On Thu, 20 Sep 2012, James B. Byrne wrote:
Recently we began seeing lots of these log entries on our off-site mx smtp host. I have googled this but I am not clear from what I have read if this is something we can stop altogether or should even worry about.

WARNING!!!! Possible Attack: Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104] with: command=HELO/EHLO, count=3: 1 Time(s)
My understanding is that this is indicative of a (almost certainly malicious) SMTP client trying different HELO or EHLO identities within the same session. Sendmail is hard-coded to reject the connection after three HELO/EHLO commands.
So you've got a dynamic address (83.50.106.104) trying to identify itself as three different hostnames -- and finally Sendmail gets angry and slams the door.
If you've configured a blacklist service like spamhaus, you're likely to see the 'possible SMTP attack' warning shortly after Sendmail has already rejected mail from the remote host, e.g.,
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3

--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
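As an added example (not part of the thread), the following script triages the two sendmail message types discussed above: it pairs each "possible SMTP attack: command=HELO/EHLO" warning with any check_relay DNSBL rejection for the same client IP, so that hosts the blacklist already stopped can be separated from those that only tripped the HELO/EHLO limit. The third log line, its queue ID and timestamp are constructed for illustration; the others are the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Two lines quoted in the thread, plus one constructed line (queue ID and time are
# made up) for a host that hit the HELO/EHLO limit without a preceding DNSBL reject.
SAMPLE_LOG = """\
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 12:03:10 myserv sendmail[17002]: q7JJ3AaB017002: 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104]: possible SMTP attack: command=HELO/EHLO, count=3
"""

# check_relay rejection: "relay=<name> [<ip>], reject=<code> <dsn> ..."
RELAY_RE = re.compile(r"relay=\S+ \[(?P<ip>[\d.]+)\], reject=(?P<code>\d{3} \S+)")
# HELO/EHLO limit: "<name> [<ip>]: possible SMTP attack: command=<cmd>, count=<n>"
ATTACK_RE = re.compile(
    r"\[(?P<ip>[\d.]+)\]: possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)"
)


def summarize(log_text):
    """Group rejections and attack warnings by client IP.

    Returns {ip: {"rejects": [reject codes], "attacks": [(command, count)]}}.
    """
    hosts = defaultdict(lambda: {"rejects": [], "attacks": []})
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            hosts[m["ip"]]["rejects"].append(m["code"])
            continue
        m = ATTACK_RE.search(line)
        if m:
            hosts[m["ip"]]["attacks"].append((m["cmd"], int(m["count"])))
    return dict(hosts)


def already_blocked(summary):
    """IPs whose HELO/EHLO warning came alongside a check_relay reject: the DNSBL
    already refused their mail, so the warning needs no further action."""
    return {ip for ip, h in summary.items() if h["attacks"] and h["rejects"]}


def unblocked_attackers(summary):
    """IPs that hit the HELO/EHLO limit but were never rejected by check_relay;
    these are the ones worth reviewing for a local access-map or firewall entry."""
    return {ip for ip, h in summary.items() if h["attacks"] and not h["rejects"]}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("blocked by DNSBL already:", sorted(already_blocked(s)))
    print("HELO/EHLO limit only:    ", sorted(unblocked_attackers(s)))
```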
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos