[Mimedefang] "Possible SMTP attack: command=HELO/EHLO, count=3"
Kees Theunissen
theuniss at rijnh.nl
Thu Oct 26 16:59:12 EDT 2006
On Thu, 26 Oct 2006, Joseph Brennan wrote:
> Yesterday we had 57,510 of these from 29,312 different IP addresses.
> Therefore they average less than 2 a day per IP.
>
> Many were to invalid addresses, some of them in a format that could
> never have been a valid address in our domain. From a few that were
> to valid addresses, and so had subject logged-- prescription drug spam.
Raise your sendmail loglevel if you want to see those invalid strings.
I have been told that you need a level of 10 for this. I didn't try
it myself.
Below is a quote from a message on the comp.mail.sendmail usenet
group.
Looking at what goes on the wire, I see the host issuing EHLO
and HELO commands with single | as argument, or | followed by
some URL. "EHLO |" or "EHLO |http://some-host/blah/blah".
After it's rejected, it attempts with HELO, and finally does
"EHLO real-host". This is the point where sendmail logs the
warning.
I'm wondering why they're doing this. Is it a bug? Or are they
trying to gain something with this. Is the possible gain high
enough to compensate a possible lower delivery rate?
And why a "|"? Are they trying to exploit some bug somewhere in
a prog or script that handles messages or mail logs?
Could those invalid addresses you saw "in a format that could
never have been a valid address" make some sense in a scripting
context?
Regards,
--
Kees Theunissen
F.O.M.-Institute for Plasma Physics Rijnhuizen, Nieuwegein, Netherlands
E-mail: theuniss at rijnh.nl, Tel: (+31|0)306096724, Fax: (+31|0)306031204
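As an added example (not part of the original thread, and not sendmail or MIMEDefang code), the script below does the two defender-side checks this discussion points at: it counts "possible SMTP attack" warnings per connecting IP over a batch of log lines, so the kind of per-IP figures quoted above can be reproduced from a mail log, and it tests whether a HELO/EHLO argument is even syntactically a domain name or an address literal as RFC 2821 requires, which is what makes "EHLO |" and "EHLO |http://some-host/blah/blah" stand out. The sample log lines are constructed to resemble sendmail's warning; the exact layout of a real line depends on the sendmail version and syslog setup, so the regular expression only keys on the bracketed IP and the warning text.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of sendmail's
# "possible SMTP attack" warning (addresses are documentation ranges).
SAMPLE_LOG = """\
Oct 26 03:12:41 mx1 sendmail[20413]: k9Q7CfXa020413: [192.0.2.17]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 03:12:44 mx1 sendmail[20417]: k9Q7CiXb020417: [198.51.100.9]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 03:13:02 mx1 sendmail[20421]: k9Q7D2Xc020421: [192.0.2.17]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 03:13:10 mx1 sendmail[20425]: k9Q7DAXd020425: from=<bob@example.org>, size=2048, class=0, nrcpts=1, relay=[203.0.113.5]
"""

# Match the bracketed client IP followed by the warning; case-insensitive
# because the subject line of the thread capitalises "Possible".
ATTACK_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: possible SMTP attack: "
    r"command=(?P<cmd>\S+), count=(?P<count>\d+)",
    re.IGNORECASE,
)


def summarize_smtp_attacks(log_text):
    """Return (warnings_per_ip, total_warnings) for 'possible SMTP attack' lines."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
    return per_ip, sum(per_ip.values())


def average_per_ip(log_text):
    """Warnings divided by distinct source IPs (the figure quoted in the thread)."""
    per_ip, total = summarize_smtp_attacks(log_text)
    return total / len(per_ip) if per_ip else 0.0


# RFC 2821: the HELO/EHLO argument is a domain name or an address literal.
# Hostname labels: letters, digits, hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,255}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Address literal: [IPv4] or [IPv6:...]; the IPv6 body is only loosely checked.
ADDR_LITERAL_RE = re.compile(
    r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$"
)


def helo_argument_is_valid(arg):
    """True if arg could legally follow HELO/EHLO; '|' and URLs fail this."""
    return bool(HOSTNAME_RE.match(arg) or ADDR_LITERAL_RE.match(arg))


if __name__ == "__main__":
    per_ip, total = summarize_smtp_attacks(SAMPLE_LOG)
    print(f"{total} warnings from {len(per_ip)} IPs; per-IP: {dict(per_ip)}")
    for arg in ("|", "|http://some-host/blah/blah", "mail.example.com", "[192.0.2.1]"):
        print(f"{arg!r}: {'ok' if helo_argument_is_valid(arg) else 'INVALID'}")
```

Run it against a real log with `summarize_smtp_attacks(open("/var/log/maillog").read())`; the regex deliberately ignores the queue ID and timestamp so it survives minor layout differences between sendmail releases.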