ohprs.org is our domain, this is the Ohio Highway Patrol Retirement System. I am subscribed with mxtoolbox.com which provides a similar service to your suggested mailradar.com.
Here's a possibility ...
In digging into the logfiles I noticed a one-to-one timestamp correlation between the saslauthd messages in /var/log/messages and messages in /var/log/maillog. For example, for the message shown in my OP in /var/log/messages posted at Feb 17 00:06:24, I have a time-corresponding message in /var/log/maillog:
Code:
Feb 17 00:06:24 mail sm-mta[31592]: v1H56NAR031592: [94.102.56.181] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
I'm thinking these are related. It's not a perfect one-to-one, but some of the saslauthd messages that are clustered together (within a few seconds of each other) have the message in /var/log/maillog:
Code:
Feb 13 02:44:23 mail sm-mta[28228]: v1D7iHdr028228: [222.110.153.146]: possible SMTP attack: command=AUTH, count=5
followed by a "did not issue" message, which I'm guessing means that the perpetrator can try several times within some time range or retry range (notice the "count=5" bit) before the attempt is logged in maillog.
If what I'm observing is correct, these saslauthd failures do ultimately make it to maillog, but there is no obvious correlation between the log events, other than this not-always-one-to-one timestamp correlation.
What do you think?
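One way to make the timestamp correlation described in this post mechanical, as an added example that is not part of the original post or of sendmail/saslauthd: parse both logs, find the saslauthd auth failures in /var/log/messages, and attach to each one the sm-mta events from /var/log/maillog ("possible SMTP attack: command=AUTH, count=N" and "did not issue MAIL/EXPN/VRFY/ETRN") that fall within a few seconds of it. The sample log lines are constructed for this example (TEST-NET-1 addresses, a fixed year since syslog timestamps carry none), the saslauthd line layout is assumed to be the usual "do_auth : auth failure: [user=...] [service=...]" form, and the 5-second window is an assumption you would tune against your own logs.

```python
import re
from datetime import datetime

# Constructed sample lines for this example (not from the poster's system).
# The sm-mta lines follow the two shapes quoted in the post; the saslauthd
# lines follow the usual "auth failure: [user=..] [service=..]" layout.
MESSAGES_SAMPLE = """\
Feb 17 00:06:22 mail saslauthd[1122]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 17 00:06:24 mail saslauthd[1122]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 17 03:15:00 mail saslauthd[1122]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 17 03:16:00 mail kernel: unrelated line that must be ignored
"""

MAILLOG_SAMPLE = """\
Feb 17 00:06:20 mail sm-mta[31592]: v1H56NAR031592: [192.0.2.10]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:06:24 mail sm-mta[31592]: v1H56NAR031592: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 17 09:00:00 mail sm-mta[31600]: v1HE00AB031600: [192.0.2.20] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# "Mon DD HH:MM:SS host process[pid]: message" (pid is optional)
SYSLOG_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
SASL_FAIL = re.compile(r"auth failure: \[user=([^\]]*)\]")
# "[ip]: possible SMTP attack ..." and "[ip] did not issue ..." both match here
SMTA_EVENT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:? (.*)$")


def parse_syslog(text, year=2017):
    """Yield (timestamp, process, message) for each well-formed syslog line.
    Syslog timestamps have no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def sasl_failures(messages_text, year=2017):
    """Extract saslauthd authentication failures from /var/log/messages."""
    out = []
    for ts, proc, msg in parse_syslog(messages_text, year):
        if proc != "saslauthd":
            continue
        m = SASL_FAIL.search(msg)
        if m:
            out.append({"ts": ts, "user": m.group(1)})
    return out


def smta_events(maillog_text, year=2017):
    """Extract the two sendmail events the post discusses from /var/log/maillog."""
    out = []
    for ts, proc, msg in parse_syslog(maillog_text, year):
        if proc != "sm-mta":
            continue
        m = SMTA_EVENT.search(msg)
        if not m:
            continue
        ip, rest = m.group(1), m.group(2)
        if rest.startswith("possible SMTP attack"):
            kind = "auth-burst"
            cnt = re.search(r"count=(\d+)", rest)
            count = int(cnt.group(1)) if cnt else None
        elif rest.startswith("did not issue"):
            kind = "no-mail-command"
            count = None
        else:
            continue
        out.append({"ts": ts, "ip": ip, "kind": kind, "count": count})
    return out


def correlate(messages_text, maillog_text, window_seconds=5, year=2017):
    """Attach to each saslauthd failure every sm-mta event whose timestamp
    lies within +/- window_seconds of it. One record per failure."""
    events = smta_events(maillog_text, year)
    records = []
    for fail in sasl_failures(messages_text, year):
        matched = [e for e in events
                   if abs((e["ts"] - fail["ts"]).total_seconds()) <= window_seconds]
        records.append({**fail, "matches": matched})
    return records


def ip_summary(records):
    """Count correlated saslauthd failures per remote IP; failures with no
    maillog event inside the window are counted under 'unmatched'."""
    summary = {}
    for r in records:
        if not r["matches"]:
            summary["unmatched"] = summary.get("unmatched", 0) + 1
            continue
        for ip in {e["ip"] for e in r["matches"]}:
            summary[ip] = summary.get(ip, 0) + 1
    return summary


if __name__ == "__main__":
    recs = correlate(MESSAGES_SAMPLE, MAILLOG_SAMPLE)
    for r in recs:
        kinds = [(e["ip"], e["kind"]) for e in r["matches"]]
        print(r["ts"], r["user"], kinds or "no maillog event within window")
    print(ip_summary(recs))
```

The useful output is the per-IP summary: a saslauthd failure that lines up with a "possible SMTP attack: command=AUTH" burst from the same second or two gives you the remote address that /var/log/messages alone never names, while an "unmatched" count tells you how often the two logs do not line up at all, which is exactly the not-always-one-to-one behaviour the post describes.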