[CentOS] A new attack

Fri Nov 10 15:58:22 UTC 2006
John Hinton <webmaster at ew3d.com>

David Ellsmore wrote:
> John Hinton wrote:
>> Log report is reporting a lot of these lately.. following is just a 
>> short snippet from the beginning on one server.
>>
>> WARNING!!!!
>> Possible Attack:
>>   Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
>>      command=HELO/EHLO, count=3 : 1 Time(s)
>>   Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
>>      command=HELO/EHLO, count=3 : 1 Time(s)
>>   Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
>>      command=HELO/EHLO, count=3 : 1 Time(s)
>>   Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
>>      command=HELO/EHLO, count=3 : 1 Time(s)
>>   Attempt from 144.Red-80-34-151.staticIP.rima-tde.net 
>> [80.34.151.144] with:
>>      command=HELO/EHLO, count=3 : 1 Time(s)
>>
>> Could anyone expand on what these folks are actually doing? And if I 
>> should be concerned?
>>
> To me it looks like something/someone looking for valid email 
> addresses - perhaps to use in an effort to defeat spam filters. It'd 
> be interesting to see what sort of conversation takes place between 
> your server and the attacker, and how close together time wise these 
> are occuring.
>
> I notice the first 5 warnings are from the Czech Republic, and the 
> last one is from Spain. Are you getting these from world wide 
> addresses or just these two countries?
I just snipped out the first five so as not to clog the list. They are 
mostly coming from the baltic region of the world (what the heck country 
is a .il tld?)... a lot from that one. But also a fair representation 
from the largest spamming network in the world.. verizon who doesn't 
care one bit.

Almost in every case, they are making three attempts.. but I have 
sendmail set to pause receiving from a network after 2 bad attempts, so 
maybe this would be worse without that entry? I don't really know the 
flow of attempts like this on my system.

define(`confBAD_RCPT_THROTTLE', `2')dnl

Best,
John Hinton