[Mimedefang] "Possible SMTP attack: command=HELO/EHLO, count=3"

Joseph Brennan brennan at columbia.edu
Thu Oct 26 14:42:23 EDT 2006



--On Thursday, October 26, 2006 13:39 -0400 "Cormack, Ken" 
<ken.cormack at roadway.com> wrote:

> Has anyone else been seeing a ton of sendmail "possible SMTP attack:
> command=HELO/EHLO, count=3" log entries lately?  From what I've been able
> to google, it looks like there's a poorly-written spam-bot out there.
> Among my other rules, I use GeoIP, which is blocking the lion's share of
> these from within sub filter_sender, based on the country of origin of
> the connection. But I'm curious, how has anyone else been dealing with
> these?  I've logged over 44000 of these hits, in the past week.


Lots of them here too, about the same number per day.

What does that mean, anyway?  Three HELO or EHLO commands?  It would
be nice to target it.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology






