OT: sendmail: possible SMTP attack??
Kevin Miller
Kevin_Miller at ci.juneau.ak.us
Mon Oct 16 17:15:44 IST 2006
Matt Kettler wrote:
> Jeff A. Earickson wrote:
>> Gang,
>>
>> I've been seeing a ton of "possible SMTP attack" syslog messages
>> from sendmail for the last couple of days, from all over the
>> place (mostly Israel and Brazil). Normally, I almost never see
>> this message from sendmail. Anybody else seeing this? New
>> email virus??? Any other ideas?
>
> I'm seeing a lot of them too. The failing command is HELO/EHLO. This
> means the sender issued 3 or more HELO/EHLO commands in a single
> conversation with sendmail.
>
> Probably a buggy spam tool or virus. Based on the low distribution of
> hosts doing this, I'd guess it's a virus, and that this bug is inhibiting
> its ability to spread.
Yup - three goes per each message. My system tagged it as high scoring
spam on the one I drilled down on so I figured it was just the latest
misconfigured botnet...
...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907) 586-4500
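
To see which hosts are behind the repeated HELO/EHLO messages discussed in this thread, the syslog entries can be tallied per client address. The script below is an added example, not code from any poster in the thread; the log lines are constructed samples using documentation addresses, and the line layout (queue ID, client name and bracketed IP, then `command=` and `count=`) is an assumption modelled on sendmail's "possible SMTP attack" syslog message.

```python
import re

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
Oct 16 09:01:12 mx1 sendmail[4312]: k9GH1Bq4004312: host1.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 16 09:01:13 mx1 sendmail[4312]: k9GH1Bq4004312: host1.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=4
Oct 16 09:02:40 mx1 sendmail[4330]: k9GH2Xw1004330: [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 16 09:03:05 mx1 sendmail[4341]: k9GH35aa004341: from=<user@example.org>, size=1822, nrcpts=1, relay=mail.example.org [203.0.113.9]
Oct 16 09:04:51 mx1 sendmail[4350]: k9GH4pZr004350: host3.example.com [203.0.113.5]: possible SMTP attack: command=NOOP, count=20
"""

# Assumed layout: "<qid>: <client name> [<ip>]: possible SMTP attack: command=X, count=N"
# The client name is absent when the connecting host has no reverse DNS.
PATTERN = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<client>.*?) ?\[(?P<ip>[^\]]+)\]: "
    r"possible SMTP attack: command=(?P<cmd>\S+), count=(?P<count>\d+)"
)


def parse_attacks(log_text):
    """Return one dict per 'possible SMTP attack' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            events.append({
                "ip": m["ip"],
                "client": m["client"] or None,
                "command": m["cmd"],
                "count": int(m["count"]),
            })
    return events


def summarize(log_text, command="HELO/EHLO"):
    """Per client IP: number of log events and highest repeat count for one command."""
    per_ip = {}
    for ev in parse_attacks(log_text):
        if ev["command"] != command:
            continue
        stats = per_ip.setdefault(ev["ip"], {"events": 0, "max_count": 0})
        stats["events"] += 1
        stats["max_count"] = max(stats["max_count"], ev["count"])
    return per_ip


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["events"])
    for ip, stats in ranked:
        print(f"{ip}: {stats['events']} events, max count {stats['max_count']}")
```
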