[Mimedefang] "Possible SMTP attack: command=HELO/EHLO, count=3"
Joseph Brennan
brennan at columbia.edu
Thu Oct 26 15:02:56 EDT 2006
--On Thursday, October 26, 2006 13:39 -0400 "Cormack, Ken"
<ken.cormack at roadway.com> wrote:
> Has anyone else been seeing a ton of sendmail "possible SMTP attack:
> command=HELO/EHLO, count=3" log entries lately? From what I've been able
> to google, it looks like there's a poorly-written spam-bot out there.
> Among my other rules, I use GeoIP, which is blocking the lion's share of
> these from within sub filter_sender, based on the country of origin of
> the connection. But I'm curious, how has anyone else been dealing with
> these? I've logged over 44000 of these hits, in the past week.
So it's from the MAXHELOCOMMANDS compile-time variable, which defaults
to 3. After 3 HELO or EHLO commands, sendmail starts to slow down, and
eventually 421's. I wonder why the value is as high as 3. What would
ever send more than one, besides butterfingered sysadmins on port 25?
What do we get in $Helo? Just the last one, I guess.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
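Added example, not part of this thread or of MIMEDefang itself: a small log reducer that pulls the "possible SMTP attack" warnings out of a sendmail maillog, attributes each one to the connecting client, and ranks the hosts that keep tripping the HELO/EHLO limit. The log lines are constructed (RFC 5737 addresses, made-up queue ids) in the shape sendmail writes them, with the client name and address ahead of the message; the function names (`parse_attack_line`, `summarize`, `helo_offenders`, `access_map_lines`) are mine, and the `Connect:` output assumes an access_db feature is in use.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not real traffic). sendmail logs this
# warning once per connection, the moment the counter reaches the limit,
# so each line below stands for one connection that hit it.
SAMPLE_LOG = """\
Oct 26 14:01:12 mx1 sendmail[4101]: k9QI1Bx4004101: bot.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 14:01:40 mx1 sendmail[4117]: k9QI1ecb004117: [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 14:02:03 mx1 sendmail[4122]: NOQUEUE: [192.0.2.10] (may be forged): possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 14:02:30 mx1 sendmail[4130]: k9QI2Uo9004130: from=<a@example.org>, size=1203, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
Oct 26 14:03:15 mx1 sendmail[4141]: k9QI3Fqm004141: [198.51.100.7]: possible SMTP attack: command=RCPT, count=50
Oct 26 14:03:59 mx1 sendmail[4150]: k9QI3xyC004150: bot.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
"""

# pid, queue id (or NOQUEUE when no envelope exists yet), the client as
# sendmail names it (hostname [addr], [addr], possibly "(may be forged)"),
# then the fixed warning text with the command class and the counter.
ATTACK_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\S+): (?P<client>.+?): "
    r"possible SMTP attack: command=(?P<cmd>[A-Z/]+), count=(?P<count>\d+)$"
)
# The bracketed address is the only reliable key: the hostname part may be
# missing, forged, or flagged by sendmail as unverifiable.
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_attack_line(line):
    """Return (client_ip, command, count) for an attack warning, else None."""
    m = ATTACK_RE.search(line)
    if not m:
        return None
    ipm = IP_RE.search(m.group("client"))
    ip = ipm.group("ip") if ipm else m.group("client")
    return ip, m.group("cmd"), int(m.group("count"))


def summarize(lines):
    """Count warnings per (client_ip, command) across the whole log."""
    hits = Counter()
    for line in lines:
        parsed = parse_attack_line(line)
        if parsed is not None:
            ip, cmd, _count = parsed
            hits[(ip, cmd)] += 1
    return hits


def helo_offenders(lines, min_hits=2):
    """Clients that hit the HELO/EHLO limit at least min_hits times.

    Returned as (ip, hits) pairs, most frequent first. A single hit is often a
    fat-fingered admin on port 25; repeat hits from one address are the bot.
    """
    per_ip = Counter()
    for (ip, cmd), n in summarize(lines).items():
        if cmd == "HELO/EHLO":
            per_ip[ip] += n
    return [(ip, n) for ip, n in per_ip.most_common() if n >= min_hits]


def access_map_lines(offenders):
    """Render offenders as access-map Connect: entries for a human to review."""
    return ["Connect:%s\tREJECT" % ip for ip, _n in offenders]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (ip, cmd), n in sorted(summarize(lines).items()):
        print("%-16s %-10s %d" % (ip, cmd, n))
    for entry in access_map_lines(helo_offenders(lines)):
        print(entry)
```

Run it against a real maillog with `sys.stdin` in place of `SAMPLE_LOG` and pick `min_hits` to taste; a single hit from an address is not worth a block, but the same address logging the warning on connection after connection is the behaviour Ken describes. Correlating on the bracketed address rather than the queue id matters because many of these connections never get an envelope and are logged as `NOQUEUE`.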