TCPIP "connected to" message

sergiortc
Normal user
Posts: 47
Joined: 2017-08-09 23:22

TCPIP "connected to" message

Post by sergiortc » 2020-06-22 18:31

I've been registering TCPIP messages of the form:

"TCPIP"	1444	"2020-06-20 00:03:01.352"	"TCP - 212.70.149.82 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:03:03.571"	"TCP - 212.70.149.50 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:03:32.055"	"TCP - 212.70.149.82 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:03:34.899"	"TCP - 212.70.149.50 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:04:02.727"	"TCP - 212.70.149.82 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:04:06.289"	"TCP - 212.70.149.50 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:04:33.399"	"TCP - 212.70.149.82 connected to MyServerIPHere:25."
"TCPIP"	1444	"2020-06-20 00:04:37.649"	"TCP - 212.70.149.50 connected to MyServerIPHere:25."
"TCPIP"	1228	"2020-06-20 00:05:01.196"	"TCP - 76.108.196.78 connected to MyServerIPHere:110."
"TCPIP"	1444	"2020-06-20 00:05:04.055"	"TCP - 212.70.149.82 connected to MyServerIPHere:25."

In just one day, 2801 times from 212.70.149.82 and 2740 times from 212.70.149.50.
Can anyone tell me what the exact meaning of this message is? In which way are those IPs connected to MyServerIPHere?
Is there something I can do to avoid this?
Thank you.

johang
Senior user
Posts: 323
Joined: 2008-09-01 09:20

Re: TCPIP "connected to" message

Post by johang » 2020-06-23 00:48

"TCPIP" 1444 "2020-06-20 00:04:33.399" "TCP - 212.70.149.82 connected to MyServerIPHere:25."
"TCPIP" 1444 "2020-06-20 00:04:37.649" "TCP - 212.70.149.50 connected to MyServerIPHere:25."

They connect to your port 25 (SMTP).

If you enable "SMTP" logging you can read what they do.
___________________________________________________________end of the line
spam filter appliance gateway: www.mailcleaner.org

mattg
Moderator
Posts: 21042
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TCPIP "connected to" message

Post by mattg » 2020-06-23 05:02

and perhaps add more logging to see if they are testing your server for security, or perhaps doing a dictionary attack trying to guess passwords
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

johang
Senior user
Posts: 323
Joined: 2008-09-01 09:20

Re: TCPIP "connected to" message

Post by johang » 2020-06-23 16:04

sergiortc wrote (2020-06-22 18:31):
"Is there something I can do to avoid this?"

If your mail server is on the internet ... anyone and all can reach it.

Autoban will place the offending IP in quarantine (as per whatever your configuration is; personally I lock them out for a year),
but that does not stop them from trying to connect and showing up in your hMailServer log.

On this forum you can find ways of putting those IPs into the firewall of your Windows machine. They will still try to connect, but they won't get into the hMailServer log.
And if you have a firewall/router outside of that, you could always filter away those IPs even further out.

I think I manually blocked that /24 in my Windows firewall a month ago myself.
https://apps.db.ripe.net/db-web-ui/quer ... ource=RIPE
___________________________________________________________end of the line
spam filter appliance gateway: www.mailcleaner.org
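
An added example, not part of any post in this thread and not hMailServer code: one way to turn the "connected to" lines into per-source and per-/24 counts, so an operator can see which addresses or ranges are worth an autoban or firewall rule. It assumes the tab-separated, four-field layout quoted in the first post; the sample lines, the function names and the threshold are constructed for illustration.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample in the tab-separated layout quoted in the thread.
# All addresses are documentation ranges (RFC 5737), not real sources.
SAMPLE_LOG = "\n".join([
    '"TCPIP"\t1444\t"2020-06-20 00:03:01.352"\t"TCP - 192.0.2.82 connected to 203.0.113.10:25."',
    '"TCPIP"\t1444\t"2020-06-20 00:03:03.571"\t"TCP - 192.0.2.50 connected to 203.0.113.10:25."',
    '"TCPIP"\t1444\t"2020-06-20 00:03:32.055"\t"TCP - 192.0.2.82 connected to 203.0.113.10:25."',
    '"TCPIP"\t1444\t"2020-06-20 00:03:34.899"\t"TCP - 192.0.2.50 connected to 203.0.113.10:25."',
    '"TCPIP"\t1228\t"2020-06-20 00:05:01.196"\t"TCP - 198.51.100.78 connected to 203.0.113.10:110."',
    '"TCPIP"\t1444\t"2020-06-20 00:05:04.055"\t"TCP - 192.0.2.82 connected to 203.0.113.10:25."',
    '"DEBUG"\t1444\t"2020-06-20 00:05:04.060"\t"constructed non-TCPIP line"',
])

CONNECT_RE = re.compile(r"^TCP - (\S+) connected to \S+:(\d+)\.$")


def parse_connections(text):
    """Yield (source_ip, dest_port) for each TCPIP 'connected to' line."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        is_tcpip = len(row) == 4 and row[0] == "TCPIP"
        match = CONNECT_RE.match(row[3]) if is_tcpip else None
        if not match:
            continue  # other log types or damaged lines
        try:
            yield ipaddress.ip_address(match.group(1)), int(match.group(2))
        except ValueError:
            continue  # source field was not a valid IP address


def summarise(text, port=25, threshold=3):
    """Count connections to `port` per source IP and per /24 (/64 for IPv6);
    return only the entries at or above `threshold`."""
    per_ip, per_net = Counter(), Counter()
    for src, dport in parse_connections(text):
        if dport != port:
            continue
        prefix = 24 if src.version == 4 else 64
        per_ip[str(src)] += 1
        per_net[str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))] += 1
    noisy_ips = {ip: n for ip, n in per_ip.items() if n >= threshold}
    noisy_nets = {net: n for net, n in per_net.items() if n >= threshold}
    return noisy_ips, noisy_nets


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On the sample, one address falls below the threshold on its own but its /24 does not, which is the case where a range-level firewall rule is more useful than per-IP bans.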

sergiortc
Normal user
Posts: 47
Joined: 2017-08-09 23:22

Re: TCPIP "connected to" message

Post by sergiortc » 2020-06-26 18:45

Thank you, Johang and mattg.
I will add more logging and try to dig further.

sergiortc
Normal user
Posts: 47
Joined: 2017-08-09 23:22

Re: TCPIP "connected to" message

Post by sergiortc » 2020-07-08 19:30

I enabled the Debug log for an hour and found that virtually all messages of the type

"TCPIP" 1444 "2020-06-20 00:03:01.352" "TCP - 212.70.149.82 connected to MyServerIPHere:25."

are followed by the message:

"Client connection from 212.70.149.82 was not accepted. Blocked either by IP range or by connection limit."

Only valid users are being allowed to connect successfully.

Thanks.

RvdH
Senior user
Posts: 1113
Joined: 2008-06-27 14:42
Location: Netherlands

Re: TCPIP "connected to" message

Post by RvdH » 2020-07-08 20:41

CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
