terry white wrote:

> i'm starting to see a lot of the following.
>
> and i'm not thinking it a good thing ...
>
> muedsl-82-207-247-115.citykom.de [82.207.247.115]: possible SMTP attack:
> command=HELO/EHLO, count=3
> IGLD-83-130-135-36.inter.net.il [83.130.135.36]: possible SMTP attack:
> command=HELO/EHLO, count=3
> bzq-88-153-185-136.red.bezeqint.net [88.153.185.136]: possible SMTP attack:
> command=HELO/EHLO, count=3
> bzq-88-152-204-198.red.bezeqint.net [88.152.204.198]: possible SMTP attack:
> command=HELO/EHLO, count=3
> 89.1.170.41.dynamic.barak-online.net [89.1.170.41]: possible SMTP attack:
> command=HELO/EHLO, count=3

Nothing worth worrying about. If you run your own inbound mail server, it will inevitably be subjected to various attacks.

The above indicates that a client sent 3 or more HELO/EHLO commands (which shouldn't occur in normal use), so sendmail has started throttling the connection. Once a command is issued too many times, sendmail adds a delay to each command that it processes. The delay starts at one second then doubles with each subsequent command, up to a maximum of four minutes. This prevents you getting DoS'd by brute-force attacks.

I'm not entirely sure what an attacker can achieve through multiple HELO/EHLO commands. It might be a DoS against a third-party's DNS, or it might be attempting to exploit a flaw in specific MTA software.

--
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
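As an added illustration (not part of the thread, and not sendmail's own code), the following Python parses "possible SMTP attack" lines of the kind quoted above, aggregates them per client IP so repeat sources stand out, and models the throttling schedule exactly as Glynn describes it (one second, doubling, capped at four minutes). The sample log reuses the quoted lines plus one constructed repeat; the regex assumes any syslog prefix has already been stripped.

```python
import re
from collections import defaultdict

# Sample log: the lines quoted in the thread plus one constructed repeat
# (a second report for the same source with a higher count) to exercise aggregation.
SAMPLE_LOG = """\
muedsl-82-207-247-115.citykom.de [82.207.247.115]: possible SMTP attack: command=HELO/EHLO, count=3
IGLD-83-130-135-36.inter.net.il [83.130.135.36]: possible SMTP attack: command=HELO/EHLO, count=3
bzq-88-153-185-136.red.bezeqint.net [88.153.185.136]: possible SMTP attack: command=HELO/EHLO, count=3
bzq-88-153-185-136.red.bezeqint.net [88.153.185.136]: possible SMTP attack: command=HELO/EHLO, count=7
89.1.170.41.dynamic.barak-online.net [89.1.170.41]: possible SMTP attack: command=HELO/EHLO, count=3
"""

# Matches the message body as quoted above (syslog timestamp/host prefix assumed stripped).
ATTACK_RE = re.compile(
    r"^(?P<host>\S+) \[(?P<ip>[^\]]+)\]: possible SMTP attack: "
    r"command=(?P<cmd>[^,]+), count=(?P<count>\d+)$"
)

def parse_attack_lines(text):
    """Return one dict per 'possible SMTP attack' line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ATTACK_RE.match(line.strip())
        if m:
            events.append({"host": m["host"], "ip": m["ip"],
                           "cmd": m["cmd"], "count": int(m["count"])})
    return events

def summarize_by_source(events):
    """Per client IP: number of reports logged and the highest count seen."""
    summary = defaultdict(lambda: {"host": None, "reports": 0, "max_count": 0})
    for e in events:
        s = summary[e["ip"]]
        s["host"] = e["host"]
        s["reports"] += 1
        s["max_count"] = max(s["max_count"], e["count"])
    return dict(summary)

def repeat_offenders(events, min_reports=2):
    """IPs reported at least min_reports times, i.e. candidates for a firewall rule."""
    return sorted(ip for ip, s in summarize_by_source(events).items()
                  if s["reports"] >= min_reports)

def throttle_delay(n, first=1.0, cap=240.0):
    """Seconds of delay before the n-th throttled command: 1s, doubling, capped at 4 min."""
    return min(first * 2 ** (n - 1), cap)

def cumulative_delay(n, first=1.0, cap=240.0):
    """Total seconds an abusive client spends waiting over n throttled commands."""
    return sum(throttle_delay(i, first, cap) for i in range(1, n + 1))
```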