Yesterday, the provider opened port 25 so that my SMTP server could send mail itself, without the help of a relay server. Now I looked at the server logs and they are growing considerably every second. POP3 requests come in from some unknown users: marie, jara, sepálveda, rivera, morais, gonzalves, gonzáles, azevedo and loads of others. My server replies that the full email address must be specified for authorization, or that the password is incorrect.

Why is this happening?

"TCPIP" 5104 "2016-02-06 05:29:12.655" "TCP - 201.27.28.222 connected to 82.151.125.43:110."
"DEBUG" 5104 "2016-02-06 05:29:12.655" "TCP connection started for session 7796"
"POP3D" 5104 7796 "2016-02-06 05:29:12.655" "201.27.28.222" "SENT: +OK POP3"
"POP3D" 2452 7771 "2016-02-06 05:29:12.655" "201.27.28.222" "RECEIVED: QUIT"
"POP3D" 2452 7771 "2016-02-06 05:29:12.655" "201.27.28.222" "SENT: +OK POP3 server saying goodbye..."
"DEBUG" 2452 "2016-02-06 05:29:12.655" "Ending session 7771"
"POP3D" 5104 7786 "2016-02-06 05:29:12.655" "201.27.28.222" "RECEIVED: USER molina"
"POP3D" 5104 7786 "2016-02-06 05:29:12.655" "201.27.28.222" "SENT: +OK Send your password"
"POP3D" 2452 7778 "2016-02-06 05:29:12.670" "201.27.28.222" "RECEIVED: PASS ***"
"POP3D" 4740 7773 "2016-02-06 05:29:12.670" "201.27.28.222" "RECEIVED: QUIT"
"POP3D" 4740 7773 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: +OK POP3 server saying goodbye..."
"DEBUG" 1520 "2016-02-06 05:29:12.670" "Ending session 7773"
"POP3D" 2452 7778 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: -ERR Invalid user name or password. Please use full email address as user name."
"POP3D" 5104 7785 "2016-02-06 05:29:12.670" "201.27.28.222" "RECEIVED: USER arias"
"POP3D" 5104 7785 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: +OK Send your password"
"POP3D" 2452 7777 "2016-02-06 05:29:12.670" "201.27.28.222" "RECEIVED: PASS ***"
"POP3D" 2452 7777 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: -ERR Invalid user name or password. Please use full email address as user name."
"POP3D" 4740 7772 "2016-02-06 05:29:12.670" "201.27.28.222" "RECEIVED: QUIT"
"POP3D" 4740 7772 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: +OK POP3 server saying goodbye..."
"DEBUG" 5104 "2016-02-06 05:29:12.670" "Ending session 7772"
"DEBUG" 5104 "2016-02-06 05:29:12.670" "Creating session 7798"
"TCPIP" 5104 "2016-02-06 05:29:12.670" "TCP - 201.27.28.222 connected to 82.151.125.43:110."
"DEBUG" 5104 "2016-02-06 05:29:12.670" "TCP connection started for session 7797"
"POP3D" 5104 7797 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: +OK POP3"
"POP3D" 4740 7770 "2016-02-06 05:29:12.670" "201.27.28.222" "RECEIVED: QUIT"
"POP3D" 4740 7770 "2016-02-06 05:29:12.670" "201.27.28.222" "SENT: +OK POP3 server saying goodbye..."
"DEBUG" 2452 "2016-02-06 05:29:12.670" "Ending session 7770"
"POP3D" 4740 7787 "2016-02-06 05:29:12.686" "201.27.28.222" "RECEIVED: USER aguirre"
"POP3D" 4740 7787 "2016-02-06 05:29:12.686" "201.27.28.222" "SENT: +OK Send your password"
"POP3D" 2452 7784 "2016-02-06 05:29:12.702" "201.27.28.222" "RECEIVED: USER rossi"
"POP3D" 2452 7784 "2016-02-06 05:29:12.702" "201.27.28.222" "SENT: +OK Send your password"
"POP3D" 4740 7779 "2016-02-06 05:29:12.702" "201.27.28.222" "RECEIVED: PASS ***"
"POP3D" 4740 7779 "2016-02-06 05:29:12.702" "201.27.28.222" "SENT: -ERR Invalid user name or password. Please use full email address as user name."
"POP3D" 2452 7788 "2016-02-06 05:29:12.717" "201.27.28.222" "RECEIVED: USER ramz"
"POP3D" 2452 7788 "2016-02-06 05:29:12.717" "201.27.28.222" "SENT: +OK Send your password"

I turned on the TLS requirement and after a while the requests stopped. They no longer come now; here are the last lines of the logs.

"POP3D" 4232 10249 "2016-02-06 05:31:00.639" "201.27.28.222" "RECEIVED: USER nъсez"
"POP3D" 4232 10249 "2016-02-06 05:31:00.639" "201.27.28.222" "SENT: -ERR STLS is required."
"POP3D" 4764 10250 "2016-02-06 05:31:00.686" "201.27.28.222" "RECEIVED: USER hernбndez"
"POP3D" 4764 10250 "2016-02-06 05:31:00.686" "201.27.28.222" "SENT: -ERR STLS is required."
"POP3D" 1588 10251 "2016-02-06 05:31:00.702" "201.27.28.222" "RECEIVED: USER gonzбles"
"POP3D" 1588 10251 "2016-02-06 05:31:00.702" "201.27.28.222" "SENT: -ERR STLS is required."
"POP3D" 4232 10252 "2016-02-06 05:31:00.733" "201.27.28.222" "RECEIVED: USER gуnzalez"
"POP3D" 4232 10252 "2016-02-06 05:31:00.733" "201.27.28.222" "SENT: -ERR STLS is required."
"TCPIP" 4232 "2016-02-06 05:32:06.983" "TCP - 91.238.230.133 connected to 82.151.125.43:25."
"DEBUG" 4232 "2016-02-06 05:32:06.983" "TCP connection started for session 10077"
"SMTPD" 4232 10077 "2016-02-06 05:32:06.983" "91.238.230.133" "SENT: 220 smtp.site.ru"
"SMTPD" 3060 10077 "2016-02-06 05:32:06.999" "91.238.230.133" "RECEIVED: EHLO User"
"SMTPD" 3060 10077 "2016-02-06 05:32:06.999" "91.238.230.133" "SENT: 250-WIN-3OS58V5F8UK[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD" 4784 10077 "2016-02-06 05:32:07.014" "91.238.230.133" "RECEIVED: AUTH LOGIN"
"SMTPD" 4784 10077 "2016-02-06 05:32:07.014" "91.238.230.133" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3432 10077 "2016-02-06 05:32:07.030" "91.238.230.133" "RECEIVED: c3FsZXhlYw=="
"SMTPD" 3432 10077 "2016-02-06 05:32:07.030" "91.238.230.133" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4784 10077 "2016-02-06 05:32:07.045" "91.238.230.133" "RECEIVED: ***"
"SMTPD" 4784 10077 "2016-02-06 05:32:07.045" "91.238.230.133" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 4232 10077 "2016-02-06 05:32:07.061" "91.238.230.133" "RECEIVED: QUIT"
"SMTPD" 4232 10077 "2016-02-06 05:32:07.061" "91.238.230.133" "SENT: 221 goodbye"
"DEBUG" 4784 "2016-02-06 05:32:07.061" "Ending session 10077"

  • Unclear. The text refers to the SMTP server and port 25. And the question itself and the logs talk about POP3 and port 110. - Yaant
  • @Yaant Well, there is an SMTP server and a POP3 (and IMAP) server. Before this, the SMTP server worked through the provider's relay server and the provider's external port 25 was closed (while on my VDS it was open), and now it sends letters to others. And bots connect to POP3. - manking
  • 2
    @manking I think the provider opened port 110 as well as 25; before that it was closed and you did not see the constant login attempts. This is a completely normal situation on the Internet today: any service is constantly being connected to, attempts are made to hack it, and so on. If you don't have POP3 clients outside, then close port 110 with a firewall. - Mike

2 answers

This is an attempt to hack the mail server.

  • What for? And how can I tell where it comes from, and whether it is automated or a human? What should I do to prevent this from happening? - manking
  • 2
    @manking Why? To then send spam through your mail server. Automated or human? Automated, of course! All this has long been automated. From where? From a botnet "spread" around the world. What to do to avoid it? Close the port again. - user194374
  • @kff But I turned on TLS and they no longer come. So with TLS, will they stop trying to hack, or will they still try? - manking
  • 1
    They will, not necessarily today or tomorrow. I can recommend blocking tools such as fail2ban for Linux. Then hacking attempts are minimized. - maint
  • 2
    @manking Having published any service on the Internet, be prepared for hacking attempts in advance. They will never leave you alone. - user194374
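
Added example, not part of the original thread: the blocking idea mentioned in the comments above, sketched as a Python scan over log records in the layout shown in the question. The sample records, the thresholds and the function names `scan` and `offenders` are assumptions made for illustration; the code counts failed POP3/SMTP logins per client IP within a time window and lists the user names that were tried.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the question's log layout (documentation IPs, made-up users).
SAMPLE = '''
"POP3D" 5104 11 "2016-02-06 05:29:12.655" "203.0.113.7" "RECEIVED: USER molina"
"POP3D" 5104 11 "2016-02-06 05:29:12.670" "203.0.113.7" "SENT: -ERR Invalid user name or password."
"POP3D" 2452 12 "2016-02-06 05:29:12.686" "203.0.113.7" "RECEIVED: USER arias"
"POP3D" 2452 12 "2016-02-06 05:29:12.702" "203.0.113.7" "SENT: -ERR Invalid user name or password."
"POP3D" 4740 13 "2016-02-06 05:29:13.100" "203.0.113.7" "RECEIVED: USER rossi"
"POP3D" 4740 13 "2016-02-06 05:29:13.115" "203.0.113.7" "SENT: -ERR Invalid user name or password."
"SMTPD" 4784 20 "2016-02-06 05:32:07.014" "198.51.100.9" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3432 20 "2016-02-06 05:32:07.030" "198.51.100.9" "RECEIVED: dGVzdA=="
"SMTPD" 4784 20 "2016-02-06 05:32:07.045" "198.51.100.9" "SENT: 535 Authentication failed."
'''

RECORD = re.compile(r'"(?:POP3D|SMTPD)" \d+ (\d+) "([^"]+)" "([^"]+)" "(SENT|RECEIVED): ([^"]*)"')

def scan(text):
    """Collect failure timestamps and attempted user names per client IP."""
    fails, users, want_user = defaultdict(list), defaultdict(set), set()
    for sess, ts, ip, way, msg in RECORD.findall(text):
        if way == "RECEIVED" and msg.upper().startswith("USER "):
            users[ip].add(msg[5:])                       # POP3 user name, sent in clear
        elif way == "RECEIVED" and sess in want_user:    # reply to the SMTP prompt below
            want_user.discard(sess)
            try:
                users[ip].add(base64.b64decode(msg, validate=True).decode("latin-1"))
            except ValueError:                           # not valid base64: keep it raw
                users[ip].add(msg)
        elif way == "SENT" and msg == "334 VXNlcm5hbWU6":    # base64 of "Username:"
            want_user.add(sess)
        elif way == "SENT" and msg.startswith(("-ERR Invalid user name", "535 ")):
            fails[ip].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))
    return fails, users

def offenders(text, limit=3, window=timedelta(seconds=60)):
    """Return {ip: (failures, users tried)} for IPs with `limit` failures in one `window`."""
    fails, users = scan(text)
    out = {}
    for ip, times in fails.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[limit - 1:])):
            out[ip] = (len(times), sorted(users[ip]))
    return out

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The record pattern is matched anywhere in the text, so the scan also works on records that have been run together on one line. The resulting addresses are candidates for a firewall block rule.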

Change the port to a non-standard one and look at the result. For example, 110 to 9110. Of course, the provider has to open this port for you.

  • Try to write more detailed answers. Explain what your statement is based on. - Nicolas Chabanovsky