On 02/08/2019 15:07, Fred Smith wrote: > > and I didn't even mention the huge number of failed attempts on port > 25. /var/log/maillog is full of systems trying to send spam, or trying > to DOS me with incompleted connection attempts, or just plain spamming > with mail for addresses not at this system. The little light on the > network switch serving this machine hardly ever stops blinking with all > the traffic hitting it. > > One thing I don't understand is how/why the firewall is DROPping so > many attempts on port 25 when it in fact has a port forward rule > sending port 25 on to my mailserver. How does it know, or why does > it think that some of them can be dropped at the outer barrier? Some spamming tools are just telnet with an expect script, lightweight and can be loaded onto embedded systems, e.g. other firewalls / modems etc... A downside of using these tools is that telnet sets the PUSH TCP flag, so many firewalls (e.g. Cisco ASA) have protocol inspection for SMTP and signals the connection as invalid. if it uses the PUSH TCP flag, which a proper SMTP daemon wouldn't use for that protocol (PUSH flags ask the server to service the sent data, even if it hasn't finished with a CR/LF)