Date: 6 Feb 2026 17:07:51 -0500
Message-Id: <20260206220751.62F37F567CEE@ary.qy>
From: "John Levine"
To: freebsd-questions@freebsd.org
Cc: bc979@lafn.org
Subject: Re: Strange sockstat entries
In-Reply-To: <2133E787-9AF9-4999-83DC-83B4C0CABD32@lafn.org>
Organization: Taughannock Networks
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

It appears that Doug Hardie said:
>I am seeing a number of unusual sockstat entries that look like:
>
>?? ?? ?? ?? tcp4 10.0.1.230:587 178.16.54.22:63001
>
>They occur at the end of the output. Often there are about 10 or so entries.
>Most of them vanish after a few seconds. However, two are quite persistent.
>What causes this type of entry?

Port 587 is mail submission, so that's a spambot trying to break into your mail server. I see lots of them on my submission server. Unless you have usernames and passwords that are trivially guessable, they shouldn't be a problem.

I also see them on port 25 so I added a feature to my mail server so that AUTH on port 25 always succeeds, and it puts the mail they try to send into the spam trap. I get far more of those.

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
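
Added example, not part of the original message or written by either poster: a small sh/awk filter that tallies the ownerless ("??") TCP rows discussed above by local port and remote address, so persistent peers on ports 587 and 25 stand out. The function names `sample_sockstat` and `ownerless_by_peer` are hypothetical, and every sample row except the one quoted in the thread is constructed.

```shell
#!/bin/sh
# Added example: tally sockstat rows whose owner columns are unknown
# ("?" or "??") by local port and remote address.

# Constructed sample in sockstat's column layout. Only the first "??" row
# comes from the thread; every other row is made up for illustration.
sample_sockstat() {
cat <<'EOF'
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 812 4 tcp4 *:22 *:*
mail master 1044 13 tcp4 *:587 *:*
?? ?? ?? ?? tcp4 10.0.1.230:587 178.16.54.22:63001
?? ?? ?? ?? tcp4 10.0.1.230:587 203.0.113.7:41022
?? ?? ?? ?? tcp4 10.0.1.230:587 203.0.113.7:41023
?? ?? ?? ?? tcp4 10.0.1.230:25 198.51.100.9:50211
EOF
}

# Reads sockstat output on stdin and prints "count local_port remote_addr",
# busiest peers first.
ownerless_by_peer() {
    awk '
        # Keep only TCP rows where all four owner columns start with "?".
        $1 ~ /^[?]/ && $2 ~ /^[?]/ && $3 ~ /^[?]/ && $4 ~ /^[?]/ && $5 ~ /^tcp/ {
            lport = $6; sub(/^.*:/, "", lport)     # text after the last colon
            raddr = $7; sub(/:[^:]*$/, "", raddr)  # drop the trailing :port
            seen[lport " " raddr]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2n -k3,3
}

# On a FreeBSD host, feed it live data instead: sockstat | ownerless_by_peer
sample_sockstat | ownerless_by_peer
```

Running it a few times some seconds apart separates the short-lived entries from the persistent ones the question mentions.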