
Date:  Fri, 20 Oct 2006 15:21:32 +0200
From:  Arthur Sherman <arturs (at mark) netvision.net.il>
Subject:  [coba-e:07651] Re: Possible attack
To:  coba-e (at mark) bluequartz.org
Message-Id:  <011701c6f44a$a8ff78f0$3701a8c0@lapxp>
In-Reply-To:  <200610200643.30280.lesmith (at mark) ecsis.net>
X-Mail-Count: 07651

> > > > In latest LogWatch there are these entries:
> > > > WARNING!!!!
> > > > Possible Attack:
> > > >    Attempt from 84.94.32.194.cable.012.net.il [84.94.32.194] with:
> > > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > > >    Attempt from 89.0.227.64.dynamic.barak-online.net [89.0.227.64] with:
> > > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > > >    Attempt from 89.1.83.114.dynamic.barak-online.net [89.1.83.114] with:
> > > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > > >    Attempt from DSL217-132-11-39.bb.netvision.net.il [217.132.11.39] with:
> > > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > > >    Attempt from bzq-88-152-109-158.red.bezeqint.net [88.152.109.158] with:
> > > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > > >    Attempt from bzq-88-154-241-88.red.bezeqint.net [88.154.241.88] with:
> > > >       command=HELO/EHLO, count=3 : 1 Time(s)
> > > >
> > > > How could I block them automatically, i.e. could I configure sendmail to
> > > > ignore them?
> > >
> > > I have seen lots of these attacks on my servers too over the last week, there
> > > must be a new attack vector that is being tried.  As far as I can tell the
> > > servers (even the old Qubes and Raqs) are fending them off fine and the message
> > > is just for information.
> > >
> > > Dan
> 
> Ok, decided to do some research on this one (since I started seeing them also)
> and have found what is causing it...  Apparently one or more spammers out
> there are using "broken" software that is using a "helo" string that starts
> with the "pipe" (|) (upright-bar) character.
> As in helo=<|http://?mail.oldartero.com?8888/cgi-bin/put>
> It does not appear to be so much a "hack" attempt as it is an attempt to put
> URLs in your error logs so that if you parse them with software you will get
> lots of hits to their site.....
> Sooo, from this perspective, the server(s) are doing "good" and are catching
> them...
> 
> -- 
> Larry Smith
> SysAd ECSIS.NET
> sysad (at mark) ecsis.net


This is good news!

Thanks, Larry.


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam
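A defender-side way to handle the entries discussed in this thread, as an added example that is not code from the thread or from LogWatch: a small Python scanner that groups sendmail "possible SMTP attack" lines by client IP, flags HELO strings of the pipe-prefixed or URL-carrying kind Larry describes, and prints them defanged so the report itself never turns the planted URL into a live link. The log line shapes, the `example.invalid` domain and the second client IP are constructed for the sample; only the first IP comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), shaped like the sendmail
# entries LogWatch rolls up into its "Possible Attack" section and like the
# helo=<...> value Larry quoted; the domain is a placeholder.
SAMPLE_LOG = """\
Oct 20 06:41:02 mx sendmail[2311]: k9K4f2xx002311: 84.94.32.194.cable.012.net.il [84.94.32.194]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 20 06:41:03 mx sendmail[2311]: k9K4f2xx002311: ruleset=check_relay, relay=84.94.32.194.cable.012.net.il [84.94.32.194], helo=<|http://?mail.example.invalid?8888/cgi-bin/put>, reject=550 5.7.1 Access denied
Oct 20 06:45:10 mx sendmail[2320]: k9K4jAxx002320: relay=mail.partner.example [192.0.2.10], helo=<mail.partner.example>
"""

ATTACK_RE = re.compile(r"\[(?P<ip>[\d.]+)\]: possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<n>\d+)")
HELO_RE = re.compile(r"relay=\S+ \[(?P<ip>[\d.]+)\], helo=<(?P<helo>[^>]*)>")

def classify_helo(helo):
    """Return why a HELO value looks like log pollution, or None if it is benign.
    The value is treated strictly as data: never resolved, fetched or rendered."""
    if helo.startswith("|"):
        return "pipe-prefixed"
    if "/" in helo or "?" in helo:  # neither character is legal in a HELO hostname
        return "embedded-url"
    return None

def defang(value):
    """Break the URL syntax so a stats tool or mail client will not auto-link it."""
    return value.replace("://", "[:]//").replace(".", "[.]")

def scan(log_text):
    """Group 'possible SMTP attack' lines and suspicious HELOs by client IP."""
    by_ip = defaultdict(lambda: {"attack_lines": 0, "bad_helo": []})
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            by_ip[m["ip"]]["attack_lines"] += 1
        m = HELO_RE.search(line)
        if m and (reason := classify_helo(m["helo"])):
            by_ip[m["ip"]]["bad_helo"].append((reason, m["helo"]))
    return dict(by_ip)

def report(by_ip):
    """One summary line per client plus its defanged HELO strings."""
    out = []
    for ip, info in sorted(by_ip.items()):
        out.append(f"{ip}: {info['attack_lines']} attack line(s), {len(info['bad_helo'])} suspicious HELO(s)")
        out.extend(f"    {reason}: {defang(helo)}" for reason, helo in info["bad_helo"])
    return out
```

Running `print("\n".join(report(scan(SAMPLE_LOG))))` lists only the polluting client; the well-formed HELO from the second client is left out of the report entirely.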