# [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" logs



## fonz (Feb 21, 2014)

My mailserver's logs contain lots of the following lines:

```
<timestamp> mail sm-mta[62748]: s1H2MWNN062748: foo.bar.com [<IP address>] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
```
There are over 1,000 such entries from the same hostname/IP within a period of ten minutes or so. Is there any chance this is just a crappy misconfigured server, or is it a spammer trying to abuse my server for relaying?


----------



## wblock@ (Feb 21, 2014)


If it was trying to relay, it would probably have done something.  Possibly a misconfigured spambot.  I'd firewall and forget.  If it turns out they have anything legitimate to say, they can send it through somebody else's working mail server.


----------



## fonz (Feb 21, 2014)


Thanks. `vim /etc/pf.conf` and `service pf restart` it is.


----------



## Chris_H (Mar 13, 2014)


FWIW I see those all the time; in fact, for _years_. The general consensus is that it's a spam(mer|bot) that attempts to "pipeline" the spam from a dictionary's worth of names it hopes to find on your MX. The problem is; they simply open a connection, expecting to be immediately able to start pumping your MX with DATA. In other words; they never wait for the ACK from your MX. _That_ is what elicits the EXPN/VRFY from your MX.

HTH

--Chris


----------



## fonz (Mar 13, 2014)


@Chris_H, thanks for the background information.


----------



## Chris_H (Mar 13, 2014)


You're _very_ welcome, @fonz.

Thank you, too. For all the help you've given me, in the past 

--Chris


----------



## wblock@ (Mar 13, 2014)

fonz said:

> Thanks. `vim /etc/pf.conf` and `service pf restart` it is.



`service pf reload` reloads the rules without killing existing connections (like the SSH connection you may be using to change them).


----------



## Chris_H (Mar 13, 2014)


Excellent. That's great to know.

Thanks, @wblock@.

--Chris


----------



## fullauto2012 (Dec 12, 2017)

I have had my SMTP server running for 8 hours.
This is how many of these I have.
Is this normal?
Is there a better way to keep up with adding all these IPs to my pf.conf than just grepping for them and manually adding?


```
root@kif:/usr/local/etc/dovecot # date
Tue Dec 12 09:27:28 EST 2017
root@kif:/usr/local/etc/dovecot # cat /var/log/maillog | grep "did not issue" | cut -d "[" -f 1 -f 3
Dec 12 00:01:00 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:05:06 kif sm-mta[193.70.87.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:09:23 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:13:22 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:17:41 kif sm-mta[95.177.213.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:22:00 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:26:01 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:30:07 kif sm-mta[118.219.45.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:34:03 kif sm-mta[178.33.107.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:38:12 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:42:33 kif sm-mta[203.191.174.55] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:46:24 kif sm-mta[87.98.131.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:50:39 kif sm-mta[213.156.120.22] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:54:46 kif sm-mta[91.237.124.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:58:59 kif sm-mta[91.237.124.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:03:08 kif sm-mta[170.83.76.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:07:11 kif sm-mta[175.136.232.97] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:12:49 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:15:34 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:19:48 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:24:04 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:28:07 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:36:36 kif sm-mta[82.185.149.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:40:47 kif sm-mta[95.177.213.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:44:57 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:49:04 kif sm-mta[185.109.169.71] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:53:13 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:57:29 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:01:38 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:05:50 kif sm-mta[200.49.145.161] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:14:13 kif sm-mta[193.70.87.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:18:17 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:22:28 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:26:34 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:30:40 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:38:58 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:43:04 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:47:44 kif sm-mta[137.101.210.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:51:12 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:55:17 kif sm-mta[41.87.95.33] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:59:15 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:03:24 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:07:29 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:11:36 kif sm-mta[191.248.224.38] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:15:39 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:16:49 kif sm-mta[139.162.99.243] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:19:38 kif sm-mta[41.87.95.33] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:23:41 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:31:41 kif sm-mta[178.33.107.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:35:54 kif sm-mta[95.59.137.196] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:39:54 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:44:01 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:48:03 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:52:19 kif sm-mta[41.180.72.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:56:24 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:00:28 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:04:42 kif sm-mta[2.42.219.63] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:08:40 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:12:59 kif sm-mta[120.150.227.127] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:17:02 kif sm-mta[202.131.203.163] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:21:12 kif sm-mta[149.135.117.174] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:25:14 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:29:27 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:33:33 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:37:43 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:41:58 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:45:55 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:54:13 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:58:15 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:02:29 kif sm-mta[95.59.137.196] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:06:45 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:10:43 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:15:10 kif sm-mta[200.85.52.74] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:19:01 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:23:14 kif sm-mta[190.216.165.6] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:27:21 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:31:36 kif sm-mta[110.145.123.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:35:45 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:36:13 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:40:17 kif sm-mta[88.23.251.86] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:43:53 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:48:27 kif sm-mta[120.150.227.127] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:52:33 kif sm-mta[110.145.123.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:56:41 kif sm-mta[94.46.187.190] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:00:55 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:05:12 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:09:21 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:13:48 kif sm-mta[88.23.251.86] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:21:42 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:25:53 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:28:21 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:30:14 kif sm-mta[181.49.39.70] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:31:25 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:34:29 kif sm-mta[82.185.149.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:34:43 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:37:59 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:38:32 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:41:16 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:42:44 kif sm-mta[200.105.132.238] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:44:42 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:46:57 kif sm-mta[94.46.187.190] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:48:26 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:51:06 kif sm-mta[170.83.76.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:51:51 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:55:11 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:55:22 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:58:53 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:59:27 kif sm-mta[185.109.169.71] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:02:14 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:03:39 kif sm-mta[2.42.219.63] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:05:41 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:07:35 kif sm-mta[190.223.59.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:09:01 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:12:27 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:15:49 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:15:49 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:18:58 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:19:50 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:22:24 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:24:01 kif sm-mta[118.219.45.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:25:52 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:28:08 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:29:17 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:32:14 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:32:47 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:36:11 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:36:23 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:40:00 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:40:26 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:43:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:44:19 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:46:36 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:48:34 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:49:59 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:52:43 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:53:21 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:56:35 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:56:49 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:59:48 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:01:01 kif sm-mta[220.130.186.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:03:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:05:06 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:06:34 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:09:28 kif sm-mta[24.139.47.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:10:02 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:13:23 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:13:24 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:16:46 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:17:35 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:20:10 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:21:34 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:23:31 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:25:41 kif sm-mta[220.130.186.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:26:57 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:29:46 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:30:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:33:40 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:33:47 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:37:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:37:51 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:40:33 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:42:08 kif sm-mta[24.139.47.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:44:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:46:02 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:47:43 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:51:14 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:54:18 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:54:31 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:58:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:58:47 kif sm-mta[137.101.210.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:01:33 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:02:17 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:04:56 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:06:26 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:08:30 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:12:04 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:14:40 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:15:23 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:18:33 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:18:51 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:22:16 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:22:42 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:25:42 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:26:47 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
```


----------



## SirDice (Dec 12, 2017)

fullauto2012 said:


> Is there a better way to keep up with adding all these IPs to my pf.conf than just grepping for them and manually adding?


security/sshguard, security/py-fail2ban, blacklistd(8) (not sure if sendmail(1) has support for this one though).


----------



## DutchDaemon (Dec 12, 2017)

Note that these can also be SMTP AUTH attacks, which will not be logged as such if you have no authentication mechanisms set up. blacklistd(8) will pick them right out for you.

Use something like

```
[local]
smtp            stream  *       *               *       3       30d
smtps           stream  *       *               *       3       30d
submission      stream  *       *               *       3       30d
```
in blacklistd.conf. You *must* use Sendmail from ports with the blacklistd option activated though.


----------



## fullauto2012 (Dec 12, 2017)

SirDice said:


> security/sshguard, security/py-fail2ban, blacklistd(8) (not sure if sendmail(1) has support for this one though).


But, does security/sshguard monitor and help port 25 SMTP?
All I have found is that it works to suppress bruteforce SSH, for which I already have:


```
pass in log quick on $ext_if inet proto tcp from any \
        to { $ext_ip, $localnet } port (OMIT) \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/9, \
        overload <bruteforce> flush global)
```


----------



## DutchDaemon (Dec 12, 2017)

sshguard (or Fail2Ban) will not catch these, no; these attacks need to be signalled by the abused application itself, and Sendmail with the blacklistd flag set will actively signal blacklistd to tally an ongoing attack. Sendmail without authentication mechanisms will not log this as an authentication attempt.


----------



## fullauto2012 (Dec 12, 2017)

I am setting up my very FIRST email server. So to say that most of this is over my head is an understatement. E.g., although I technically have a working SMTP and POP3, I am still confused as to how this all works. For instance, I am completely confused as to how to configure SMTP authorization and what/how TLS works and why. Is there any 'cut to the chase' documentation either of you can point me to so that I am not forever embarrassing myself on this forum?

What I would like to accomplish by hosting my own email server is to become fairly proficient at installing/configuring sendmail and dovecot while understanding the different auth mechanisms and encryption.  In short, I would eventually like to become as well versed at all aspects of FreeBSD hosting as you guys. And I LOVE to read technical documents (it's both a blessing and a curse).


----------



## DutchDaemon (Dec 12, 2017)

There is no simple shortcut for reading /usr/share/sendmail/cf/README, and testing with /etc/mail/${hostname}.mc followed by a `make all install restart` and a `tail -f /var/log/maillog`. If you want to play with authentication, you will have to use mail/sendmail or package sendmail+tls+sasl2-8.15.2_3. 

TLS is mostly out of the box nowadays, unless you want domain-specific certificates. A standard install will put something like this in your .mc file:

```
dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
```
and it will pre-populate your /etc/mail/certs/ directory -- this will enable TLS without too much ado.


----------



## SirDice (Dec 13, 2017)

fullauto2012 said:


> But, does security/sshguard monitor and help port 25 SMTP?


It can monitor a variety of services, not just SSH. 
https://www.sshguard.net/docs/reference/attack-signatures/



DutchDaemon said:


> sshguard (or Fail2Ban) will not catch these, no;


Not sure if sshguard will catch this specific attack but Fail2Ban can certainly be _made_ to detect them. In this respect Fail2Ban may actually be the best choice as you can create your own detection rules and trigger on custom events.


----------



## fullauto2012 (Dec 13, 2017)

This is going to come off as a bit juvenile, but how is the overhead on Fail2Ban?  This rig is already painfully slow responding to POP3/SMTP as it is.


----------



## SirDice (Dec 13, 2017)

Not that much, but it's going to depend on the number and complexity of the rules. It does have a bunch of Python dependencies though.



fullauto2012 said:


> This rig is already painfully slow responding to POP3/SMTP as it is.


That may be the result of all the scans and attempts to relay or bruteforce. Blocking those may improve the situation.


----------



## DutchDaemon (Dec 14, 2017)

I'm pretty sure Fail2Ban will not detect login attempts on a Sendmail installation without SASL or other authentication mechanisms. It is simply not logged as anything other than a 'sudden disconnect'.


----------



## SirDice (Dec 14, 2017)

DutchDaemon said:


> It is simply not logged as anything other than a 'sudden disconnect'.


It sounds like we're talking about different things. I was referring to messages like these:

```
Dec 12 09:26:47 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
```

https://github.com/fail2ban/fail2ban/issues/1699


----------



## DutchDaemon (Dec 14, 2017)

No, that's exactly the message I was referring to; it is impossible to deduce from that error message that it was in fact a failed authentication attempt against a non-authenticating Sendmail - the exact same error message is produced by e.g. a Zabbix agent that queries the host for the availability of port 25 or by a port scan for ports like 25 or 587. Triggering a block on the mere presence of "MAIL/EXPN/VRFY/ETRN" in a maillog will lead to "interesting false positives", and I've been there .. So be careful out there ..


----------



## Chris_H (Jan 9, 2018)

fullauto2012,
I feel your pain! I've been fighting _serious_ MX abuse for about 4 half mos, now. In that time I have accumulated ~12 million SPAM/ABUSE sources! Who knew I'd be such a popular target! 
Anyway I *swear* by pf(4) as the _definitive_ defense against NET related abuse. Not only does it turn the abusers off, it squelches all (most) of the noise in your log(s), and trims traffic; giving you more of that pipe for yourself. Anyway I'll try to give some clues to creating the necessary pf(4) stuff you'll need/want, as well as some scripting to help you automate the entire process. 
First up; you'll want to gather the offending IP's from your maillog, *without* plucking them out manually in your log viewer.
Based on the log output you've posted here; the following should do it for you:

```
#!/bin/sh -

cat /var/log/maillog | grep 'did not issue' | awk '{print $5;}' | sed 's/sm-mta\[//' | sed 's/\]//' | sort -t. +0 -1n +1 -2n +2 -3n +3 -4n | uniq >./SPAMMERS
```
I'd strongly recommend running this from the /tmp folder/directory. So you can experiment, and ensure that it's capturing the addresses properly. If all goes well. Report back, and we'll move on to the next step(s); a pf.conf(5) file, and all the related goodies. OH! I mean report back regardless. 
Ultimately, the above script will gather all the offending IP's, and sort them in a more readable fashion, where we can ultimately add them to a TABLE for pf(4) to read, so it can deal with them in a manner _you_ find appropriate. 

HTH

--Chris


----------



## stparvu (Feb 16, 2019)

Chris_H said:


> fullauto2012 ,
> 
> first up; you'll want to gather the offending IP's from your maillog, *without* plucking them out manually in your log viewer.
> Based on the log output you've posted here; the following should do it for you:
> ...



Should be:


```
cat /var/log/maillog | grep 'did not issue' | awk '{print $7;}' | sed 's/\[//;s/\]//' | sort -t. +0 -1n +1 -2n +2 -3n +3 -4n | uniq > ./SPAMMERS
```

right?

This will return a list of IPs and FQDN names to feed pf. Some questions:

 * what is the most recommended way, which packet filtering firewall to use in FreeBSD 12? pf?

 * how can you automate and feed pf or other friends such list of IPs?

Fighting spam is always fun and instructive


----------
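Added example (not code from any poster in this thread): one way to do the extraction step discussed above while taking DutchDaemon's false-positive caveat into account. It pulls the bracketed IPv4 address whether or not a hostname or "(may be forged)" is present, counts hits per address, skips private/LAN and allowlisted sources, and uses `sort -k` in place of the obsolete `+0 -1n` key syntax. The function names, the threshold, the allowlist file and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: candidate list for a pf table from sendmail
# "did not issue MAIL/EXPN/VRFY/ETRN" lines read on stdin.

# offenders MIN_HITS [ALLOWLIST_FILE]   -> prints "IPv4 hits", sorted numerically
#   MIN_HITS        matching lines required before an address is listed (default 5)
#   ALLOWLIST_FILE  one IPv4 address per line, exact match, "#" comments allowed
offenders() {
    awk -v min="${1:-5}" -v allow="${2:-/dev/null}" '
    function public_ipv4(ip,    o, k) {
        if (split(ip, o, ".") != 4) return 0
        for (k = 1; k <= 4; k++)
            if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) return 0
        # Never list loopback, RFC 1918 or link-local sources (own LAN, MSA clients).
        if (o[1] + 0 == 10 || o[1] + 0 == 127) return 0
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 0
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 0
        if (o[1] + 0 == 169 && o[2] + 0 == 254) return 0
        return 1
    }
    BEGIN {
        # Load the allowlist (monitoring probes, known scanners you trust).
        while ((getline line < allow) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") skip[line] = 1
        }
    }
    / did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to / {
        head = $0
        sub(/ did not issue MAIL.*/, "", head)
        sub(/ \(may be forged\)$/, "", head)
        if (head !~ /\]$/) next
        # The address is the LAST [...] group; sm-mta[pid] comes earlier in the line.
        pos = 0
        while ((i = index(substr(head, pos + 1), "[")) > 0) pos += i
        ip = substr(head, pos + 1, length(head) - pos - 1)
        if (public_ipv4(ip) && !(ip in skip)) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min + 0) print ip, hits[ip] }
    ' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# pf_table_list MIN_HITS [ALLOWLIST_FILE] -> addresses only, one per line
pf_table_list() { offenders "$@" | cut -d ' ' -f 1; }

# Constructed sample log (documentation address ranges; not data from the thread).
sample_maillog() {
    m='did not issue MAIL/EXPN/VRFY/ETRN during connection to'
    cat <<EOF
Dec 12 00:01:00 mx sm-mta[1001]: vBC001: [203.0.113.7] $m IPv4
Dec 12 00:05:06 mx sm-mta[1002]: vBC002: host7.example.net [203.0.113.7] $m IPv4
Dec 12 00:09:23 mx sm-mta[1003]: vBC003: [203.0.113.7] (may be forged) $m IPv4
Dec 12 00:13:22 mx sm-mta[1004]: vBC004: [198.51.100.20] $m IPv4
Dec 12 00:17:41 mx sm-mta[1005]: vBC005: [198.51.100.20] $m IPv4
Dec 12 00:22:00 mx sm-mta[1006]: vBC006: [198.51.100.20] $m IPv4
Dec 12 00:26:01 mx sm-mta[1007]: vBC007: [198.51.100.9] $m IPv4
Dec 12 00:30:07 mx sm-mta[1008]: vBC008: [198.51.100.9] $m IPv4
Dec 12 00:34:03 mx sm-mta[1009]: vBC009: [198.51.100.9] $m IPv4
Dec 12 00:38:12 mx sm-mta[1010]: vBC010: [192.168.1.110] $m MSA
Dec 12 00:38:12 mx sm-mta[1011]: vBC011: [192.168.1.110] $m MSA
Dec 12 00:38:12 mx sm-mta[1012]: vBC012: [192.168.1.110] $m IPv4
Dec 12 00:42:33 mx sm-mta[1013]: vBC013: [192.0.2.50] $m IPv4
Dec 12 00:46:24 mx sm-mta[1014]: vBC014: [192.0.2.50] $m IPv4
Dec 12 00:50:39 mx sm-mta[1015]: vBC015: [192.0.2.50] $m IPv4
Dec 12 00:54:46 mx sm-mta[1016]: vBC016: [203.0.113.99] $m IPv4
Dec 12 00:59:00 mx sm-mta[1017]: vBC017: from=<a@example.org>, size=512, relay=mail.example.org [203.0.113.99]
EOF
}

# Demo: sources with 3+ hits, with one monitoring host allowlisted.
allow=$(mktemp) && echo '192.0.2.50  # monitoring probe' > "$allow"
sample_maillog | offenders 3 "$allow"
rm -f "$allow"
```

The output of `pf_table_list` can be written to a file and loaded with `pfctl -t spammers -T replace -f <file>`, where `spammers` is an assumed table name declared in pf.conf. Only IPv4 sources are handled; the allowlist does exact matches, not CIDR ranges.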



## trev (Feb 17, 2019)

In the never-ending quest to squelch spam, I wrote a sendmail(8) milter (in C) which checks the relay hostname during incoming mail transactions against the regular expression patterns stored in the configuration file and can DISCARD/TEMPFAIL/REJECT the connection per pattern. New patterns can be added without restarting the milter or sendmail(8). If anyone is interested in the source PM me.

Examples from the man page:


```
# Reject relay hostnames matching these regular expressions
[a-z]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3} REJECT
^[0-9]{1,7}hfc[0-9]{1,3}[-.]           REJECT
```

It has run successfully on my FreeBSD systems for some years, and on a couple of high-volume university Solaris and Linux mail servers without issue.


----------



## stparvu (Feb 20, 2019)

Cool.


----------

