[CentOS] A new attack

Fri Nov 10 15:21:06 UTC 2006
David Ellsmore <dellsmore at vodafone.ie>

John Hinton wrote:
> Log report is reporting a lot of these lately.. following is just a 
> short snippet from the beginning on one server.
>
> WARNING!!!!
> Possible Attack:
>   Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
>      command=HELO/EHLO, count=3 : 1 Time(s)
>   Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
>      command=HELO/EHLO, count=3 : 1 Time(s)
>   Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
>      command=HELO/EHLO, count=3 : 1 Time(s)
>   Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
>      command=HELO/EHLO, count=3 : 1 Time(s)
>   Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] 
> with:
>      command=HELO/EHLO, count=3 : 1 Time(s)
>
> Could anyone expand on what these folks are actually doing? And if I 
> should be concerned?
>
To me it looks like something/someone looking for valid email addresses 
- perhaps to use in an effort to defeat spam filters. It'd be 
interesting to see what sort of conversation takes place between your 
server and the attacker, and how close together time-wise these are 
occurring.

I notice the first 5 warnings are from the Czech Republic, and the last 
one is from Spain. Are you getting these from worldwide addresses or 
just these two countries?
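To answer the "which countries/networks" question from a larger report, here is a small parser for the logwatch-style "Possible Attack" snippet quoted above. This is an added example, not code from the thread or from logwatch; it assumes the report text is available locally, and it uses the reverse-DNS suffix (iol.cz, rima-tde.net) as a rough network hint only, not as a real geolocation lookup.

```python
import re
from collections import Counter

# Constructed sample: the report lines quoted in the thread, including the
# entry that the mail client wrapped so that "with:" landed on its own line.
SAMPLE_REPORT = """\
WARNING!!!!
Possible Attack:
  Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
     command=HELO/EHLO, count=3 : 1 Time(s)
  Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
     command=HELO/EHLO, count=3 : 1 Time(s)
  Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
     command=HELO/EHLO, count=3 : 1 Time(s)
  Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
     command=HELO/EHLO, count=3 : 1 Time(s)
  Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144]
with:
     command=HELO/EHLO, count=3 : 1 Time(s)
"""

ATTEMPT_RE = re.compile(r"Attempt from (\S+) \[([\d.]+)\]")
COMMAND_RE = re.compile(r"command=(\S+), count=(\d+) : (\d+) Time\(s\)")


def parse_attempts(report):
    """Return (host, ip, command, count, times) tuples, one per report entry.

    Lines are consumed in order, so an entry wrapped across lines still
    pairs its host/IP with the command line that follows it.
    """
    entries, pending = [], None
    for line in report.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = COMMAND_RE.search(line)
        if m and pending:
            host, ip = pending
            cmd, count, times = m.groups()
            entries.append((host, ip, cmd, int(count), int(times)))
            pending = None
    return entries


def summarize(entries):
    """Aggregate by TLD, by registrable domain (ISP hint) and by SMTP command."""
    by_tld, by_domain, by_cmd = Counter(), Counter(), Counter()
    for host, _ip, cmd, count, times in entries:
        labels = host.rsplit(".", 2)          # ['...', 'iol', 'cz']
        by_tld[labels[-1]] += times
        by_domain[".".join(labels[-2:])] += times
        by_cmd[cmd] += count * times          # total bad commands seen
    return {"tld": dict(by_tld), "domain": dict(by_domain), "command": dict(by_cmd)}
```

Run it over a full day's report instead of the five-line sample and the domain counter shows whether the probes come from a handful of ISPs or from everywhere.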