David Ellsmore wrote: > John Hinton wrote: >> Log report is reporting a lot of these lately.. following is just a >> short snippet from the beginning on one server. >> >> WARNING!!!! >> Possible Attack: >> Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: >> command=HELO/EHLO, count=3 : 1 Time(s) >> Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: >> command=HELO/EHLO, count=3 : 1 Time(s) >> Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: >> command=HELO/EHLO, count=3 : 1 Time(s) >> Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: >> command=HELO/EHLO, count=3 : 1 Time(s) >> Attempt from 144.Red-80-34-151.staticIP.rima-tde.net >> [80.34.151.144] with: >> command=HELO/EHLO, count=3 : 1 Time(s) >> >> Could anyone expand on what these folks are actually doing? And if I >> should be concerned? >> > To me it looks like something/someone looking for valid email > addresses - perhaps to use in an effort to defeat spam filters. It'd > be interesting to see what sort of conversation takes place between > your server and the attacker, and how close together time wise these > are occuring. > > I notice the first 5 warnings are from the Czech Republic, and the > last one is from Spain. Are you getting these from world wide > addresses or just these two countries? I just snipped out the first five so as not to clog the list. They are mostly coming from the baltic region of the world (what the heck country is a .il tld?)... a lot from that one. But also a fair representation from the largest spamming network in the world.. verizon who doesn't care one bit. Almost in every case, they are making three attempts.. but I have sendmail set to pause receiving from a network after 2 bad attempts, so maybe this would be worse without that entry? I don't really know the flow of attempts like this on my system. define(`confBAD_RCPT_THROTTLE', `2')dnl Best, John Hinton