Date:  Wed, 18 Oct 2006 19:01:25 +0100
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:07608] Re: Possible attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <45366BF5.8010709 (at mark) dogsbody.org>
In-Reply-To:  <012d01c6f230$66625470$3701a8c0@lapxp>
References:  <012d01c6f230$66625470$3701a8c0@lapxp>
X-Mail-Count: 07608


> In latest LogWatch there are these entries:
> WARNING!!!!
> Possible Attack:
>    Attempt from 84.94.32.194.cable.012.net.il [84.94.32.194] with:
>       command=HELO/EHLO, count=3 : 1 Time(s)
>    Attempt from 89.0.227.64.dynamic.barak-online.net [89.0.227.64] with:
>       command=HELO/EHLO, count=3 : 1 Time(s)
>    Attempt from 89.1.83.114.dynamic.barak-online.net [89.1.83.114] with:
>       command=HELO/EHLO, count=3 : 1 Time(s)
>    Attempt from DSL217-132-11-39.bb.netvision.net.il [217.132.11.39] with:
>       command=HELO/EHLO, count=3 : 1 Time(s)
>    Attempt from bzq-88-152-109-158.red.bezeqint.net [88.152.109.158] with:
>       command=HELO/EHLO, count=3 : 1 Time(s)
>    Attempt from bzq-88-154-241-88.red.bezeqint.net [88.154.241.88] with:
>       command=HELO/EHLO, count=3 : 1 Time(s)
> 
> How could I block them automatically, i.e. could I configure sendmail to
> ignore them?

I have seen lots of these attacks on my servers too over the last week; there
must be a new attack vector that is being tried.  As far as I can tell the 
servers (even the old Qubes and Raqs) are fending them off fine and the message 
is just for information.

Dan