Date: Fri, 6 Feb 2026 14:58:46 -0800
From: Doug Hardie <bc979@lafn.org>
To: John Levine <johnl@iecc.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Strange sockstat entries
Message-ID: <2349FBE5-CC35-425F-8D83-18C5AD9EFAAA@lafn.org>
In-Reply-To: <20260206220751.62F37F567CEE@ary.qy>
References: <2133E787-9AF9-4999-83DC-83B4C0CABD32@lafn.org> <20260206220751.62F37F567CEE@ary.qy>

> On Feb 6, 2026, at 14:07, John Levine <johnl@iecc.com> wrote:
>
> It appears that Doug Hardie <bc979@lafn.org> said:
>> I am seeing a number of unusual sockstat entries that look like:
>>
>> ?? ?? ?? ?? tcp4 10.0.1.230:587 178.16.54.22:63001
>>
>> They occur at the end of the output. Often there are about 10 or so entries. Most of them vanish after a few seconds. However, two are quite persistent. What
>> causes this type of entry?
>
> Port 587 is mail submission, so that's a spambot trying to break into your mail server.
>
> I see lots of them on my submission server. Unless you have usernames and passwords that are trivially guessable,
> they shouldn't be a problem.
>
> I also see them on port 25 so I added a feature to my mail server so that AUTH on port 25 always succeeds, and
> it puts the mail they try to send into the spam trap. I get far more of those.

That's the case for why the connection was originally established. However, many of them are not that. They are between my FreeBSD servers. Those are not attacking. The real question is why those 4 sets of ?? instead of real values. What is causing that?

-- Doug
