[CentOS] A new attack
John Hinton
webmaster at ew3d.com
Fri Nov 10 15:58:22 UTC 2006
David Ellsmore wrote:
> John Hinton wrote:
>> Log report is reporting a lot of these lately.. following is just a
>> short snippet from the beginning on one server.
>>
>> WARNING!!!!
>> Possible Attack:
>> Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
>> command=HELO/EHLO, count=3 : 1 Time(s)
>> Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
>> command=HELO/EHLO, count=3 : 1 Time(s)
>> Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
>> command=HELO/EHLO, count=3 : 1 Time(s)
>> Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
>> command=HELO/EHLO, count=3 : 1 Time(s)
>> Attempt from 144.Red-80-34-151.staticIP.rima-tde.net
>> [80.34.151.144] with:
>> command=HELO/EHLO, count=3 : 1 Time(s)
>>
>> Could anyone expand on what these folks are actually doing? And if I
>> should be concerned?
>>
> To me it looks like something/someone looking for valid email
> addresses - perhaps to use in an effort to defeat spam filters. It'd
> be interesting to see what sort of conversation takes place between
> your server and the attacker, and how close together time wise these
> are occuring.
>
> I notice the first 5 warnings are from the Czech Republic, and the
> last one is from Spain. Are you getting these from world wide
> addresses or just these two countries?
I just snipped out the first five so as not to clog the list. They are
mostly coming from the baltic region of the world (what the heck country
is a .il tld?)... a lot from that one. But also a fair representation
from the largest spamming network in the world.. verizon who doesn't
care one bit.
Almost in every case, they are making three attempts.. but I have
sendmail set to pause receiving from a network after 2 bad attempts, so
maybe this would be worse without that entry? I don't really know the
flow of attempts like this on my system.
define(`confBAD_RCPT_THROTTLE', `2')dnl
Best,
John Hinton
More information about the CentOS
mailing list