HELP: unexpected disconnection while reading SMTP command from

cristian

Hello
For over 2 days I'm getting some type of attack, every second 2 - 5 connections from different IPs. No password and username, only a connection.

Unexpected disconnection while reading SMTP command from

Does anyone else have this problem? I have 2 servers attacked.

I made a script and extracted the IPs and blocked them, but there are too many; in a few minutes over 1000 IPs are collected.
I modified from 150 to smtp_accept_max=2500; the clients can send emails but with errors and slow connections.

Does anyone know what I can do? How can I stop this?



Log: this is what I get for over 2 days non stop

2021-05-05 12:59:49 unexpected disconnection while reading SMTP command from ([39.45.138.213]) [39.45.138.213] (error: Connection reset by peer) D=16s
2021-05-05 12:59:49 unexpected disconnection while reading SMTP command from (103-120-201-254.Habiganj.Sylhet.carnival.com.bd) [103.120.201.254] (error: Connection reset by peer) D=10s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from 131.206.196.77.rev.sfr.net [77.196.206.131] (error: Connection reset by peer) D=36s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from ([223.182.218.41]) [223.182.218.41] (error: Connection reset by peer) D=24s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from (223.59.83.202.asianet.co.in) [202.83.59.223] (error: Connection reset by peer) D=16s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from (rain-197-185-118-5.rain.network) [197.185.118.5] (error: Connection reset by peer) D=0s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from ([202.128.19.130]) [202.128.19.130] (error: Connection reset by peer) D=32s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from ([197.210.29.232]) [197.210.29.232] (error: Connection reset by peer) D=33s
2021-05-05 12:59:51 unexpected disconnection while reading SMTP command from 77-171-95-47.fixed.kpn.net [77.171.95.47] (error: Connection reset by peer) D=5s
2021-05-05 12:59:51 unexpected disconnection while reading SMTP command from 93-77-193-107.zap.volia.net [93.77.193.107] (error: Connection reset by peer) D=28s
2021-05-05 12:59:51 unexpected disconnection while reading SMTP command from ([171.248.26.51]) [171.248.26.51] (error: Connection reset by peer) D=19s
2021-05-05 12:59:51 unexpected disconnection while reading SMTP command from 146-241-160-210.dyn.eolo.it [146.241.160.210] (error: Connection reset by peer) D=0s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from 177.14.103.87.rev.vodafone.pt [87.103.14.177] (error: Connection reset by peer) D=22s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from 88-104-218-181.dynamic.dsl.as9105.com [88.104.218.181] (error: Connection reset by peer) D=9s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from ([176.105.40.172]) [176.105.40.172] (error: Connection reset by peer) D=14s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from ppp-94-66-221-215.home.otenet.gr [94.66.221.215] (error: Connection reset by peer) D=9s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from static-host119-73-115-112.link.net.pk [119.73.115.112] (error: Connection reset by peer) D=36s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from ([196.121.135.93]) [196.121.135.93] (error: Connection reset by peer) D=24s
2021-05-05 12:59:53 unexpected disconnection while reading SMTP command from (5e0d9b54.bb.sky.com) [94.13.155.84] (error: Connection reset by peer) D=12s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from cpe-92-37-9-64.dynamic.amis.net [92.37.9.64] (error: Connection reset by peer) D=19s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from 188-230-42-33.lvv.volia.net (ip.188.230.42.33.volia.net) [188.230.42.33] (error: Connection reset by peer) D=5s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from (ctel-92-53-44-42.cabletel.com.mk) [92.53.44.42] (error: Connection reset by peer) D=5s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from (42-107-137-48.live.vodafone.in) [42.107.137.48] (error: Connection reset by peer) D=2s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from (178.91.174.102.megaline.telecom.kz) [178.91.174.102] (error: Connection reset by peer) D=2s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from 102-65-85-157.ftth.web.africa [102.65.85.157] (error: Connection reset by peer) D=20s
2021-05-05 12:59:55 unexpected disconnection while reading SMTP command from (IN-84-15-183-101.bitemobile.lt) [213.252.243.13] (error: Connection reset by peer) D=36s
2021-05-05 12:59:55 unexpected disconnection while reading SMTP command from bl20-194-112.dsl.telepac.pt [2.81.194.112] (error: Connection reset by peer) D=0s
2021-05-05 12:59:56 unexpected disconnection while reading SMTP command from (nsg-static-234.176.75.182-airtel.com) [182.75.176.234] (error: Connection reset by peer) D=8s
2021-05-05 12:59:56 unexpected disconnection while reading SMTP command from (rainbowisp.in) [103.25.46.30] (error: Connection reset by peer) D=4s
2021-05-05 12:59:56 unexpected disconnection while reading SMTP command from pppoe.178-66-110-167.dynamic.avangarddsl.ru [178.66.110.167] (error: Connection reset by peer) D=6s
2021-05-05 12:59:56 unexpected disconnection while reading SMTP command from ([186.179.163.37]) [186.179.163.37] (error: Connection reset by peer) D=26s
2021-05-05 12:59:56 unexpected disconnection while reading SMTP command from ([95.187.78.201]) [95.187.78.201] (error: Connection reset by peer) D=8s
2021-05-05 12:59:57 unexpected disconnection while reading SMTP command from ([105.163.198.189]) [105.163.198.189] (error: Connection reset by peer) D=5s
2021-05-05 12:59:57 unexpected disconnection while reading SMTP command from 37.30.22.29.nat.umts.dynamic.t-mobile.pl [37.30.22.29] (error: Connection reset by peer) D=22s
2021-05-05 12:59:57 unexpected disconnection while reading SMTP command from 114-39-240-147.dynamic-ip.hinet.net [114.39.240.147] (error: Connection reset by peer) D=28s
2021-05-05 12:59:57 unexpected disconnection while reading SMTP command from (177-89-199-109.cable.cabotelecom.com.br) [177.89.199.109] (error: Connection reset by peer) D=1s
2021-05-05 12:59:57 unexpected disconnection while reading SMTP command from ([119.153.146.191]) [119.153.146.191] (error: Connection reset by peer) D=8s
2021-05-05 12:59:58 unexpected disconnection while reading SMTP command from (18-213-119-111.mysipl.com) [111.119.213.18] (error: Connection reset by peer) D=27s
2021-05-05 12:59:58 unexpected disconnection while reading SMTP command from host110.190-3-30.dynamic.telmex.net.ar [190.3.30.110] (error: Connection reset by peer) D=19s
2021-05-05 12:59:58 unexpected disconnection while reading SMTP command from apn-31-0-24-139.dynamic.gprs.plus.pl [31.0.24.139] (error: Connection reset by peer) D=5s
2021-05-05 12:59:58 unexpected disconnection while reading SMTP command from ([87.201.205.30]) [87.201.205.14] D=14s
2021-05-05 12:59:59 unexpected disconnection while reading SMTP command from (103-12-196-10.kkn.com.pk) [103.12.196.10] (error: Connection reset by peer) D=33s
2021-05-05 12:59:59 unexpected disconnection while reading SMTP command from host-28-net-99-160-119.mobilinkinfinity.net.pk [119.160.99.28] (error: Connection reset by peer) D=15s
2021-05-05 12:59:59 unexpected disconnection while reading SMTP command from (179-99-209-73.dsl.telesp.net.br) [179.99.209.73] (error: Connection reset by peer) D=14s
 
Exim has an update, 4.5.2.
Important update about "abused attacking".
 
Thank you. I updated but I have the same problem. The same problem ..

Latest version of Exim: 4.94.2
Installed version of Exim: 4.94.2

2021-05-05 14:14:38 unexpected disconnection while reading SMTP command from (118-107-139-172.snet.net.pk) [118.107.139.173] (error: Connection reset by peer) D=1m1s
2021-05-05 14:14:38 unexpected disconnection while reading SMTP command from 202.208.38.84.otvk.pl [84.38.208.202] (error: Connection reset by peer) D=9s
2021-05-05 14:14:38 unexpected disconnection while reading SMTP command from (179-108-189-240.estrelarweb.com.br) [179.108.189.240] (error: Connection reset by peer) D=5s
2021-05-05 14:14:38 unexpected disconnection while reading SMTP command from ([103.157.220.143]) [103.157.220.143] (error: Connection reset by peer) D=24s
2021-05-05 14:14:39 unexpected disconnection while reading SMTP command from net-93-67-81-131.cust.vodafonedsl.it [93.67.81.131] (error: Connection reset by peer) D=14s
2021-05-05 14:14:39 unexpected disconnection while reading SMTP command from ([27.56.200.245]) [27.56.200.245] (error: Connection reset by peer) D=40s
2021-05-05 14:14:39 unexpected disconnection while reading SMTP command from 188.147.103.13.nat.umts.dynamic.t-mobile.pl [188.147.103.13] (error: Connection reset by peer) D=1s
2021-05-05 14:14:39 unexpected disconnection while reading SMTP command from ([191.84.66.213]) [191.84.66.213] (error: Connection reset by peer) D=35s
2021-05-05 14:14:39 unexpected disconnection while reading SMTP command from (static.vnpt.vn) [14.181.88.204] (error: Connection reset by peer) D=14s
2021-05-05 14:14:40 unexpected disconnection while reading SMTP command from (fm-dyn-139-194-96-38.fast.net.id) [139.194.96.38] (error: Connection reset by peer) D=33s
2021-05-05 14:14:40 unexpected disconnection while reading SMTP command from ([103.149.205.4]) [103.149.205.4] (error: Connection reset by peer) D=29s
2021-05-05 14:14:40 unexpected disconnection while reading SMTP command from bba417295.alshamil.net.ae [83.110.197.227] (error: Connection reset by peer) D=8s
2021-05-05 14:14:40 unexpected disconnection while reading SMTP command from ([212.237.121.124]) [212.237.121.124] (error: Connection reset by peer) D=5s
2021-05-05 14:14:40 unexpected disconnection while reading SMTP command from (static.vnpt.vn) [113.177.220.11] (error: Connection reset by peer) D=8s
2021-05-05 14:14:40 unexpected disconnection while reading SMTP command from mob-31-158-65-202.net.vodafone.it [31.158.65.202] (error: Connection reset by peer) D=19s
2021-05-05 14:14:41 unexpected disconnection while reading SMTP command from ([203.177.160.14]) [203.177.160.14] (error: Connection reset by peer) D=16s
2021-05-05 14:14:41 unexpected disconnection while reading SMTP command from (localhost) [27.71.122.81] (error: Connection reset by peer) D=22s
2021-05-05 14:14:41 unexpected disconnection while reading SMTP command from ([94.187.0.61]) [94.187.0.61] (error: Connection reset by peer) D=5s
2021-05-05 14:14:41 unexpected disconnection while reading SMTP command from ([106.201.62.163]) [106.201.62.163] (error: Connection reset by peer) D=15s
2021-05-05 14:14:41 unexpected disconnection while reading SMTP command from 188.146.37.69.nat.umts.dynamic.t-mobile.pl [188.146.37.69] (error: Connection reset by peer) D=15s
2021-05-05 14:14:42 unexpected disconnection while reading SMTP command from (41-213-150-174.zeop.re) [41.213.150.174] (error: Connection reset by peer) D=22s
2021-05-05 14:14:42 unexpected disconnection while reading SMTP command from ([106.215.246.1]) [106.215.180.217] (error: Connection reset by peer) D=5s
2021-05-05 14:14:42 unexpected disconnection while reading SMTP command from 89-64-77-50.dynamic.chello.pl [89.64.77.50] (error: Connection reset by peer) D=0s
2021-05-05 14:14:43 unexpected disconnection while reading SMTP command from ([39.45.24.215]) [39.45.24.215] (error: Connection reset by peer) D=15s
2021-05-05 14:14:43 unexpected disconnection while reading SMTP command from 11.177.19.95.dynamic.jazztel.es [95.19.177.11] (error: Connection reset by peer) D=27s
2021-05-05 14:14:43 unexpected disconnection while reading SMTP command from bl21-169-22.dsl.telepac.pt [2.82.169.22] (error: Connection reset by peer) D=24s
2021-05-05 14:14:43 unexpected disconnection while reading SMTP command from (58.116.255.143.paranhananet.com.br) [143.255.116.58] (error: Connection reset by peer) D=23s
2021-05-05 14:14:43 unexpected disconnection while reading SMTP command from host-92-2-142-73.as13285.net [92.2.142.73] (error: Connection reset by peer) D=19s
2021-05-05 14:14:44 unexpected disconnection while reading SMTP command from (static.customer-201-144-104-74.uninet-ide.com.mx) [201.144.104.74] (error: Connection reset by peer) D=29s
2021-05-05 14:14:44 unexpected disconnection while reading SMTP command from (static.vnpt.vn) [14.188.128.179] (error: Connection reset by peer) D=22s
2021-05-05 14:14:44 unexpected disconnection while reading SMTP command from ([45.171.207.141]) [45.171.207.141] (error: Connection reset by peer) D=6s
2021-05-05 14:14:44 unexpected disconnection while reading SMTP command from ([41.215.130.189]) [41.215.130.189] (error: Connection reset by peer) D=22s
2021-05-05 14:14:45 unexpected disconnection while reading SMTP command from ([196.251.36.23]) [196.251.36.23] (error: Connection reset by peer) D=30s
 
Does anyone else have this problem?

I think considering this a problem is where the logic failure is occurring. Let me show you how many times I have that in the logs of one of my servers:

[root@sunfire exim]# grep "unexpected disconnection while reading SMTP command" mainlog | wc -l
483374

You read that right, that's 483,374 instances of that error in my logs since last log rotation (2nd day of this month). This is normal and not a sign of a problem with the mail server. By running a mail server you are constantly under attack by botnets who want to send spam to your clients, try to open relay through your server (and, ideally, fail), or brute force your customers' passwords. This error is merely a symptom of normal attacks against a mail server, many of them from systems that aren't doing a good job of what they're trying to do.

If a problem led you to find this error and assume it to be an indication of the problem, you should move backwards and start with the problem that led you to it, as it isn't likely related.
 
If you do really want to stop that though, and you're alright with risking the possibility that your clients may have triggered the error a few times as well, here's how you block them all in bulk:

for i in $(grep "unexpected disconnection while reading SMTP command" mainlog | awk '{print $11}' | sed 's/\[//' | sed 's/\]//' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq); do ip route add blackhole $i; done

Be aware that this may very well block something legitimate. The top IP in this for me is a Sendgrid IP which I suppose is as good as a spammer as any other, but blocking it would be a great way for me to generate a few support tickets for myself and gain nothing for doing so.
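A more cautious variant of the bulk block above, as an added example that is not part of the original post: it counts events per peer address, applies a minimum count and an allowlist, and prints the `ip route` commands for review instead of running them. The function names, the threshold and all addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample lines are constructed.
sample_log() {
cat <<'EOF'
2021-05-05 12:59:49 unexpected disconnection while reading SMTP command from ([192.0.2.10]) [192.0.2.10] (error: Connection reset by peer) D=16s
2021-05-05 12:59:50 unexpected disconnection while reading SMTP command from host.example.net [192.0.2.10] (error: Connection reset by peer) D=3s
2021-05-05 12:59:51 unexpected disconnection while reading SMTP command from [192.0.2.10] (error: Connection reset by peer) D=0s
2021-05-05 12:59:52 unexpected disconnection while reading SMTP command from ([203.0.113.9]) [198.51.100.7] D=14s
2021-05-05 12:59:53 unexpected disconnection while reading SMTP command from relay.example.org (mta.example.org) [198.51.100.25] (error: Connection reset by peer) D=5s
2021-05-05 12:59:54 unexpected disconnection while reading SMTP command from relay.example.org (mta.example.org) [198.51.100.25] (error: Connection reset by peer) D=5s
2021-05-05 12:59:55 unexpected disconnection while reading SMTP command from relay.example.org (mta.example.org) [198.51.100.25] (error: Connection reset by peer) D=5s
EOF
}

# block_candidates MIN_COUNT "ALLOWED_IP ALLOWED_IP ..." < mainlog
# Prints "count ip" for IPv4 peers at or above MIN_COUNT, highest first.
block_candidates() {
    awk -v min="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /unexpected disconnection while reading SMTP command from/ {
            seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { seen = 1; continue }
                # Peer address is the bare [a.b.c.d] field (optionally :port).
                # A HELO literal such as ([a.b.c.d]) is in parentheses: skipped.
                if (seen && $i ~ /^\[[0-9.]+\](:[0-9]+)?$/) {
                    ip = $i
                    sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
                    count[ip]++
                    break
                }
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min + 0 && !(ip in ok)) print count[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Print (do not run) one blackhole command per candidate, for review.
emit_blackhole() {
    while read -r _count ip; do
        printf 'ip route add blackhole %s\n' "$ip"
    done
}

# Demo: threshold 3, with the constructed relay address allowlisted.
sample_log | block_candidates 3 "198.51.100.25" | emit_blackhole
```

Scanning for the bare bracketed field after `from` also catches lines that carry neither a hostname nor a HELO name, which a fixed field number misses.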
 
Thanks for the reply! The attack stopped after 3 days. I've never seen anything like this ... so many connections simultaneously and so three days of non stop siege. Generally, any attack stopped after one or two hours.
 