
Date:  Fri, 20 Oct 2006 06:43:30 -0500
From:  Larry Smith <lesmith (at mark) ecsis.net>
Subject:  [coba-e:07648] Re: Possible attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200610200643.30280.lesmith (at mark) ecsis.net>
In-Reply-To:  <01e501c6f2e4$ff209af0$3701a8c0@lapxp>
References:  <01e501c6f2e4$ff209af0$3701a8c0@lapxp>
X-Mail-Count: 07648

On Wednesday 18 October 2006 13:41, Arthur Sherman wrote:
> Thanks, Dan!
> Best,
> --
> Arthur Sherman
> +972-52-4878851
> CPTeam
> > -----Original Message-----
> > From: Dogsbody [mailto:dan (at mark) dogsbody.org]
> > Sent: Wednesday, October 18, 2006 8:01 PM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:07608] Re: Possible attack
> >
> > > In latest LogWatch there are these entries:
> > > WARNING!!!!
> > > Possible Attack:
> > >    Attempt from 84.94.32.194.cable.012.net.il [84.94.32.194] with:
> > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > >    Attempt from 89.0.227.64.dynamic.barak-online.net [89.0.227.64] with:
> > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > >    Attempt from 89.1.83.114.dynamic.barak-online.net [89.1.83.114] with:
> > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > >    Attempt from DSL217-132-11-39.bb.netvision.net.il [217.132.11.39] with:
> > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > >    Attempt from bzq-88-152-109-158.red.bezeqint.net [88.152.109.158] with:
> > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > >    Attempt from bzq-88-154-241-88.red.bezeqint.net [88.154.241.88] with:
> > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > >
> > > How could I block them automatically, i.e. could I configure sendmail to
> > > ignore them?
> >
> > I have seen lots of these attacks on my servers too over the last week, there
> > must be a new attack vector that is being tried.  As far as I can tell the
> > servers (even the old Qubes and Raqs) are fending them off fine and the message
> > is just for information.
> >
> > Dan

Ok, decided to do some research on this one (since I started seeing them also)
and have found what is causing it...  Apparently one or more spammers out
there are using "broken" software that is using a "helo" string that starts
with the "pipe" (|) (upright-bar) character.
As in helo=<|http://?mail.oldartero.com?8888/cgi-bin/put>
It does not appear to be so much a "hack" attempt as it is an attempt to put
URLs in your error logs so that if you parse them with software you will get
lots of hits to their site.....
Sooo, from this perspective, the server(s) are doing "good" and are catching
them...

-- 
Larry Smith
SysAd ECSIS.NET
sysad (at mark) ecsis.net
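An added example, not from Larry's message or from the BlueQuartz/sendmail code: a small log scanner that does the check Larry describes, flagging HELO/EHLO arguments that are not a syntactically valid domain or address literal (RFC 5321 permits nothing else after HELO), pulling out any URL smuggled inside them as plain text, and summarising per client IP the way the Logwatch report above does. It deliberately never fetches the URLs, which is the point of Larry's observation: a log parser that turns them into live links or requests is what the spammer is counting on. The log lines, the `helo=<...>` field layout, the `LOG_RE` pattern and the example.net/example.org hostnames are all constructed for this example; adapt `LOG_RE` to the real format your MTA writes.

```python
"""Flag invalid HELO/EHLO arguments in MTA logs and list the URLs they carry.

The sample log below and the "host [ip] helo=<...>" field layout are
constructed for this example (sendmail-like syslog style), not real output.
"""
from __future__ import annotations

import re
from collections import defaultdict

# RFC 5321 section 4.1.1.1: the HELO/EHLO argument is a Domain (dot-separated
# letter-digit-hyphen labels) or an address literal such as [192.0.2.1].
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
ADDR_LITERAL_RE = re.compile(
    r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")

# Constructed field layout: "<client hostname> [<client ip>] helo=<...>".
LOG_RE = re.compile(
    r"(?P<host>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] helo=<(?P<helo>[^>]*)>")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: three retries with a pipe-prefixed URL HELO, two
# legitimate HELOs, and one that hides a URL after a space.
SAMPLE_LOG = """\
Oct 19 03:12:07 mx sendmail[30280]: NOQUEUE: client-a.example.org [192.0.2.10] helo=<|http://example.net:8888/cgi-bin/put>
Oct 19 03:12:08 mx sendmail[30280]: NOQUEUE: client-a.example.org [192.0.2.10] helo=<|http://example.net:8888/cgi-bin/put>
Oct 19 03:12:09 mx sendmail[30280]: NOQUEUE: client-a.example.org [192.0.2.10] helo=<|http://example.net:8888/cgi-bin/put>
Oct 19 03:15:41 mx sendmail[30291]: NOQUEUE: mail.example.com [198.51.100.7] helo=<mail.example.com>
Oct 19 03:16:02 mx sendmail[30299]: NOQUEUE: unknown [203.0.113.5] helo=<[203.0.113.5]>
Oct 19 03:17:30 mx sendmail[30303]: NOQUEUE: client-b.example.org [192.0.2.11] helo=<friend http://example.net/track?id=1>
"""


def helo_is_valid(helo: str) -> bool:
    """True only for a syntactically valid HELO/EHLO argument."""
    return bool(DOMAIN_RE.match(helo) or ADDR_LITERAL_RE.match(helo))


def embedded_urls(helo: str) -> list[str]:
    """URLs found inside the HELO string, returned as text and never fetched."""
    return URL_RE.findall(helo)


def scan_log(text: str) -> dict[str, dict]:
    """Per client IP: count of invalid HELOs, the distinct HELO strings seen,
    and the distinct URLs they carried."""
    bad: dict[str, dict] = defaultdict(
        lambda: {"count": 0, "helo": set(), "urls": set()})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a line carrying a HELO argument
        helo = m.group("helo")
        if helo_is_valid(helo):
            continue
        entry = bad[m.group("ip")]
        entry["count"] += 1
        entry["helo"].add(helo)
        entry["urls"].update(embedded_urls(helo))
    return dict(bad)


def report(text: str) -> list[str]:
    """Logwatch-style summary, one line per offending client IP."""
    lines = []
    for ip, e in sorted(scan_log(text).items()):
        urls = ", ".join(sorted(e["urls"])) or "-"
        lines.append(f"{ip}: {e['count']} invalid HELO(s); embedded URLs: {urls}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Running it on the constructed sample lists 192.0.2.10 with three invalid HELOs (the repeat count is exactly what makes a client cross the threshold behind a "command=HELO/EHLO, count=3" entry) and 192.0.2.11 with one; the legitimate domain and the bracketed address literal are left alone. Because the URLs come back as strings in a set rather than as links or HTTP requests, a nightly report built on this stays harmless to run.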