David Ellsmore wrote:
John Hinton wrote:
Log report is reporting a lot of these lately.. following is just a
short snippet from the beginning on one server.
WARNING!!!!
Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net
[80.34.151.144] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I
should be concerned?
To me it looks like something/someone looking for valid email
addresses - perhaps to use in an effort to defeat spam filters. It'd
be interesting to see what sort of conversation takes place between
your server and the attacker, and how close together time wise these
are occuring.
I notice the first 5 warnings are from the Czech Republic, and the
last one is from Spain. Are you getting these from world wide
addresses or just these two countries?
I just snipped out the first five so as not to clog the list. They are
mostly coming from the baltic region of the world (what the heck country
is a .il tld?)... a lot from that one. But also a fair representation
from the largest spamming network in the world.. verizon who doesn't
care one bit.
Almost in every case, they are making three attempts.. but I have
sendmail set to pause receiving from a network after 2 bad attempts, so
maybe this would be worse without that entry? I don't really know the
flow of attempts like this on my system.
define(`confBAD_RCPT_THROTTLE', `2')dnl
Best,
John Hinton
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
