[CentOS] Sendmail log entries

Thu Sep 20 17:43:01 UTC 2012
Paul Heinlein <heinlein at madboa.com>

On Thu, 20 Sep 2012, James B. Byrne wrote:

> Recently we began seeing lots of these log entries on our off-site 
> mx smtp host.  I have googled this but I am not clear from what I 
> have read if this is something we can stop altogether or should even 
> worry about.
> WARNING!!!!  Possible Attack:
>    Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net
> [] with:
>       command=HELO/EHLO, count=3: 1 Time(s)

My understanding is that this is indicative of a (almost certainly 
malicious) SMTP client trying different HELO or EHLO identities within 
the same session. Sendmail is hard-coded to reject the connection 
after three HELO/EHLO commands.

So you've got a dynamic address ( trying to identify 
itself as three different hostnames -- and finally Sendmail gets angry 
and slams the door.

If you've configured a blacklist service like spamhaus, you're likely 
to see the 'possible SMTP attack' warning shortly after Sendmail has 
already rejected mail from the remote host, e.g.,

   Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay,
   arg1=ill90.internetdsl.tpnet.pl, arg2=,
   relay=ill90.internetdsl.tpnet.pl [], reject=550 5.7.1
   mail rejected - see http://www.spamhaus.org/

   Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804:
   ill90.internetdsl.tpnet.pl []: possible SMTP attack:
   command=HELO/EHLO, count=3

Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
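To make the correlation Paul describes checkable on real logs, here is a small log parser, added as an example and not part of the list post or of Sendmail itself. It matches the two kinds of syslog lines quoted above (the check_relay DNSBL rejection and the "possible SMTP attack" warning), keys them by sendmail process id and client IP, and reports, per client, how many HELO/EHLO warnings came from a process that had already rejected that client versus how many have no such explanation. The sample log is constructed for the example: hostnames and addresses (192.0.2.0/24) are placeholders, and the two-line wrapping of the quoted entries is undone because each syslog record is a single line.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the entries quoted in the post.
# Hostnames and IPs (192.0.2.0/24, the documentation range) are placeholders.
SAMPLE_LOG = """\
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.example.net, arg2=192.0.2.10, relay=ill90.example.net [192.0.2.10], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:50:17 myserv sendmail[16911]: q7JIoHAB016911: host77.example.org [192.0.2.77]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:52:03 myserv sendmail[16950]: q7JIq3CD016950: from=<user@example.com>, size=1024, class=0, nrcpts=1, relay=mail.example.com [192.0.2.5]
"""

# Common syslog prefix: timestamp, host, "sendmail[pid]: "
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: "

# check_relay rejection (e.g. a DNSBL hit): the connection was refused up front.
REJECT_RE = re.compile(
    _PREFIX + r"ruleset=check_relay, .*?relay=(?P<host>\S+) \[(?P<ip>[^\]]+)\], "
    r"reject=(?P<code>\d{3} \d\.\d\.\d)"
)

# The warning Sendmail logs once a client has sent its third HELO/EHLO.
ATTACK_RE = re.compile(
    _PREFIX + r"(?P<qid>\w+): (?P<host>\S+) \[(?P<ip>[^\]]+)\]: possible SMTP attack: "
    r"command=(?P<cmd>[^,]+), count=(?P<count>\d+)"
)


def parse_line(line):
    """Return a dict for a check_relay reject or a 'possible SMTP attack' entry,
    or None for any other sendmail line."""
    m = REJECT_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "reject"
        return entry
    m = ATTACK_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "attack"
        entry["count"] = int(entry["count"])
        return entry
    return None


def summarize(log_text):
    """Per client IP: number of check_relay rejects, number of HELO/EHLO warnings
    that followed a reject by the same sendmail process (the benign case in the
    post), and number of warnings with no preceding reject (worth a look)."""
    rejected = set()  # (pid, ip) pairs that already hit check_relay
    summary = defaultdict(lambda: {"host": None, "rejects": 0,
                                   "attacks_after_reject": 0,
                                   "attacks_unexplained": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = summary[entry["ip"]]
        stats["host"] = entry["host"]
        key = (entry["pid"], entry["ip"])
        if entry["kind"] == "reject":
            stats["rejects"] += 1
            rejected.add(key)
        elif key in rejected:
            stats["attacks_after_reject"] += 1
        else:
            stats["attacks_unexplained"] += 1
    return dict(summary)


if __name__ == "__main__":
    # Print only the clients whose warnings are not explained by an earlier reject.
    for ip, stats in sorted(summarize(SAMPLE_LOG).items()):
        if stats["attacks_unexplained"]:
            print(f"{ip} ({stats['host']}): "
                  f"{stats['attacks_unexplained']} unexplained HELO/EHLO warning(s)")
```

Run it against a real maillog with `summarize(open("/var/log/maillog").read())`; clients that show up only under `attacks_after_reject` are the noise Paul describes, while `attacks_unexplained` entries are the ones that were not already blocked by a blacklist and may deserve an access-map or firewall entry.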