
Date:  Tue, 17 Oct 2006 23:08:31 +0200
From:  Arthur Sherman <arturs (at mark) netvision.net.il>
Subject:  [coba-e:07598] Possible attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <012d01c6f230$66625470$3701a8c0@lapxp>
X-Mail-Count: 07598

Hello,

In the latest LogWatch there are these entries:
---
WARNING!!!!
Possible Attack:
   Attempt from 84.94.32.194.cable.012.net.il [84.94.32.194] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from 89.0.227.64.dynamic.barak-online.net [89.0.227.64] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from 89.1.83.114.dynamic.barak-online.net [89.1.83.114] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from DSL217-132-11-39.bb.netvision.net.il [217.132.11.39] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from bzq-88-152-109-158.red.bezeqint.net [88.152.109.158] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from bzq-88-154-241-88.red.bezeqint.net [88.154.241.88] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
---

How could I block them automatically, i.e. could I configure sendmail to
ignore them?

I have this in sendmail.mc:
---
dnl # this is from http://www.technoids.org/dossed.html
dnl # 
FEATURE(`delay_checks',`friend')dnl
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
FEATURE(`ratecontrol', `nodelay',`terminate')dnl
FEATURE(`conncontrol', `nodelay',`terminate')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `25')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`greet_pause', `700')dnl
---

Thanks!



Best,

--
Arthur Sherman

+972-52-4878851
CPTeam
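
One way to turn the report above into block entries, as an added example that is not part of the original message: the script parses the "Possible Attack" section and emits Connect: REJECT lines for sendmail's access map. It assumes FEATURE(`access_db') is enabled, which the posted sendmail.mc excerpt does not show; the function names and the `keep` allowlist are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# First three entries copied from the LogWatch excerpt in the message above.
SAMPLE = """\
Possible Attack:
   Attempt from 84.94.32.194.cable.012.net.il [84.94.32.194] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from 89.0.227.64.dynamic.barak-online.net [89.0.227.64] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
   Attempt from 89.1.83.114.dynamic.barak-online.net [89.1.83.114] with:
      command=HELO/EHLO, count=3 : 1 Time(s)
"""

ATTEMPT = re.compile(r"^\s*Attempt from \S+ \[([^\]\s]+)\] with:\s*$")
DETAIL = re.compile(r"^\s*command=(\S+), count=(\d+) : (\d+) Time\(s\)\s*$")


def parse_possible_attacks(report):
    """Return {ipv4: Counter({command: times})} from a 'Possible Attack' section."""
    hits, current = {}, None
    for line in report.splitlines():
        m = ATTEMPT.match(line)
        if m:
            try:
                # Trust only the bracketed address, and only if it is a valid
                # IPv4 literal; the hostname comes from reverse DNS, which the
                # remote side controls.
                current = str(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                current = None
            continue
        m = DETAIL.match(line)
        if m and current:
            hits.setdefault(current, Counter())[m.group(1)] += int(m.group(3))
    return hits


def access_lines(hits, min_times=1, keep=()):
    """Build 'Connect:<ip> REJECT' lines, skipping addresses inside `keep` networks."""
    nets = [ipaddress.ip_network(n) for n in keep]
    lines = []
    for ip in sorted(hits, key=ipaddress.IPv4Address):
        addr = ipaddress.IPv4Address(ip)
        if sum(hits[ip].values()) < min_times or any(addr in n for n in nets):
            continue  # below threshold, or explicitly protected from blocking
        lines.append(f"Connect:{ip}\tREJECT")
    return lines


if __name__ == "__main__":
    print("\n".join(access_lines(parse_possible_attacks(SAMPLE))))
```

The output is meant to be reviewed and appended to the access map source, which is then rebuilt with makemap. Several of the reported hosts have dynamic-pool hostnames, so such entries go stale.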