SMTP protocol synchronization error, many rejected connections from different IPs

miszko (New member, joined Jun 30, 2011, 1 message)
Hi,

I have a question. A few days ago I checked the rejectlog of exim (because it had a strangely big size, about 100MB) and I saw this.
Many different IPs are trying to connect via SMTP and every IP sends this as input.

I listed the top 50 rejected IPs and blocked them in the firewall.

I have a question. Does anyone have an idea what this is?
It looks like these IPs want to connect via an encrypted channel?
Any other ideas? Is it a brute force attack?

Thanks!
Michael

Code:
2013-08-25 03:32:18 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host86-136-168-91.range86-136.btcentralplus.com [86.136.168.91] input="mÍ^ä/6óŽ—(>ç=›18>ŘÖ‰Uč˛Ůň%©\034\034\031W'x»Ťl\b[Jż‰ýżƒ7 ŃfÁ/Y׬u÷*\020é\177´{Ó\rx‰BżcU\nÚcÖP* ¦Ŕm75Řžv\fŕ©Qxk¦\007A¦ÂÂ>‰˘¬\033‡O^ćƒ\004@HĆ\003ă8ňŘL\024ˇ\017AÔá˛ĺ´\032đ™şĆ˘¬bPbĺ	?Đz©\003‚,A\022T	o"
2013-08-25 03:32:37 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host-92-29-208-175.as13285.net [92.29.208.175] input="\022÷HqŮ8wţąŞ¦’\035.\004;e4fVÉ˝·un7\002￾ą"\n˛\026\005–É<É"é¬řK\007„X@&ˆ[*Br\037-b]ۆ}Řě^ś¶ó|ÁNü(޲iŹűÚŽ\005—sˆŤ;d”rUR![vO‚Ą””††°zOrDEÖˇę?XX\006Ř\032·*g\b™ą\025ĚČâ\b°"€É”óŁtm\vľL¨zŘ*Đ5öďŰu\024ĚŐ"
2013-08-25 03:32:38 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=111-241-253-205.dynamic.hinet.net [111.241.253.205] input="t\027˙n_ľwäf©¸ä\030ŕ/p3\037çmsŞápůŁ5ćŁÚ¬q§s\022r*˛[ĺ\031L×ç„7\030č®{úpâ\023ňć!E¬q•Ď¦t￾h\fu\025\001ruą±Őę(Řźs\n\v“é€\bZt´*QęŰŇťę\177ˇ™uűťuëw›<vÎż\035yŢXƒyQ‹Ďy\002˘Lď3áµz†úQxw”_đ\017†ÖôéTĽ}młů}˛¤"
2013-08-25 03:32:42 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=s0106c8be19630369.vc.shawcable.net [96.49.44.19] input="™;ÉѧC‹	\v*`*\034X_MoÎŹt\003ĺjś‹3Ŕ˝\001Ę\020â™;\006\004Mç„*(ĹOQ¤ßluŃf&˜\177Qůş&hćÝa,ë˙çŰr#tm"G&…™Ŕ\032\022F[Aó#\007¦A\016+¦‰™O#éčoź\003\006”\006Nf.Y—'Ü$+\027ý\vRŞ—\005\030@Âë\022"ĺę\021zˆ„Äţ«2\033íÍH7AńČ)č\026ƒ1ô;ĺµ"
2013-08-25 03:32:47 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[86.98.20.107] input="Š\020™‚4bĽ˘ş¤ź\030dµÄąľQ:3jXŞČĄD\026Y?wßţhpMyŢč\f\032¬*Aš-|i-ˆ*jşZK„M)‘[Đb\031¤lIJěáŔ=Ń|XgU\b±‚n˜gqR&‡ĄYľOoŰT§\b\034îyÓśu‰\021Ü	żó¤›#˜`/‘¨BµŽú*PÁ\022cŘĘFĄiř(nűř•Z￾"
2013-08-25 03:32:48 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=141-105-194-82.ipgate.co.uk [141.105.194.82] input="cţť1 –h\002Ąj‰ďş\036Z«˜†XşH\023˛ËTŚ‰.§t'ę—=\007úp"
2013-08-25 03:33:04 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[89.148.9.45] input="wűP2ŕ\ăö»Ű÷ŐŇäią<Ć•™Ôđˇ°EI*šÂč”wÖ\nČLŁ›7\030ÚR˝ŘămŠ¨őč\016]h￾.®Ôˇ*#•(\032}z9gŰ\037éĚFL„w©Ľ\004EZ¤µ\bÔ÷ů´8:‰:¦5ËÂ\016釥\025ŢjĽ)DŘ\0164şBE>ł•ČV”1éwa\033\vr"
2013-08-25 03:33:08 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=199-192-80-54.static.wiline.com [199.192.80.54] input="lD´\vŇ?Ş\035ęöď#íV2*\006$"
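The poster listed the top rejected IPs by hand before blocking them. The following is an added example, not part of the original post, of doing that triage over the rejectlog format shown above: it parses the "SMTP protocol synchronization error" lines, counts hits per IP, and does a rough split of the logged input into binary-looking payloads (high bytes and control-character escapes, as in the entries above) and plain printable text. The regex, the classification threshold and the sample lines (which use documentation IP ranges and hostnames under example.test) are all constructed for this example.

```python
import re
from collections import Counter

# Matches the Exim rejectlog format shown in the thread (constructed regex; covers
# both the "H=hostname [ip]" and the bare "H=[ip]" forms).
SYNC_ERROR_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP protocol synchronization error \((?P<reason>[^)]*)\): '
    r'rejected connection from H=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[^\]]+)\] '
    r'input="(?P<input>.*)"$'
)

# Exim writes non-printable bytes as C-style escapes (\n, \r, \NNN octal); each of
# those counts as one non-printable byte when judging the payload.
ESCAPE_RE = re.compile(r'\\(?:[0-7]{3}|[nrtvfb])')

# Constructed sample log lines for this example (not taken from the poster's server).
SAMPLE_LINES = [
    # binary-looking input, loosely modelled on a TLS record header sent to a plaintext port
    r'2013-08-25 03:32:18 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host-1.example.test [198.51.100.7] input="\026\003\001\000\232\001\000\000\226\003\003Í^ä/6óŽ"',
    r'2013-08-25 03:32:40 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host-1.example.test [198.51.100.7] input="\026\003\001\000\232\001\000\000\226\003\003Ů8wţą"',
    # printable alphabet-pattern input, like the 2014 entries later in the thread
    r'2014-11-13 05:43:49 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[203.0.113.25] input="ppqqqqqqqqrrrrrrrrssssssss"',
    # an unrelated rejectlog entry, which the parser must skip
    '2014-11-13 05:44:00 H=[203.0.113.9] F=<user@example.test> rejected RCPT <other@example.test>: relay not permitted',
]


def parse_rejectlog_line(line):
    """Return the fields of one sync-error line as a dict, or None for other lines."""
    m = SYNC_ERROR_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify_input(payload):
    """Rough triage of the logged input: 'empty', 'text' (printable ASCII) or
    'binary' (mostly high bytes and control-character escapes). The 0.9 printable
    ratio is an arbitrary threshold chosen for this example."""
    if not payload:
        return 'empty'
    escapes = len(ESCAPE_RE.findall(payload))
    stripped = ESCAPE_RE.sub('', payload)
    printable = sum(1 for c in stripped if 32 <= ord(c) < 127)
    total = len(stripped) + escapes
    return 'text' if printable / total >= 0.9 else 'binary'


def summarize(lines, top=5):
    """Count sync errors per source IP and per payload kind over an iterable of log lines."""
    per_ip = Counter()
    kinds = Counter()
    parsed = skipped = 0
    for line in lines:
        rec = parse_rejectlog_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        per_ip[rec['ip']] += 1
        kinds[classify_input(rec['input'])] += 1
    return {'parsed': parsed, 'skipped': skipped,
            'top_ips': per_ip.most_common(top), 'kinds': dict(kinds)}


def repeat_offenders(summary, min_hits=2):
    """IPs seen at least min_hits times: a shortlist for a firewall rule, rather than
    blocking every address that appeared once."""
    return [ip for ip, n in summary['top_ips'] if n >= min_hits]


if __name__ == '__main__':
    # Usage on a real file: summarize(open('/var/log/exim/rejectlog', encoding='utf-8', errors='replace'))
    s = summarize(SAMPLE_LINES)
    print(s)
    print('repeat offenders:', repeat_offenders(s))
```

On a real rejectlog, open the file with `errors='replace'` as in the usage line, because the escaped high bytes Exim writes are not guaranteed to decode cleanly; the counts per IP are what matter for deciding which sources are worth a firewall rule.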
 
I'm not sure if it's some sort of attack on exim, but I'm not sure it would accomplish anything because of this:
Code:
SMTP protocol synchronization error (input sent without waiting for greeting)
meaning, they're not speaking SMTP.
Exim won't likely do anything with any input if they don't wait for the headers... which wouldn't support the attack theory (unless there is an exim bug that works despite this check, which is less likely, but not impossible)

There is a chance it's something totally unrelated, but not too sure. The input looks somewhat binary... maybe it's openssl, on a non-openssl port (exim uses TLS on 25, which goes ssl after the non-ssl connection is already established).. again, not too sure.

You could block them from 25 in your firewall.. If any of your clients complain, ask what they're doing as it's quite abnormal.. especially if it's coming from multiple different IPs.

John
 
Not that I'm any kind of expert :) but I'm old, and I know a bit of SMTP history...

Years ago, in the days before spammers, SMTP servers were a lot more accepting of protocol errors, and spammers took advantage of this; they could send messages more quickly if they didn't wait for a reply to their initial contact.

Because of the data, this looks like an attempt to inject code, but it's obviously failing. Treat it like any other DOS attack, and block the IP#s if they don't keep changing.

My opinion :D

Jeff
 
mail delivery failed

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from localhost ([127.0.0.1] helo=[178.162.203.44])
by srv18235.iranfinex.com with esmtpa (Exim 4.76)
(envelope-from <[email protected]>)
id 1VaSFN-0008D4-Jk
for [email protected]; Sun, 27 Oct 2013 18:57:21 +0330
Received: from 199.195.128.79
(SquirrelMail authenticated user [email protected])

by 178.162.203.44 with HTTP;
Sun, 27 Oct 2013 18:57:21 +0330
Message-ID: <[email protected]>
Date: Sun, 27 Oct 2013 18:57:21 +0330
Subject: test
From: [email protected]
To: [email protected]
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

testttttttttttttttttttttttttttttttttttttttttttttt
 
After sending the email, the Web mail run into the above error, why?

 
The server tried to send the email for the maximum amount of time set in exim.conf, and couldn't. To find a specific reason you'll need to look in the exim mainlog.

This posted email probably has nothing to do with the thread.

Jeff
 
I get this error in exim logs:
2014-11-13 05:43:49 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[1.209.242.2] input="ppqqqqqqqqrrrrrrrrsssssssstttttttuuuuuuuuvvvvvvwwwwwwwwxxxxxxxxyyyyyyyyzzzzzzzz00000000111111112222222333333334444444455555555666666667777777788888888"
2014-11-13 05:43:50 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=mail.falconship.com [115.79.38.86] input="7788888899999AAAAABBBBBBCCCCCDDDDDDEEEEEEFFFFFFGGGGGHHHHHHIIIIIIJJJJJJKKKKKLLLLLLMMMMMMNNNNNNOOOOOPPPPPPQQQQQQRRRRRRSSSSSTTTTTTUUUUUUVVVVVVWWWWWXXXXXX"
2014-11-13 05:43:50 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[123.143.217.42] input="9xlMiJvVKwW8xz2rthWZOD2rRGsgH6hW7wXMxlNCmbD2cR3sSHthI7iX8xYNymOD2cR3sSHthI7iX8xYNymODocE3dS4tTIuiJ8jY9yZOzoPEpdF4eT5uUJvjK9kZAzaP0pQFqeG5fU6vVKwkLAlaB"
2014-11-13 05:43:52 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[210.217.129.5] input="IIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNNNNNNNNNNNNNNN"
2014-11-13 05:43:52 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[49.249.174.91] input="lNKdwSl4auCVo7Pi1KPh1JcvEWqvDWp8Qj2LyHZtBUZsBTm5Og05NgzIauCVatCUo6Ph16Oh0JbvDWbuDVp7Qi27Pi1KcwEXq9Rkq8Rj3Lex2LdxFYrASl4NSk4MfyHZtBUm6Oh0Jbv0IbuDVp7Qio"
2014-11-13 05:43:53 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[27.0.58.223] input="55566666677777788888999999AAAABBBBBCCCCCCDDDDDEEEEEEFFFFFGGGGGGHHHHHIIIIIIJJJJJJKKKKLLLLLMMMMMMNNNNNNOOOOOPPPPPPQQQQQRRRRRRSSSSSTTTTTTUUUUUUVVVVVWWWWW"
2014-11-13 05:43:54 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[182.253.213.62] input="llmmmmmmmmmooooooooooppppppppppqqqqqqqqqqrrrrrrrrrrssssssssssttttttttttuuuuuuuuuuuvvvvvvvvvvwwwwwwwwwwxxxxxxxxxxyyyyyyyyyyzzzzzzzzzz000000000011111111"
2014-11-13 05:43:55 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=dynamic-acs-24-239-47-36.zoominternet.net [24.239.47.36] input="0RtHf4SrGf4SrFd2QpDb0OmBZyNmBZyMk9XwKi7VuIg5UuIg5TsGe3RqEc1PoCb0OmBZyMk9XwKi7VuIg5TsGe3RqEc1PoCazNmBZyMk9XwKi7VuIg5TsGe3RqEc1PoCazNlAYxLj8WvJh3RqEc3Sr"
2014-11-13 05:43:55 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[182.253.150.177] input="NNNNNNNNOOOOOOOOOOOOOOOOOOOOOPPPPPPPPPPPPPPPPPPPPPQQQQQQQQQQQQQQQQQQQQQQRRRRRRRRRRRRRRRRRRRRRRSSSSSSSSSSSSSSSSSSSSSTTTTTTTTTTTTTTTTTTTTTTUUUUUUUUUUUUU"
2014-11-13 05:43:56 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[112.220.245.6] input="HHHHHIIIIIIIIIIIIJJJJJJJJJJJJKKKKKKKKKKKKLLLLLLLLLLMMMMMMMMMMMMMNNNNNNNNNNNNOOOOOOOOOOOPPPPPPPPPPPPPQQQQQQQQQQQQRRRRRRRRRRRSSSSSSSSSSSSSTTTTTTTTTTTTUU"
2014-11-13 05:43:57 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[113.162.128.63] input="QRRRRRSSSSSSSSTTTTTTTUUUUUUUUVVVVVVVWWWWWWWWXXXXXXXXYYYYYYZZZZZaaaaaaaabbbbbbbbcccccddddddddeeeeeeeefffffffgggggggghhhhhhhiiiiiiijjjjjjjjkk"
2014-11-13 05:43:59 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[85.105.158.101] input="ck0F0FUXm24JYbdgil1GVk0FUjl1GVk0FUjm2HWl1GVkm2HWl1GVk0FUXm2HWl1GVk0FUWl1GVk0FIXm2HWl1GIk02Ujl1TiyDSUjzETiyDSVk0FgwBQfvAPehxCRgwBQfhxCRgwBQfvAPShxCRgwB"
2014-11-13 05:43:59 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[106.248.57.51] input="z36AEHLOSWZdgkpsw037AEILPSWadhlptw037BEILPTWQTXaeilqtx148BFIMQTXaeilqtx148BFIMQTXaeilqtx148BFJMQTXbeilqux158CFJNQUXbfimqux158CGJNQUXbfimquy158CGJNQUYb"
2014-11-13 05:44:00 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=r167-56-63-17.dialup.adsl.anteldata.net.uy [167.56.63.17] input="CCDDDDDEEEEEEFFFFFGGGGGHHHHHIIIIIIJJJJJKKKKKLLLLLMMMMMMNNNNNOOOOOPPPPPQQQQQQRRRRRSSSSSTTTTTUUUUUUVVVVVWWWWWXXXXXXYYYYYZZZZZaaaaabbbbbbcccccdddddeeeeef"
2014-11-13 05:44:01 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=130.43.53.84.dsl.dyn.forthnet.gr [130.43.53.84] input="RSTTUUUUUUUVVVVVVVWWWWWWWWXXXXXXXYYYYYYYZZZZZZZZaaaaaaabbbbbbbcccccccdddddddeeeeeeeffffffffggggggghhhhhhhiiiiiiijjjjjjjkkkkkkklllllllmmmmmmmoooooopppp"
2014-11-13 05:44:04 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[116.212.188.250] input="ptw148CGKOSWZdhlptx148CGJNRVYcgkosw037BFIMQUXbfjmrvz26AEHLPTWaeilquy159DGKOSVZdhkptx048CGJNRVYcgkosw047BFJMQUYbfjorvz36AEILPTXaeimquy259DHKOSWZdhlptx1"
2014-11-13 05:44:08 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[39.113.99.117] input="BBCCCCCCCCCDDDDDDDDDDDDEEEEEEEEEEEFFFFFFFFFFFGGGGGGGGGGGGHHHHHHHHHHHIIIIIIIIIIIJJJJJJJJJJJJKKKKKKKKKKLLLLLLLLLLLLMMMMMMMMMMMNNNNNNNNNNNOOOOOOOOOOOPPPP"
2014-11-13 05:44:08 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=194.115.103.218.static.netvigator.com [218.103.115.194] input="DEEEEEEFFFFFFGGGGGGGHHHHHHIIIIIIIJJJJJJKKKKKKKLLLLLLLMMMMMMNNNNNNNOOOOOOPPPPPPPQQQQQQRRRRRRRSSSSSSSTTTTTTUUUUUUUVVVVVVWWWWWWWXXXXXXYYYYYYYZZZZZZZaaaaa"
2014-11-13 05:44:11 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host158.subnet147.comnet.net.id [202.150.147.158] input="DDDDDEEEEEEEEEEEEEFFFFFFFFFFFFFGGGGGGGGGGGGGGHHHHHHHHHHHHHIIIIIIIIIIIIIJJJJJJJJJJJJJKKKKKKKKKKKKKLLLLLLLLLLLLLMMMMMMMMMMMMMNNNNNNNNNNNNNOOOOOOOOOOOOOO"
2014-11-13 05:44:14 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=fl9-125-199-235-30.hyg.mesh.ad.jp [125.199.235.30] input="FFFFFGGGGGGGGGGGGGHHHHHHHHHHHHHIIIIIIIIIIIIIJJJJJJJJJJJJJKKKKKKKKKKKKKLLLLLLLLLLLLLMMMMMMMMMMMMNNNNNNNNNNNNNNOOOOOOOOOOOOPPPPPsssssssssstttttttttttttu"
2014-11-13 05:44:15 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=62.1.136.33.dsl.dyn.forthnet.gr [62.1.136.33] input="PPPPQQQQQQRRRRRRSSSSSSTTTTTUUUUUUVVVVVVWWWWWXXXXXXYYYYYYZZZZZZaaaaabbbbbbccccccdddddeeeeeeffffffgggggghhhhhiiiiiijjjjjjkkkkkklllllmmmmmmooooooppppppqq"
2014-11-13 05:44:19 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=122-117-53-95.hinet-ip.hinet.net [122.117.53.95] input="w159DHLPTXbfjoswz48BFJNRVZdhlquy259DHLPTXbfjosw048CFJNRVZdhlquy25AEHLPTXbfjosw048CFKORVZdhlquy26AEILPTXbfjosw048CGKORVZdhlquy26AEILQUXbfjosw048CGKOSVZ"
 
You can either ignore them, or block the "attacking" IPs in your firewall.
They're just telling you people are connecting to exim on port 25 and entering random characters.
Since they're not obeying the SMTP protocol sync rules (they must wait for the headers from exim before anything), exim is just casually dropping the connections.

John
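The sync rule John describes (the client must wait for the server's greeting before sending anything) can be shown with both sides of the exchange. The following is an added example and not Exim's code: a toy SMTP listener on localhost that applies the same check, rejecting a connection whose bytes are already waiting before the 220 greeting goes out, plus a well-behaved client and an impatient one for comparison. The pause before the greeting, the hostnames under example.test and the 554 reply text are assumptions made for this demo; they mimic the effect of the check, not Exim's internals.

```python
import select
import socket
import threading

HOST = "127.0.0.1"
GREETING = b"220 mail.example.test ESMTP demo\r\n"   # constructed hostname
REJECT = b"554 SMTP synchronization error\r\n"      # constructed reply text


def serve_one(listener, outcome, settle=0.3):
    """Accept one connection and apply the sync rule. Waiting up to 'settle'
    seconds before greeting gives an impatient client the chance to talk first,
    which is what a busy real MTA effectively does (demo assumption)."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(2)
        readable, _, _ = select.select([conn], [], [], settle)
        if readable:
            # Bytes arrived before we said anything: the peer is not following
            # SMTP. Record what it sent (as the rejectlog does) and drop it.
            early = conn.recv(256)
            conn.sendall(REJECT)
            outcome["result"] = "rejected"
            outcome["input"] = early
            return
        conn.sendall(GREETING)
        cmd = conn.recv(256)            # a proper client only talks after the 220
        conn.sendall(b"250 mail.example.test\r\n")
        outcome["result"] = "greeted"
        outcome["input"] = cmd


def client(port, talk_first):
    """A well-behaved client waits for the banner; the impatient one sends EHLO
    immediately, which is the behaviour the rejectlog entries record."""
    with socket.create_connection((HOST, port), timeout=2) as s:
        if talk_first:
            s.sendall(b"EHLO client.example.test\r\n")
            return s.recv(256)                      # expect the 554 rejection
        banner = s.recv(256)                        # wait for the 220 first
        s.sendall(b"EHLO client.example.test\r\n")
        return banner + s.recv(256)


def run_demo(talk_first):
    """Run one server/client exchange on an ephemeral loopback port and return
    what the server decided and what the client saw."""
    outcome = {}
    with socket.socket() as listener:
        listener.bind((HOST, 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve_one, args=(listener, outcome))
        t.start()
        reply = client(port, talk_first)
        t.join()
    outcome["client_saw"] = reply
    return outcome


if __name__ == "__main__":
    print("impatient client:", run_demo(talk_first=True))
    print("polite client:   ", run_demo(talk_first=False))
```

The rejected case never reaches a single SMTP command, which is why the entries are harmless noise for the MTA itself: whatever the peer sent is logged and the socket is closed before any of it is interpreted.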
 