SMTP connection from (TCP/IP connection count = 100)

jlucho · Feb 1, 2023

hi guys

i am getting this kind of activity
it is seen that it is a high consumption of emails, possibly email attack (view image)

2023-02-01 11:04:25 SMTP connection from [1.6.7.120]:6480 (TCP/IP connection count = 107)
2023-02-01 11:04:25 SMTP connection from [1.66.17.82]:14243 (TCP/IP connection count = 108)

Do you know how to stop this type of attack?
what could be happening on the server

thank

cPRex · Feb 1, 2023

Hey there! As long as a service is open to the internet, it is always at risk of being abused.

If those entries are from /var/log/maillog, do you see that they actually sent messages in corresponding timestamps in /var/log/exim_mainlog? If not, it seems like most of the connections are from 190.x.x.x and 179.x.x.x so you could consider blocking those ranges in the server's firewall.

Thread starter	Similar threads	Forum	Replies	Date
M	"SMTP connection lost after final dot" & "SSL_write: syscall: Broken pipe"	Email	7	Mar 20, 2023
3	Spamhaus said 66.85.74.242 is making SMTP connections which indicate that it is misconfigured, and causes it to appear to be a spoofing/compromised	Email	4	Jun 24, 2022
M	inbound mail : " no MAIL in SMTP connection from..." after "SMTP connection from..."	Email	4	Dec 15, 2021
	exim_mainlog says SMTP connection from (TCP/IP connection count = 1)	Email	1	Nov 28, 2015
X	SMTP connection from [IP]:34716 I=[IP]:25 (TCP/IP connection count = 2)	Email	6	Nov 21, 2005

Search

Search

SMTP connection from (TCP/IP connection count = 100)

jlucho

Well-Known Member

Attachments

cPRex

Jurassic Moderator