Today I checked logs on my server and noticed that there are so many logs like:
2015-04-13 13:08:47 no host name found for IP address 210.51.188.252
2015-04-13 13:08:47 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[210.51.188.252] input=".\n\n"
2015-04-13 13:08:48 no host name found for IP address 210.51.188.252
2015-04-13 13:08:48 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[210.51.188.252] input=".\n\n"
2015-04-13 13:08:49 no host name found for IP address 210.51.188.252
2015-04-13 13:08:49 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[210.51.188.252] input=".\n\n"
2015-04-13 13:08:50 no host name found for IP address 210.51.188.252
2015-04-13 13:08:50 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[210.51.188.252] input=".\n\n"
Probably this looks like some kind of attack. How to avoid/secure this ?
Best Answer
These messages are likely from a spambot that is being blocked. It is unlikely to be an attack, although I have been experiencing some AUTH cracking attempts recently. This spam is being blocked at it is sending a command before your server has sent its banner. This is desirable behavior as it limits load on your server processing and filtering spam messages.
You could limit log messages by blocking this IP at the firewall, or by adjusting the log parameters. I would avoid manually blocking IP addresses, the the log messages are useful for monitoring spam traffic. I do use fail2ban rules that temporarily firewall servers like this one.
Unless the server is extremely misbehaved, I would expect the message to pass eventually. If you are not running a caching DNS server for your mail host, I would recommend configuring one. It should help with DNS lookups, as they can be repeated multiple times for the same message.