[Mimedefang] "Possible SMTP attack: command=HELO/EHLO, count=3"

Mike Grau m.grau at kcc.state.ks.us
Thu Oct 26 14:44:38 EDT 2006


On 10/26/2006 12:39 PM the voices made Cormack, Ken write:
> Has anyone else been seeing a ton of sendmail "possible SMTP attack:
> command=HELO/EHLO, count=3" log entries lately?  From what I've been able to
> google, it looks like there's a poorly-written spam-bot out there.  Among my
> other rules, I use GeoIP, which is blocking the lion's share of these from
> within sub filter_sender, based on the country of origin of the connection.
> But I'm curious, how has anyone else been dealing with these?  I've logged
> over 44000 of these hits, in the past week.
> 
> Ken

Yes, I've been getting a boatload since Oct 14 and this used to be rare.
Most of the messages seem to come from ISPs in Israel and the Czech
Republic, but they come from all over. I was dropping the connections
with iptables as the connection arrived, but it made no appreciable
difference in the number of connection attempts like this. There seemed
to be an inexhaustible supply of IPs.

-- Mike G.
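
An added example, not part of either post: a Python tally of these log entries per source IP, reporting how many events came from an address that had already been seen, which is the only share a per-IP drop rule could have stopped. The syslog layout matched by the regex is an assumption about sendmail's usual format, and the sample lines are constructed using documentation address ranges.

```python
import re
from collections import Counter

# Assumed layout: "sendmail[pid]: <queue-id>: [host ][ip][ (may be forged)]: possible SMTP attack: ..."
ATTACK_RE = re.compile(
    r"sendmail\[\d+\]: \S+: (?:(?P<host>\S+) )?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\](?: \(may be forged\))?"
    r": possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)"
)

# Constructed sample log lines (not taken from the thread).
SAMPLE = """\
Oct 26 12:00:01 mx sendmail[2101]: k9QG01aa002101: dsl-1.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:00:04 mx sendmail[2102]: k9QG04ab002102: [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:00:09 mx sendmail[2103]: k9QG09ac002103: host.example.org [203.0.113.55] (may be forged): possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:00:15 mx sendmail[2104]: k9QG0Fad002104: dsl-1.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:00:20 mx sendmail[2105]: k9QG0Kae002105: from=<a@example.com>, size=1204, nrcpts=1
Oct 26 12:00:31 mx sendmail[2106]: k9QG0Vaf002106: [198.51.100.9]: possible SMTP attack: command=NOOP, count=20
""".splitlines()


def summarize(lines, command="HELO/EHLO", top_n=3):
    """Count attack log entries for one SMTP command, grouped by client IP."""
    per_ip = Counter()
    for line in lines:
        m = ATTACK_RE.search(line)
        if m and m.group("cmd") == command:
            per_ip[m.group("ip")] += 1
    events = sum(per_ip.values())
    distinct = len(per_ip)
    return {
        "events": events,
        "distinct_ips": distinct,
        # Events from an IP already seen once: the most a block-on-first-sight
        # per-IP rule could have prevented. A low ratio of this to "events"
        # matches the "inexhaustible supply of IPs" observation.
        "blockable_repeats": events - distinct,
        "top": per_ip.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```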


