Re: [exim] Exim log being flooded with strange attack

Author: John Beaumont
Date:  
To: exim-users
Subject: Re: [exim] Exim log being flooded with strange attack
Anyone??

I'm still seeing a lot of this each day. Nearly all of it from Brazilian
broadband IPs.

More generally what does this TLS error mean?

Very grateful for any replies!

On 14 October 2012 00:45, John Beaumont <john@???> wrote:

> Exim version 4.74
> TLS plain and login on port 465
>
> My exim server has been running happily for about 6 months. Hack attempts
> are rare, I haven't needed to bother with fail2ban in all that time.
>
> However about 7 days ago I started to notice something appearing regularly
> in the mainlog.
>
> TLS error on connection from [xxx.xxx.xxx.xxx] (recv): A record packet
> with illegal version was received.
> 2012-10-14 00:26:51 TLS error on connection from [xxx.xxx.xxx.xxx] (send):
> The specified session has been invalidated for some reason.
>
> The frequency was roughly about 1 a minute usually from Chinese or
> Brazilian IPs. By today (14-oct) my server was being hammered with these
> messages from IPs all over the world. Ten to twenty a second. The server
> was becoming sluggish and I had to put in a fail2ban regex to put a stop to
> it all. 243 IPs were banned in 5 minutes, with about 10 to 20 new ones
> being banned every hour since.
>
> Does anyone know what this new attack is? Is there a new piece of malware
> out there looking for trouble on port 465? I never saw anything like this
> before until last week.
>
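A fail2ban-style filter for the mainlog entries quoted above, added here as an example and not part of the original thread or of Exim or fail2ban: it matches the `TLS error on connection from [ip]` lines with Python's `re` module (the engine fail2ban filters use), keeps a per-host sliding window of hits, and returns the hosts that reached a `maxretry` count within `findtime`, which is how fail2ban decides to ban. The sample log excerpt, the threshold and the window length are constructed for the example; the addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim mainlog line: "YYYY-MM-DD HH:MM:SS TLS error on connection from [ip] (recv|send): message".
# An optional reverse-DNS name before the bracket and an optional ":port" after it are tolerated,
# since Exim emits both depending on its log_selector settings.
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS error on connection from (?:\S+ )?\[(?P<host>[0-9a-fA-F.:]+)\](?::\d+)? "
    r"\((?:recv|send)\): (?P<msg>.*)$"
)

# Constructed sample excerpt: one host hammers the port, one host trips twice far apart,
# and one ordinary delivery line must be ignored by the filter.
SAMPLE_LOG = """\
2012-10-14 00:26:50 TLS error on connection from [192.0.2.10] (recv): A record packet with illegal version was received.
2012-10-14 00:26:51 TLS error on connection from [192.0.2.10] (send): The specified session has been invalidated for some reason.
2012-10-14 00:26:52 TLS error on connection from [198.51.100.7] (recv): A record packet with illegal version was received.
2012-10-14 00:26:53 TLS error on connection from [192.0.2.10] (recv): A record packet with illegal version was received.
2012-10-14 00:26:54 <= sender@example.org H=mail.example.org [203.0.113.5] P=esmtps S=1234
2012-10-14 00:27:10 TLS error on connection from [192.0.2.10] (recv): A record packet with illegal version was received.
2012-10-14 00:40:00 TLS error on connection from [198.51.100.7] (recv): A record packet with illegal version was received.
"""

def parse_tls_errors(log_text):
    """Yield (timestamp, host) for each line matching the TLS-error pattern; other lines are skipped."""
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Return the set of hosts that logged at least `maxretry` TLS errors within any
    `findtime`-second window (fail2ban's maxretry/findtime semantics, per-host sliding window)."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in parse_tls_errors(log_text):
        # Keep only the hits that still fall inside the window ending at this event.
        recent[host] = [t for t in recent[host] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))  # ['192.0.2.10']
```

With the constructed excerpt only `192.0.2.10` crosses three hits inside ten minutes; `198.51.100.7` never does because its two errors are thirteen minutes apart, which is the case a plain "count per IP" filter would get wrong.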