Just my 2 cents. IP 118.169.207.30 is in my firewall as drop. That address, as well as many others in the neighborhood, will consistently hammer your server with relay/ftp requests.
Doug

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Stauber
Sent: Thursday, August 13, 2009 8:06 AM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:02095] Re: did someone get access to server?

Hi T. K.,

> Looking at my logs this morning and looks like someone was trying to
> send a message or something. What do you think?

Nope. It's fine.

1st line:

Aug 13 10:25:30 www sendmail[32614]: n7DEPT5r032614: ruleset=check_rcpt, arg1=, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.7.1 ... Relaying denied. Proper authentication required.

Someone from 118.169.207.30 tried to use your Sendmail (from the outside) to relay a message to an email account not on your box. As it should be, they got told: "Relaying denied. Proper authentication required." and the message was not accepted.

2nd line:

Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: lost input channel from 118-169-207-30.dynamic.hinet.net [118.169.207.30] to MTA after rcpt

Connection to/from them was closed.

3rd line:

Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30]

They then probed your Sendmail to check if certain accounts exist on your box. The part "size=0, class=0, nrcpts=0" tells us this.

That's a *very* common thing and you see that a lot. It's a mechanism that even some legit people use to verify if an email address exists before they actually try to deliver it to the address in question. It creates less traffic than sending an actual email and getting it bounced because the recipient doesn't exist.

But it's a fishy practice which spammers use a lot. They probe Sendmail for existing system accounts and then send one SPAM which has all guessed account names as BCC receivers.

It's of no concern security-wise as they don't actually try to guess passwords. No, they "just" check if this or that email address is valid.

I find it annoying, but blocking such probes would also stop quite a chunk of legit emails.

-- 
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx
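The three log lines discussed in this thread (a relay attempt rejected by check_rcpt, the dropped connection, and the empty envelope with size=0 and nrcpts=0) are the kind of thing worth counting per client IP rather than reacting to one at a time, since, as Michael says, a single empty envelope is also what a legitimate address-verification callout leaves behind. The script below is an added example written for this page, not code from the thread or from BlueOnyx. Its sample log is constructed: it reuses the shape of the quoted sendmail entries but the recipient addresses, the queue IDs after the first, the second client IP (192.0.2.10) and the "550 5.1.1 ... User unknown" lines (sendmail's default rejection for a non-existent local mailbox) are invented for illustration. The threshold of three probe-like events per IP is likewise an assumption; the script only reports, it does not block.

```python
"""Summarize sendmail probe activity per client IP from maillog lines.

Added example for this thread; sample data below is constructed, not real.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines modelled on the sendmail entries quoted in the
# thread. Addresses, later queue IDs and the 192.0.2.10 client are invented.
SAMPLE_LOG = """\
Aug 13 10:25:30 www sendmail[32614]: n7DEPT5r032614: ruleset=check_rcpt, arg1=<someone@example.net>, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.7.1 <someone@example.net>... Relaying denied. Proper authentication required.
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: lost input channel from 118-169-207-30.dynamic.hinet.net [118.169.207.30] to MTA after rcpt
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30]
Aug 13 10:26:02 www sendmail[32690]: n7DEQ2Ab032690: ruleset=check_rcpt, arg1=<sales@example.com>, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.1.1 <sales@example.com>... User unknown
Aug 13 10:26:02 www sendmail[32690]: n7DEQ2Ab032690: ruleset=check_rcpt, arg1=<info@example.com>, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.1.1 <info@example.com>... User unknown
Aug 13 10:26:03 www sendmail[32690]: n7DEQ2Ab032690: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30]
Aug 13 10:30:15 www sendmail[32801]: n7DEUFxc032801: from=<list@example.org>, size=1843, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Aug 13 10:31:40 www sendmail[32822]: n7DEVeGh032822: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
"""

# Client address as sendmail logs it: "relay=host [a.b.c.d]" or "from host [a.b.c.d]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Outside host asked us to relay to a non-local recipient (the thread's 1st line).
RELAY_DENIED_RE = re.compile(r"reject=550 5\.7\.1 .*Relaying denied")
# Host asked for a local mailbox that does not exist (assumed default sendmail text).
USER_UNKNOWN_RE = re.compile(r"reject=550 5\.1\.1 .*User unknown")
# Envelope closed with no sender, no data and no accepted recipients (the thread's 3rd line).
EMPTY_ENVELOPE_RE = re.compile(r"from=<>, size=0, class=\d+, nrcpts=0")


def classify(line):
    """Return (ip, event) for a probe-like line, or None for anything else.

    The 'lost input channel' line from the thread carries no event of its
    own: the connection simply closed, so it is deliberately ignored here.
    """
    m = IP_RE.search(line)
    if not m:
        return None
    ip = m.group(1)
    if RELAY_DENIED_RE.search(line):
        return ip, "relay_denied"
    if USER_UNKNOWN_RE.search(line):
        return ip, "user_unknown"
    if EMPTY_ENVELOPE_RE.search(line):
        return ip, "empty_envelope"
    return None


def summarize(log_text):
    """Count each event type per client IP across all lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, event = hit
            counts[ip][event] += 1
    return counts


def probing_hosts(counts, min_probes=3):
    """Return [(ip, probe_count)] for hosts at or above the threshold, busiest first.

    One empty envelope is what a legitimate sender-verification callout leaves
    behind, so a single hit proves nothing; the threshold (an assumption) is
    what separates 'checked one address' from 'walked a list of guesses'.
    """
    flagged = []
    for ip, c in counts.items():
        probes = c["relay_denied"] + c["user_unknown"] + c["empty_envelope"]
        if probes >= min_probes:
            flagged.append((ip, probes))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    # Usage: python probe_report.py /var/log/maillog   (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts = summarize(text)
    for ip, probes in probing_hosts(counts):
        c = counts[ip]
        print(f"{ip}: {probes} probe-like events "
              f"(relay denied {c['relay_denied']}, user unknown {c['user_unknown']}, "
              f"empty envelope {c['empty_envelope']})")
```

Run against the sample, only 118.169.207.30 is reported (one relay attempt, two unknown users, two empty envelopes); 192.0.2.10, which delivered one real message and left one empty envelope, stays under the threshold. That is the distinction the thread draws between a nuisance worth watching and traffic that must be allowed through.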
