Old 09-20-2012, 03:07 PM
"James B. Byrne"
 
Sendmail log entries

Recently we began seeing lots of these log entries on our off-site mx
smtp host. I have googled this but I am not clear from what I have
read if this is something we can stop altogether or should even worry
about.

Comments?

Logwatch. . .

--------------------- sendmail Begin ------------------------

SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS
------------------------------------------

WARNING!!!! Possible Attack:
Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net
[83.50.106.104] with:
command=HELO/EHLO, count=3: 1 Time(s)


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-20-2012, 03:10 PM
 
Sendmail log entries

James B. Byrne wrote:
> Recently we began seeing lots of these log entries on our off-site mx
> smtp host. I have googled this but I am not clear from what I have
> read if this is something we can stop altogether or should even worry
> about.
>
> Comments?
>
I'm not real good with smtp, but it looks as though someone from Spain is
trying to directly connect to your smtp server. Unless you know that
they're legitimately using your system, I'd block that IP now.

fail2ban's your friend....

mark

> Logwatch. . .
>
> --------------------- sendmail Begin ------------------------
>
> SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS
> ------------------------------------------
>
> WARNING!!!! Possible Attack:
> Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net
> [83.50.106.104] with:
> command=HELO/EHLO, count=3: 1 Time(s)
>
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


 
Old 09-20-2012, 05:43 PM
Paul Heinlein
 
Sendmail log entries

On Thu, 20 Sep 2012, James B. Byrne wrote:

Recently we began seeing lots of these log entries on our off-site
mx smtp host. I have googled this but I am not clear from what I
have read if this is something we can stop altogether or should even
worry about.


WARNING!!!! Possible Attack:
Attempt from 104.Red-83-50-106.dynamicIP.rima-tde.net
[83.50.106.104] with:
command=HELO/EHLO, count=3: 1 Time(s)


My understanding is that this is indicative of a (almost certainly
malicious) SMTP client trying different HELO or EHLO identities within
the same session. Sendmail is hard-coded to reject the connection
after three HELO/EHLO commands.


So you've got a dynamic address (83.50.106.104) trying to identify
itself as three different hostnames -- and finally Sendmail gets angry
and slams the door.


If you've configured a blacklist service like spamhaus, you're likely
to see the 'possible SMTP attack' warning shortly after Sendmail has
already rejected mail from the remote host, e.g.,


Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay,
arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4,
relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1
mail rejected - see http://www.spamhaus.org/

Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804:
ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack:
command=HELO/EHLO, count=3

--
Paul Heinlein
heinlein@madboa.com
45°38' N, 122°6' W
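As an added illustration of the correlation Paul describes (not code from the thread), the following script parses sendmail "possible SMTP attack" warnings and the check_relay DNSBL rejections from the same session, so that HELO/EHLO warnings for hosts that were already rejected can be separated from those that were not. The log lines are constructed, modelled on the ones quoted above; the queue id on the third line and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines, modelled on those quoted in this thread.
SAMPLE_LOG = """\
Aug 19 11:45:01 myserv sendmail[16804]: ruleset=check_relay, arg1=ill90.internetdsl.tpnet.pl, arg2=127.0.0.4, relay=ill90.internetdsl.tpnet.pl [79.190.37.90], reject=550 5.7.1 mail rejected - see http://www.spamhaus.org/
Aug 19 11:45:02 myserv sendmail[16804]: q7JIj1pM016804: ill90.internetdsl.tpnet.pl [79.190.37.90]: possible SMTP attack: command=HELO/EHLO, count=3
Aug 19 12:03:10 myserv sendmail[16900]: q7JJ3A0016900: 104.Red-83-50-106.dynamicIP.rima-tde.net [83.50.106.104]: possible SMTP attack: command=HELO/EHLO, count=3
"""

# "possible SMTP attack" line: pid, queue id, relay name, bracketed IP, command, count.
ATTACK_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: \S+: (?P<host>\S+) \[(?P<ip>[\d.]+)\]: "
    r"possible SMTP attack: command=(?P<cmd>\S+), count=(?P<count>\d+)"
)
# check_relay rejection (DNSBL hit) logged by the same sendmail child process.
REJECT_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: ruleset=check_relay, .*?relay=\S+ \[(?P<ip>[\d.]+)\], "
    r"reject=(?P<code>\d{3})"
)


def classify(log_text):
    """Return {ip: {'attacks': n, 'already_rejected': bool}} for HELO/EHLO warnings."""
    rejected = set()  # (pid, ip) pairs that hit a check_relay reject
    summary = defaultdict(lambda: {"attacks": 0, "already_rejected": False})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejected.add((m["pid"], m["ip"]))
            continue
        m = ATTACK_RE.search(line)
        if m and m["cmd"] == "HELO/EHLO":
            entry = summary[m["ip"]]
            entry["attacks"] += 1
            # Same child pid and IP: the DNSBL reject preceded the warning in this session.
            if (m["pid"], m["ip"]) in rejected:
                entry["already_rejected"] = True
    return dict(summary)


def needs_attention(log_text):
    """IPs whose HELO/EHLO warning was not preceded by a DNSBL rejection in that session."""
    return sorted(ip for ip, e in classify(log_text).items() if not e["already_rejected"])


if __name__ == "__main__":
    for ip, entry in classify(SAMPLE_LOG).items():
        print(ip, entry)
    print("worth a closer look:", needs_attention(SAMPLE_LOG))
```

Hosts in the "already rejected" set are the noise case Paul describes; the remainder are the ones whose traffic pattern is worth looking at against the MX ordering and block lists.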
 
Old 09-20-2012, 07:31 PM
"James B. Byrne"
 
Sendmail log entries

On Thu, September 20, 2012 11:10, m.roth@5-cent.us wrote:

> I'm not real good with smtp, but it looks as though someone from
> Spain is trying to directly connect to your smtp server. Unless
> you know that they're legitimately using your system, I'd block
> that IP now.
>

The list of sources is far too long to include in a message to the
list. Suffice to say that each IP address is automatically blocked
for varying lengths of time following any failed attempt. What I am
trying to discover is what in particular, if anything, caused this
traffic to suddenly start hitting our external server and whether or
not we should be concerned about a specific vulnerability.

This host is our last remaining Sendmail server. All the rest have
been switched to Postfix. None of the other MX hosts are reporting
this and so the questions arise: Is this an attack? Is it
specifically directed at the Sendmail server or is it just a
co-incidence?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

 
Old 09-20-2012, 08:12 PM
Les Mikesell
 
Sendmail log entries

On Thu, Sep 20, 2012 at 2:31 PM, James B. Byrne <byrnejb@harte-lyne.ca> wrote:
>
>
> The list of sources is far too long to include in a message to the
> list. Suffice to say that each IP address is automatically blocked
> for varying lengths of time following any failed attempt. What I am
> trying to discover is what in particular, if anything, caused this
> traffic to suddenly start hitting our external server and whether or
> not we should be concerned about a specific vulnerability.

Where does it fit with the MX preference number ordering? If it is a
higher value (lower priority) the others should be tried first so
traffic might be an indication that other servers are unreachable or
failing. However, it is a common ploy for spammers to try to send to
the low priority target first on the chance that the spam filtering
isn't as good as on the primary server(s).

--
Les Mikesell
lesmikesell@gmail.com





> This host is our last remaining Sendmail server. All the rest have
> been switched to Postfix. None of the other MX hosts are reporting
> this and so the questions arise: Is this an attack? Is it
> specifically directed at the Sendmail server or is it just a
> co-incidence?
 
