Recently we began seeing lots of these log entries on our off-site mx smtp host. I have googled this but I am not clear from what I have read if this is something we can stop altogether or should even worry about.
Comments?
Logwatch. . .
--------------------- sendmail Begin ------------------------
SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS ------------------------------------------
WARNING!!!! Possible Attack: Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104] with: command=HELO/EHLO, count=3: 1 Time(s)
James B. Byrne wrote:
> Recently we began seeing lots of these log entries on our off-site mx smtp host. I have googled this but I am not clear from what I have read if this is something we can stop altogether or should even worry about.
> Comments?
I'm not real good with smtp, but it looks as though someone from Spain is trying to directly connect to your smtp server. Unless you know that they're legitimately using your system, I'd block that IP now.
fail2ban's your friend....
mark
> Logwatch. . .
> --------------------- sendmail Begin ------------------------
> SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS
> WARNING!!!! Possible Attack: Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104] with: command=HELO/EHLO, count=3: 1 Time(s)
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Thu, 20 Sep 2012, James B. Byrne wrote:
> Recently we began seeing lots of these log entries on our off-site mx smtp host. I have googled this but I am not clear from what I have read if this is something we can stop altogether or should even worry about.
> WARNING!!!! Possible Attack: Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104] with: command=HELO/EHLO, count=3: 1 Time(s)
My understanding is that this is indicative of an (almost certainly malicious) SMTP client trying different HELO or EHLO identities within the same session. Sendmail is hard-coded to reject the connection after three HELO/EHLO commands.
So you've got a dynamic address (83.50.106.104) trying to identify itself as three different hostnames -- and finally Sendmail gets angry and slams the door.
If you've configured a blacklist service like spamhaus, you're likely to see the 'possible SMTP attack' warning shortly after Sendmail has already rejected mail from the remote host, e.g.,
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3
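An added example, not from the thread and not part of sendmail or fail2ban, that ties mark's fail2ban suggestion to the two log lines quoted in the last reply. It parses sendmail's "possible SMTP attack" lines, counts them per client IP with a fail2ban-style maxretry/findtime rule, and notes which of those IPs had already been rejected by the check_relay DNSBL ruleset. The two regexes are modelled on the exact lines quoted above; the sample log is constructed (queue ids, the 192.0.2.7 host and the extra timestamps are made up), and the threshold and window values are arbitrary choices for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern modelled on the sendmail line quoted in the thread:
#   ... sendmail[PID]: QUEUEID: host [ip]: possible SMTP attack: command=HELO/EHLO, count=3
ATTACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"\w+: (?P<relay>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)$"
)

# Pattern modelled on the check_relay DNSBL rejection quoted in the thread.
DNSBL_RE = re.compile(
    r"ruleset=check_relay, .*relay=\S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\], reject=550"
)

# Constructed sample log: the first two lines are the ones quoted in the thread,
# the rest are made up (queue ids CONSTRUCTEDIDnn, host 192.0.2.7 from TEST-NET).
SAMPLE_LOG = """\
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:47:30 myserv sendmail[16822]: CONSTRUCTEDID03: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:52:10 myserv sendmail[16901]: CONSTRUCTEDID04: 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:53:40 myserv sendmail[16903]: CONSTRUCTEDID05: 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 12:30:00 myserv sendmail[17210]: CONSTRUCTEDID06: mail.example.net [192.0.2.7]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 13:20:05 myserv sendmail[17655]: CONSTRUCTEDID07: 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 14:00:00 myserv sendmail[17690]: CONSTRUCTEDID08: mail.example.net [192.0.2.7]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 14:05:12 myserv sendmail[17702]: CONSTRUCTEDID09: from=<alice@example.net>, size=1234, class=0, nrcpts=1, relay=mail.example.net [192.0.2.7]
"""


def _parse_ts(text):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for measuring the gap between events in one log file.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_attack_events(log_text):
    """Return (timestamp, ip, relay, count) for every 'possible SMTP attack' line."""
    events = []
    for line in log_text.splitlines():
        m = ATTACK_RE.match(line)
        if m:
            events.append((_parse_ts(m["ts"]), m["ip"], m["relay"], int(m["count"])))
    return events


def dnsbl_rejected_ips(log_text):
    """IPs that sendmail's check_relay ruleset already rejected via a DNSBL."""
    return {m["ip"] for m in (DNSBL_RE.search(l) for l in log_text.splitlines()) if m}


def repeat_offenders(events, threshold=2, window=timedelta(minutes=10)):
    """IPs with at least `threshold` attack events inside some `window`,
    the same maxretry/findtime idea fail2ban applies before banning."""
    by_ip = defaultdict(list)
    for ts, ip, _relay, _count in events:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders[ip] = len(times)  # total events seen for that IP
                break
    return offenders


def report(log_text, threshold=2, window=timedelta(minutes=10)):
    """Offending IPs with their event total and whether a DNSBL already caught them."""
    events = parse_attack_events(log_text)
    already = dnsbl_rejected_ips(log_text)
    return {ip: {"events": n, "dnsbl_rejected": ip in already}
            for ip, n in repeat_offenders(events, threshold, window).items()}


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        flag = "already DNSBL-rejected" if info["dnsbl_rejected"] else "not on DNSBL"
        print(f"{ip}: {info['events']} HELO/EHLO-abuse events, {flag}")
```

On the constructed input, 79.190.37.90 and 83.50.106.104 cross the threshold while 192.0.2.7 does not, because its two events are ninety minutes apart. The DNSBL flag is what separates noise from signal: an IP a blacklist already rejects costs nothing further, whereas one that is not listed is a candidate for a local block, which is where fail2ban earns its keep.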