Kerio Connect: Messages in the Security Log and what they mean

Find below a list of messages that can appear in the security log of Kerio Connect 8.0 and what they mean:

SMTP Spam attack detected from 85.51.174.157, client closed connection before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) hasn't waited the 25 seconds (or whatever is configured in Spam Repellent) for the SMTP greeting. It closed the connection too early. This is indicative of bot net Spam as normal mail servers would not do that.

SMTP Spam attack detected from 69.94.153.232, client sent data before SMTP greeting

This message only appears if Spam Repellent is switched on. It means that the client (sending mail server) hasn't waited the 25 seconds (or whatever is configured in Spam Repellent) until the SMTP greeting appears. It has started to send commands (such as HELO) and data too early. This is indicative of bot net Spam as normal mail servers would not do that.

IP address 93.85.133.206 found in DNS blacklist SPAMHAUS ZEN, mail from <sendername@senderdomain.com> to <myname@mydomain.org> rejected

The IP address of the client (sending mail server) is in the indicated black list and is blocked immediately. It will not be allowed to transmit the mail.

IP address 72.9.146.151 found in DNS blacklist UCEPROTECT L1, mail from <sendername@senderdomain.com> to <myname@mydomain.org>

The IP address of the client (sending mail server) is in the indicated black list, but it is allowed to be delivered. Some Spam score will be added to the message.

Relay attempt from IP address 72.9.146.151, mail from <sendername@senderdomain.com> to <recipient@notmydomain.net> rejected

As the recipient domain is not a domain that the mail server is responsible for it will discard the message. If the client had authenticated, the message would have been allowed. This is to prevent relaying of Spam.

Message from IP address 195.245.231.144, sender <sendername@mydomain.org> rejected: sender domain requires authentication

As the sender domain is hosted on the mail server, the client must authenticate to send the message. This is to prevent sender address spoofing. Without authentication, the message is blocked.

Message from IP address 186.28.185.93, sender <sendername@senderdomain.com> rejected: sender domain does not exist

The message is blocked because the sender domain does not exist.

Message from IP address 72.38.232.36, sender <sendername@senderdomain.com> temporarily rejected: sender domain does not resolve

The message is temporarily blocked because the sender domain does not resolve. This means that the domain exists, but the authoritative DNS servers are not responding.

Attempt to deliver to unknown recipient <unknown@mydomain.org>, from <sendername@senderdomain.com>, IP address 217.200.184.87

The message is blocked as there is no recipient with that name on  the recipient domain.

Client with IP address 202.85.222.166 has no reverse DNS entry, connection rejected before SMTP greeting

The IP address of the client (sending mail server) has no reverse DNS entry (PTR record), the message is blocked. A valid mail server must have a reverse DNS entry.

SPF check failed: The IP address '210.68.71.113' is not in permitted set for sender 'sendername@senderdomain.com' (FAIL)

The sender domain has an SPF (Sender Policy Framework) record setup in its DNS and it indicates that the client IP address is not a valid sender for that domain. The message is accepted but a Spam score is added to it.

Message from <sendername@routemails.top> rejected by header filter: From address contains domain *.top

A custom anti-spam rule has been set up to reject mails that meet a certain criteria. In this example, any mail where the sender uses the .top TLD is rejected.

Leave a Reply

Your email address will not be published. Required fields are marked *