[Mimedefang] "Possible SMTP attack: command=HELO/EHLO, count=3"

Joseph Brennan brennan at columbia.edu
Thu Oct 26 15:02:56 EDT 2006

--On Thursday, October 26, 2006 13:39 -0400 "Cormack, Ken" 
<ken.cormack at roadway.com> wrote:

> Has anyone else been seeing a ton of sendmail "possible SMTP attack:
> command=HELO/EHLO, count=3" log entries lately?  From what I've been able
> to google, it looks like there's a poorly-written spam-bot out there.
> Among my other rules, I use GeoIP, which is blocking the lion's share of
> these from within sub filter_sender, based on the country of origin of
> the connection. But I'm curious, how has anyone else been dealing with
> these?  I've logged over 44000 of these hits in the past week.

So it's from the MAXHELOCOMMANDS compile-time variable, which defaults
to 3.  After 3 HELO or EHLO commands, sendmail starts to slow down, and
eventually 421's.  I wonder why the value is as high as 3.  What would
ever send more than one, besides butterfingered sysadmins on port 25?

What do we get in $Helo?  Just the last one, I guess.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
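
One way to turn those log entries into a per-source count, as an added example that is not code from this thread: the log lines below are constructed, and the script assumes that the syslog pid identifies one sendmail SMTP session (sendmail forks per connection) and that a later line for the same pid names the peer address in square brackets; the exact wording of the surrounding sendmail lines is an assumption.

```python
import re
from collections import Counter

# Constructed sample of sendmail syslog lines (not taken from the thread).
# sendmail forks one process per SMTP session, so the syslog pid ties the
# "possible SMTP attack" entry to the later line that names the peer.
SAMPLE_LOG = """\
Oct 26 13:39:01 mx1 sendmail[4101]: NOQUEUE: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 13:39:02 mx1 sendmail[4101]: k9QHd2xx004101: lost input channel from [192.0.2.10] to MTA after ehlo
Oct 26 13:39:05 mx1 sendmail[4102]: k9QHd5xx004102: from=<user@example.org>, size=1234, nrcpts=1, relay=mail.example.org [198.51.100.7]
Oct 26 13:39:09 mx1 sendmail[4103]: NOQUEUE: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 13:39:09 mx1 sendmail[4103]: NOQUEUE: possible SMTP attack: command=HELO/EHLO, count=4
Oct 26 13:39:10 mx1 sendmail[4103]: k9QHdAxx004103: lost input channel from [192.0.2.10] to MTA after ehlo
Oct 26 13:40:01 mx1 sendmail[4104]: NOQUEUE: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 13:40:02 mx1 sendmail[4104]: k9QHe2xx004104: lost input channel from [203.0.113.5] to MTA after ehlo
Oct 26 13:41:01 mx1 sendmail[4105]: NOQUEUE: possible SMTP attack: command=HELO/EHLO, count=3
"""

PID_RE = re.compile(r"sendmail\[(\d+)\]: (.*)$")
ATTACK_RE = re.compile(r"possible SMTP attack: command=HELO/EHLO, count=(\d+)")
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def helo_abusers(log_text, min_sessions=1):
    """Map peer IP -> number of sessions that tripped MAXHELOCOMMANDS.

    Sessions whose peer never shows up in a later line are reported
    under "unknown" so they are not silently dropped.
    """
    max_count = {}  # pid -> highest count= seen in that session
    peer = {}       # pid -> peer IP learned from any later line
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        a = ATTACK_RE.search(msg)
        if a:
            max_count[pid] = max(max_count.get(pid, 0), int(a.group(1)))
            continue
        p = PEER_RE.search(msg)
        if p and pid not in peer:
            peer[pid] = p.group(1)
    sessions = Counter(peer.get(pid, "unknown") for pid in max_count)
    return {ip: n for ip, n in sessions.items() if n >= min_sessions}
```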