Hello dear list members. One of our SuSE 8.0 boxes, which is a sendmail mail server, got these lines in /var/log/mail:

Jun 2 01:26:12 suse80box sendmail[18268]: h51LQCu5018268: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:13 suse80box sendmail[18270]: h51LQDu5018270: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:14 suse80box sendmail[18272]: h51LQEu5018272: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:18 suse80box sendmail[18274]: h51LQFu5018274: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:20 suse80box sendmail[18276]: h51LQJu5018276: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:21 suse80box sendmail[18278]: h51LQKu5018278: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:22 suse80box sendmail[18280]: h51LQMu5018280: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:23 suse80box sendmail[18282]: h51LQNu5018282: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:24 suse80box sendmail[18284]: h51LQOu5018284: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:28 suse80box sendmail[18286]: h51LQSu5018286: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:29 suse80box sendmail[18288]: h51LQTu5018288: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:30 suse80box sendmail[18290]: h51LQUu5018290: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 2 01:26:31 suse80box sendmail[18292]: h51LQVu5018292: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

I've googled for those and found some situations involving port scans etc. But here we get the messages every second, so this should be a DoS attempt. Am I right? What is the medicine?

-- 
Best regards,
Boris Kimel mailto:bobk@ioc.ac.ru
* Boris Kimel (IOC) (bobk@ioc.ac.ru) [030602 10:14]:
> I've googled for those and found some situations involving port scans etc. But here we get the messages every second, so this should be a DoS attempt. Am I right? What is the medicine?

Possibly just a spammer trying to get usernames. Just block the IP with iptables or tcpwrappers.

-- 
-ckm
> * Boris Kimel (IOC) (bobk@ioc.ac.ru) [030602 10:14]:
> > I've googled for those and found some situations involving port scans etc. But here we get the messages every second, so this should be a DoS attempt. Am I right? What is the medicine?
>
> Possibly just a spammer trying to get usernames. Just block the IP with iptables or tcpwrappers.
>
> -ckm
If the spammer has a dial-up or DSL connection he/she may possibly have another IP next time; instead block the FQDN of the SMTP host, if he has one (if he/she has dyn-dns). This can be done in /etc/hosts.deny!

Anyway, why does everybody run sendmail instead of postfix (8.x comes with postfix as default MTA)? Within postfix you can set a maximum of messages per IP within a defined timetable. Postfix has got more effective ways to get rid of spam, abuse, hack attempts and runs chrooted as well (I didn't find anything like that in sendmail). Not to mention the fine routing functions, smarthost, amavis integration, virtual maps (forwarding stuff) and further on ...

Philippe

P.S.: I run qmail or postfix on my/our servers (it's not a question of faith but of security).
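What the two replies suggest, worked through as an added example that is not part of the thread: parse sendmail's "did not issue MAIL/EXPN/VRFY/ETRN" lines, count null-transaction connections per client inside a sliding time window, and emit the tcpwrappers /etc/hosts.deny entry (by the FQDN sendmail logged when reverse DNS resolved, which is Philippe's point about dynamic IPs, otherwise by address) together with the iptables rule ckm mentions. The sample log lines are constructed, the year 2003 (syslog timestamps carry none), the threshold of 5 connections in 60 seconds, TCP port 25 and the tcpwrappers daemon name `sendmail` are assumptions chosen for illustration.

```python
"""Triage sendmail null-transaction log lines by source address.

Added example, not code from the original thread.  Assumptions: log year
2003, threshold 5 connections per 60 s, port 25, tcpwrappers daemon name
"sendmail" (the name a TCP-wrappers-enabled sendmail checks hosts.deny for).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, shaped like the lines in the original post.  The last
# line shows the form sendmail uses when reverse DNS resolves the client.
SAMPLE_LOG = """\
Jun  2 01:26:12 suse80box sendmail[18268]: h51LQCu5018268: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:26:13 suse80box sendmail[18270]: h51LQDu5018270: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:26:14 suse80box sendmail[18272]: h51LQEu5018272: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:26:18 suse80box sendmail[18274]: h51LQFu5018274: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:26:20 suse80box sendmail[18276]: h51LQJu5018276: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:30:00 suse80box sendmail[18300]: h51LU0u5018300: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:30:05 suse80box sendmail[18302]: h51LU5u5018302: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  2 01:31:00 suse80box sendmail[18310]: h51LV0u5018310: mail.example.org [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# syslog timestamp, host, sendmail[pid], queue id, optional FQDN, [ip], message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?:(?P<host>\S+) )?\[(?P<ip>[0-9.]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)


def parse_line(line, year=2003):
    """Return (timestamp, ip, fqdn_or_None) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["host"]


def find_offenders(lines, threshold=5, window_seconds=60):
    """Map ip -> (peak count, fqdn) for clients that reach `threshold`
    null-transaction connections inside any `window_seconds` window.
    Lines are assumed to be in chronological order, as in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, host = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            prev_count, prev_host = offenders.get(ip, (0, None))
            offenders[ip] = (max(prev_count, len(q)), host or prev_host)
    return offenders


def hosts_deny_rules(offenders, daemon="sendmail"):
    """tcpwrappers lines for /etc/hosts.deny; prefer the FQDN when sendmail
    logged one, so a dial-up client keeps matching after its IP changes."""
    return [f"{daemon}: {host or ip}"
            for ip, (_, host) in sorted(offenders.items())]


def iptables_rules(offenders, port=25):
    """One DROP rule per offending address for the SMTP port."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders)]


def main():
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for ip, (count, host) in sorted(offenders.items()):
        print(f"{ip} ({host or 'no reverse DNS'}): {count} null connections in window")
    print("\n".join(hosts_deny_rules(offenders)))
    print("\n".join(iptables_rules(offenders)))


if __name__ == "__main__":
    main()
```

Before turning the generated rules on, it is worth remembering what the line actually records: the client opened a connection and closed it without issuing any envelope command. Port scanners, monitoring probes and broken clients produce exactly the same entry, so check what else the same address did in the log (RCPT attempts, relay tests) before deciding it is a username harvester rather than noise. A hosts.deny entry by FQDN only helps if sendmail was built with TCP wrappers support and the client's reverse DNS actually resolves; the iptables rule works regardless but, as Philippe notes, only until the spammer's dynamic address changes.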
Hello Philippe,

Monday, June 2, 2003, 11:39:12 PM, you wrote:

PV> Anyway, why does everybody run sendmail instead of postfix (8.x comes with
PV> postfix as default MTA)?
PV> Within postfix you can set a maximum of messages per IP within a defined
PV> timetable.
PV> Postfix has got more effective ways to get rid of spam, abuse, hackattempts
PV> and runs chrooted as well (I didn't find anything like that in sendmail).
PV> Not to mention the fine routing functions, smarthost, amavis-integration,
PV> virtual maps (forwarding stuff) and further on ...

AFAIK 8.0 had sendmail as default MTA. Anyway, we've been moving from RH those times. Will be moving to SuSE 8.2 and Postfix as soon as I get some time. Just in case. Thanks.

-- 
Best regards,
Boris mailto:bobk@ioc.ac.ru
participants (3)
- Boris Kimel (IOC)
- Christopher Mahmood
- Philippe Vogel