Log report is reporting a lot of these lately.. following is just a
short snippet from the beginning on one server.
WARNING!!!!
Possible Attack:
Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with:
command=HELO/EHLO, count=3 : 1 Time(s)
Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144]
with:
command=HELO/EHLO, count=3 : 1 Time(s)
Could anyone expand on what these folks are actually doing? And if I
should be concerned?
This is happening on both my CentOS 3 and 4 systems, all running Sendmail.
Thanks,
John Hinton
John Hinton wrote:> Log report is reporting a lot of these lately.. following is just a > short snippet from the beginning on one server. > > WARNING!!!! > Possible Attack: > Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] > with: > command=HELO/EHLO, count=3 : 1 Time(s) > > Could anyone expand on what these folks are actually doing? And if I > should be concerned? >To me it looks like something/someone looking for valid email addresses - perhaps to use in an effort to defeat spam filters. It'd be interesting to see what sort of conversation takes place between your server and the attacker, and how close together time wise these are occuring. I notice the first 5 warnings are from the Czech Republic, and the last one is from Spain. Are you getting these from world wide addresses or just these two countries?
On Fri, 2006-11-10 at 09:45 -0500, John Hinton wrote:> Log report is reporting a lot of these lately.. following is just a > short snippet from the beginning on one server. > > WARNING!!!! > Possible Attack: > Attempt from 104.29.broadband2.iol.cz [83.208.29.104] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 106.7.broadband7.iol.cz [88.102.7.106] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 106.74.broadband5.iol.cz [88.100.74.106] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 126.239.broadband7.iol.cz [88.102.239.126] with: > command=HELO/EHLO, count=3 : 1 Time(s) > Attempt from 144.Red-80-34-151.staticIP.rima-tde.net [80.34.151.144] > with: > command=HELO/EHLO, count=3 : 1 Time(s) > > Could anyone expand on what these folks are actually doing? And if I > should be concerned? > > This is happening on both my CentOS 3 and 4 systems, all running Sendmail.Not sure but I do know that hosts on the rima-tde.net network always try to send me tons of spam and rima-tde.net does not act upon any spam report. My logs show that rima-tde.net and tpnet.pl score top place when it comes to spam attempts from European hosts. Haven't seen iol.cz in my logs but I will keep an eye on them too. Regards, Patrick
Seemingly Similar Threads
- Problems pinging PC on tunnel
- Sendmail log entries
- Newbie Question: Building an Asterisk system to replace an old PBX but using existing phone
- Newbie Question: Building an Asterisk systemto replace an old PBX but using existing phone
- Q's about switching from sendmail to postfix