Log report is reporting a lot of these lately.. following is just a short snippet from the beginning on one server.
WARNING!!!! Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I should be concerned?
This is happening on both my CentOS 3 and 4 systems, all running Sendmail.
Thanks, John Hinton
John Hinton wrote:
Log report is reporting a lot of these lately.. following is just a short snippet from the beginning on one server.
WARNING!!!! Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I should be concerned?
To me it looks like something/someone looking for valid email addresses - perhaps to use in an effort to defeat spam filters. It'd be interesting to see what sort of conversation takes place between your server and the attacker, and how close together time-wise these are occurring.
I notice the first 5 warnings are from the Czech Republic, and the last one is from Spain. Are you getting these from world wide addresses or just these two countries?
David Ellsmore wrote:
John Hinton wrote:
Log report is reporting a lot of these lately.. following is just a short snippet from the beginning on one server.
WARNING!!!! Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I should be concerned?
To me it looks like something/someone looking for valid email addresses - perhaps to use in an effort to defeat spam filters. It'd be interesting to see what sort of conversation takes place between your server and the attacker, and how close together time-wise these are occurring.
I notice the first 5 warnings are from the Czech Republic, and the last one is from Spain. Are you getting these from world wide addresses or just these two countries?
I just snipped out the first five so as not to clog the list. They are mostly coming from the Baltic region of the world (what the heck country is a .il tld?)... a lot from that one. But also a fair representation from the largest spamming network in the world.. Verizon, who doesn't care one bit.
In almost every case, they are making three attempts.. but I have sendmail set to pause receiving from a network after 2 bad attempts, so maybe this would be worse without that entry? I don't really know the flow of attempts like this on my system.
define(`confBAD_RCPT_THROTTLE', `2')dnl
Best, John Hinton
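An added example, not code from the thread or from logwatch/Sendmail: a small Python script that parses report lines in the format quoted above and tallies the Time(s) column by TLD, by owning domain and by IP, which is the quickest way to answer the "world wide or just these two countries" question across a whole report. The sample report is constructed from the hostnames posted in the thread; the per-line Time(s) values and the helper names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the logwatch/Sendmail report quoted in the
# thread: hostnames and addresses are the posted ones, the Time(s) values are made up.
SAMPLE_REPORT = """\
WARNING!!!! Possible Attack:
    Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: command=HELO/EHLO, count=3 : 1 Time(s)
    Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
    Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 1 Time(s)
    Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 2 Time(s)
"""

# One "Attempt from" record: reverse-DNS name, IP, SMTP command, the per-connection
# count (the thread explains count=3 as two bad HELO/EHLO followed by a real one)
# and how many times that exact line was seen in the reporting period.
ATTEMPT_RE = re.compile(
    r"Attempt from (?P<host>\S+) \[(?P<ip>[\d.]+)\] with: "
    r"command=(?P<command>\S+), count=(?P<count>\d+) : (?P<times>\d+) Time\(s\)"
)

def parse_report(text):
    """Return one dict per 'Attempt from' line; other report lines are ignored."""
    records = []
    for m in ATTEMPT_RE.finditer(text):
        rec = m.groupdict()
        rec["count"], rec["times"] = int(rec["count"]), int(rec["times"])
        records.append(rec)
    return records

def registered_domain(host):
    """Approximate the owning network by the last two labels (iol.cz, rima-tde.net).
    Assumption: good enough for a quick tally, not a public-suffix-aware split."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def tally(records, key="domain"):
    """Sum Time(s) per 'domain' (last two labels), 'tld' (last label) or 'ip'."""
    totals = Counter()
    for rec in records:
        if key == "domain":
            k = registered_domain(rec["host"])
        elif key == "tld":
            k = rec["host"].rstrip(".").rsplit(".", 1)[-1]
        else:
            k = rec["ip"]
        totals[k] += rec["times"]
    return totals
```

Feed it the full logwatch mail instead of SAMPLE_REPORT and `tally(recs, "tld").most_common()` gives the country spread; `tally(recs, "ip")` shows which single hosts keep coming back.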
Quoting John Hinton webmaster@ew3d.com:
David Ellsmore wrote:
John Hinton wrote:
Log report is reporting a lot of these lately.. following is just a short snippet from the beginning on one server.
WARNING!!!! Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I should be concerned?
To me it looks like something/someone looking for valid email addresses - perhaps to use in an effort to defeat spam filters. It'd be interesting to see what sort of conversation takes place between your server and the attacker, and how close together time-wise these are occurring.
I notice the first 5 warnings are from the Czech Republic, and the last one is from Spain. Are you getting these from world wide addresses or just these two countries?
I just snipped out the first five so as not to clog the list. They are mostly coming from the Baltic region of the world (what the heck country is a .il tld?)... a lot from that one. But also a fair representation from the largest spamming network in the world.. Verizon, who doesn't care one bit.
The .il TLD is Israel.
In almost every case, they are making three attempts.. but I have sendmail set to pause receiving from a network after 2 bad attempts, so maybe this would be worse without that entry? I don't really know the flow of attempts like this on my system.
Just ignore them. If you were to increase the logging level, you'd see that the first two attempts were either empty or using a URL-like argument preceded by a bar (attempts EHLO, then HELO). After that it reattempts with the real host name, but by that time the count gets to three and Sendmail logs the warning.
On Fri, 2006-11-10 at 09:45 -0500, John Hinton wrote:
Log report is reporting a lot of these lately.. following is just a short snippet from the beginning on one server.
WARNING!!!! Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] with: command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I should be concerned?
This is happening on both my CentOS 3 and 4 systems, all running Sendmail.
Not sure but I do know that hosts on the rima-tde.net network always try to send me tons of spam and rima-tde.net does not act upon any spam report. My logs show that rima-tde.net and tpnet.pl score top place when it comes to spam attempts from European hosts. Haven't seen iol.cz in my logs but I will keep an eye on them too.
Regards, Patrick