On Thu, 20 Sep 2012, James B. Byrne wrote:

> Recently we began seeing lots of these log entries on our off-site
> mx smtp host. I have googled this but I am not clear from what I
> have read if this is something we can stop altogether or should even
> worry about.
>
> WARNING!!!! Possible Attack:
> Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net
> [83.50.106.104] with:
> command=HELO/EHLO, count=3: 1 Time(s)

My understanding is that this is indicative of a (almost certainly
malicious) SMTP client trying different HELO or EHLO identities within
the same session. Sendmail is hard-coded to reject the connection after
three HELO/EHLO commands.

So you've got a dynamic address (83.50.106.104) trying to identify
itself as three different hostnames -- and finally Sendmail gets angry
and slams the door.

If you've configured a blacklist service like spamhaus, you're likely
to see the 'possible SMTP attack' warning shortly after Sendmail has
already rejected mail from the remote host, e.g.,

Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
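The correlation Paul describes (a check_relay blacklist rejection logged by the same sendmail process shortly before the "possible SMTP attack" warning) can be pulled out of maillog mechanically. The following is an added example, not code from the thread: it parses the two log formats shown above, keys events by remote IP, and notes whether a ruleset rejection preceded the HELO/EHLO warning in the same process. The first two sample lines are the ones from the post; the third line, with its queue id, pid and timestamp, is constructed to represent the dynamic-address case from the original question.

```python
import re

# Constructed sample input: two lines quoted in the post plus one made-up
# line (queue id, pid, timestamp are invented) for the address in the
# original question, which had no preceding blacklist rejection.
SAMPLE_LOG = """\
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3
Sep 20 08:12:33 myserv sendmail[21077]: q8KFCXab021077: 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104]: possible SMTP attack: command=HELO/EHLO, count=3
"""

# Common syslog/sendmail prefix: timestamp, server, daemon[pid]
_PREFIX = (r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
           r"sendmail\[(?P<pid>\d+)\]: ")
# "hostname [ip]" as sendmail prints the remote relay
_RELAY = r"(?P<rhost>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]"

# "possible SMTP attack" warning (too many HELO/EHLO in one session)
ATTACK_RE = re.compile(
    _PREFIX + r"(?P<qid>\w+): " + _RELAY +
    r": possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)")

# Ruleset rejection, e.g. check_relay consulting a DNS blacklist
REJECT_RE = re.compile(
    _PREFIX + r"ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>[^,]+), "
    r"arg2=(?P<arg2>[^,]+), relay=" + _RELAY +
    r", reject=(?P<reply>\d{3} \d\.\d\.\d) (?P<reason>.*)$")


def parse_line(line):
    """Classify one sendmail log line; return a dict or None if unrelated."""
    m = ATTACK_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "attack"
        ev["count"] = int(ev["count"])
        return ev
    m = REJECT_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "reject"
        return ev
    return None


def summarize(log_text):
    """Per remote IP: counts of rejections and attack warnings, and whether
    a ruleset rejection from the same sendmail process came first."""
    per_ip = {}
    rejected = set()  # (pid, ip) pairs already rejected by a ruleset
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = per_ip.setdefault(ev["ip"], {
            "rhost": ev["rhost"], "attacks": 0, "rejects": 0,
            "rulesets": set(), "rejected_before_warning": False})
        if ev["event"] == "reject":
            entry["rejects"] += 1
            entry["rulesets"].add(ev["ruleset"])
            rejected.add((ev["pid"], ev["ip"]))
        else:
            entry["attacks"] += 1
            if (ev["pid"], ev["ip"]) in rejected:
                entry["rejected_before_warning"] = True
    return per_ip


def report(log_text):
    """Human-readable summary, one line per remote IP."""
    lines = []
    for ip, e in sorted(summarize(log_text).items()):
        tag = "already blacklisted" if e["rejected_before_warning"] else "warning only"
        lines.append(f"{ip:15} {e['rhost']:45} attacks={e['attacks']} "
                     f"rejects={e['rejects']} ({tag})")
    return lines


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

On a real maillog, feed the file contents to `summarize()`; addresses that show up as "warning only" are the ones the blacklist did not already stop, which is the subset worth a closer look.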