[CentOS] Sendmail log entries
Paul Heinlein
heinlein at madboa.com
Thu Sep 20 17:43:01 UTC 2012
On Thu, 20 Sep 2012, James B. Byrne wrote:
> Recently we began seeing lots of these log entries on our off-site
> mx smtp host. I have googled this but I am not clear from what I
> have read if this is something we can stop altogether or should even
> worry about.
>
> WARNING!!!! Possible Attack:
> Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net
> [83.50.106.104] with:
> command=HELO/EHLO, count=3: 1 Time(s)
My understanding is that this is indicative of a (almost certainly
malicious) SMTP client trying different HELO or EHLO identities within
the same session. Sendmail is hard-coded to reject the connection
after three HELO/EHLO commands.
So you've got a dynamic address (83.50.106.104) trying to identify
itself as three different hostnames -- and finally Sendmail gets angry
and slams the door.
If you've configured a blacklist service like spamhaus, you're likely
to see the 'possible SMTP attack' warning shortly after Sendmail has
already rejected mail from the remote host, e.g.,
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay,
arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4,
relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1
mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804:
ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack:
command=HELO/EHLO, count=3
--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
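As an added illustration (not part of the original message or of Sendmail itself), the following script parses sendmail syslog lines of the two kinds quoted above and reports, per source IP, how many "possible SMTP attack" HELO/EHLO warnings were logged and whether the same connection (same sendmail child PID) had already been rejected by the check_relay ruleset. The sample log text, hostnames, addresses and queue IDs are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sendmail syslog entries quoted in the
# message above; hostnames, addresses and queue IDs are placeholders.
SAMPLE_LOG = """\
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=relay1.example.net, arg2=127.0.0.4, relay=relay1.example.net [192.0.2.10], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: relay1.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:47:10 myserv sendmail[16900]: q7JIl9xx016900: host2.example.org [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 11:48:30 myserv sendmail[16950]: q7JIm3ab016950: from=<user@example.com>, size=1024, class=0, nrcpts=1, relay=mail.example.com [203.0.113.5]
"""

# "possible SMTP attack" line; the sendmail child PID identifies the connection.
ATTACK_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\S+): (?P<host>\S+) \[(?P<ip>[^\]]+)\]: "
    r"possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)")
# check_relay rejection (e.g. a DNSBL hit) logged by the same child PID.
REJECT_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: ruleset=check_relay, .*?relay=(?P<host>\S+) "
    r"\[(?P<ip>[^\]]+)\], reject=(?P<code>\d{3} \S+)")

def parse_events(log_text):
    """Return a list of (kind, pid, ip, detail) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            events.append(("attack", m["pid"], m["ip"], (m["cmd"], int(m["count"]))))
            continue
        m = REJECT_RE.search(line)
        if m:
            events.append(("reject", m["pid"], m["ip"], m["code"]))
    return events

def summarize(events):
    """Per source IP: number of HELO/EHLO attack warnings and whether that
    connection (same PID) had already been rejected by check_relay, which is
    the ordering the message above describes for DNSBL-listed hosts."""
    rejected_pids = {pid for kind, pid, _, _ in events if kind == "reject"}
    summary = defaultdict(lambda: {"helo_attacks": 0, "already_rejected": False})
    for kind, pid, ip, detail in events:
        if kind == "attack" and detail[0] == "HELO/EHLO":
            summary[ip]["helo_attacks"] += 1
            if pid in rejected_pids:
                summary[ip]["already_rejected"] = True
    return dict(summary)

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```

Hosts that show up as HELO/EHLO warnings without a prior check_relay rejection are the ones a DNSBL did not already catch and are worth a closer look.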