no relation to SMTP.
The problem is that your ISP terminates the TCP connection in the SMTP session unexpectedly (before KMS sends any data).

Please do not change these settings!

[Updated on: Wed, 05 April 2006 12:04]
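
A pre-greeting check of the kind discussed in this thread, as an added example that is not Kerio's code and not part of any post: the server holds back its 220 greeting for a short delay and classifies what the client does in the meantime. The function names, the delay value and the greeting hostname are assumptions, and a local socket pair stands in for a real TCP connection so the block runs offline.

```python
import select
import socket

GREETING = b"220 mail.example.test ESMTP\r\n"  # constructed hostname


def pregreet_check(conn, delay=2.0):
    """Hold the 220 greeting for `delay` seconds and classify the client.

    Returns "ok", "closed before greeting" or "sent data before greeting".
    """
    # A client that follows the protocol stays silent until it sees the 220 line,
    # so the socket should not become readable during the delay.
    readable, _, _ = select.select([conn], [], [], delay)
    if not readable:
        conn.sendall(GREETING)
        return "ok"
    try:
        early = conn.recv(512)
    except ConnectionResetError:
        early = b""
    if early == b"":
        # EOF: the peer hung up first (a port monitor behaves like this too).
        return "closed before greeting"
    return "sent data before greeting"


def simulate(client_action, delay=0.2):
    """Run one constructed client behaviour against the check."""
    server, client = socket.socketpair()
    try:
        client_action(client)
        return pregreet_check(server, delay)
    finally:
        server.close()
        client.close()


def waits_for_greeting(c):
    pass  # sends nothing until the server speaks


def early_talker(c):
    c.sendall(b"EHLO client.example.test\r\n")  # constructed command line


def connect_and_drop(c):
    c.close()


if __name__ == "__main__":
    for action in (waits_for_greeting, early_talker, connect_and_drop):
        print(f"{action.__name__}: {simulate(action)}")
```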

  •  
Achromatic

Are you sure it's their mail servers? I have a dedicated host with a hosting company, and they have a monitoring server which periodically connects to my SMTP port, disconnecting immediately and generating these reports.
  •  
sanek

Hello from Russia!
I have a question.
My mail server attacks spammers from non-existent domains. There are many strings in the server security log:

SMTP Spam attack detected from zg-0724b-91.stretchoid.com, client sent data before SMTP greeting
SMTP Spam attack detected from agent.tnt-notification.us, client sent data before SMTP greeting

Can I get the IP addresses of these hosts? In the Whois database, these domains do not appear. The message "Domain Not Found" is displayed.
  •  
Brian (GFI/Kerio)

In the advanced options, disable the option to log hostnames of incoming connections.

Brian Carmichael
Instructional Content Architect
  •  
sanek

Thank you very much, Brian!