"Too many unrecognized commands" in email server
-
I did a search but don't see any posts yet on "Too many unrecognized commands". I recently found two log entries today back to back on the "Denied" filter. What does this mean, out of curiosity? I've never seen it before.
Connection from 192.210.232.91 denied. Too many unrecognized commands
Here's a sample log entry for it:
{ "ts": 1616817378209, "type": "denied", "direction": "inbound", "uuid": "", "remote": { "ip": "192.210.232.91", "port": 57734, "host": "192-210-232-91-host.colocrossing.com", "info": "192-210-232-91-host.colocrossing.com", "closed": false, "is_private": false, "is_local": false }, "authUser": null, "mailFrom": null, "rcptTo": null, "details": { "relaying": false, "pluginName": "limit", "errorCode": 909, "message": "Too many unrecognized commands", "rejectionCountLastHour": 0 } }
Judging by the host name, it seems spammy in nature.
I read http://www.experts123.com/q/what-does-the-error-too-many-unrecognized-commands-mean.html and https://wiki.contribs.org/Qpsmtpd:count_unrecognized_commands and they seem to suggest the root cause is abuse coming from an HTTP proxy / server to my mail server.
Is this something I need to be concerned with, or anything I need to do at this point? Or is it basically fully handled by Haraka so no need to go further on it? Just trying to determine if I need to have a bit of a backup plan in case it continues or gets worse down the road.
(maybe this should be under the Discussion category, wasn't certain)
-
@d19dotca That string comes from the limit plugin we use in Haraka - https://github.com/haraka/haraka-plugin-limit#unrecognized_commands . Usually, it is a mail client connecting to the server and sending commands that the server is not expecting. It's hard to tell from the log itself as to what the commands are, one has to look into the logs and sometimes one has to raise the Haraka debug level to "data" (but these cause logs to be super verbose).
-
@girish said in "Too many unrecognized commands" in email server:
https://github.com/haraka/haraka-plugin-limit#unrecognized_commands
Awesome. Thanks Girish. I guess that's good then, sounds like it's doing its job properly so I won't worry too much. I was just wondering if I needed a bit of a "backup plan" in case it got worse or indicated a kind of "attack", but seems that may not be the case as I haven't seen too many of them yet, just a handful.
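Added example, not part of the thread and not Cloudron or Haraka code: a small Node.js script that tallies these denials per remote IP from log entries shaped like the one quoted above, to show whether they stay at a handful or start clustering. The one-entry-per-line input, the one-hour window, the threshold of 3 and the function name are assumptions made for the example.

```javascript
// Constructed sample input in the shape of the log entry quoted in the thread.
// Only the first entry's ts and IP come from the post; everything else is made up.
const MSG = 'Too many unrecognized commands';
const mk = (ts, ip, pluginName = 'limit', message = MSG) => JSON.stringify({
  ts, type: 'denied', direction: 'inbound', remote: { ip },
  details: { pluginName, errorCode: 909, message },
});
const SAMPLE_LOG = [
  mk(1616817378209, '192.210.232.91'),
  mk(1616817379300, '192.210.232.91'),
  mk(1616820000000, '198.51.100.7'),
  mk(1616820600000, '198.51.100.7'),
  mk(1616821200000, '198.51.100.7'),
  mk(1616900000000, '198.51.100.7'),
  mk(1616821300000, '203.0.113.9', 'other_plugin', 'Some other rejection'),
  '{"ts": 16168',                       // truncated line, must be skipped
];

// Count "Too many unrecognized commands" denials per remote IP and compute the
// largest number seen inside any window of windowMs (sliding window over ts).
function unrecognizedCommandReport(lines, { windowMs = 3600000, threshold = 3 } = {}) {
  const byIp = new Map();
  let skipped = 0;
  for (const line of lines) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch { skipped++; continue; }
    const ip = e && e.remote && e.remote.ip;
    const d = e && e.details;
    if (typeof (e && e.ts) !== 'number' || !ip || !d) { skipped++; continue; }
    if (e.type !== 'denied' || d.pluginName !== 'limit' || d.message !== MSG) continue;
    if (!byIp.has(ip)) byIp.set(ip, []);
    byIp.get(ip).push(e.ts);
  }
  const rows = [];
  for (const [ip, stamps] of byIp) {
    stamps.sort((a, b) => a - b);
    let burst = 0;
    for (let lo = 0, hi = 0; hi < stamps.length; hi++) {
      while (stamps[hi] - stamps[lo] > windowMs) lo++;   // shrink window from the left
      burst = Math.max(burst, hi - lo + 1);
    }
    rows.push({ ip, total: stamps.length, burst, flagged: burst >= threshold });
  }
  rows.sort((a, b) => b.total - a.total || a.ip.localeCompare(b.ip));
  return { rows, skipped };
}

console.table(unrecognizedCommandReport(SAMPLE_LOG).rows);
```

A flagged address is one worth looking at in the full mail logs; the report itself says nothing about which commands were sent.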