RE: [cobalt-security] Should I worry

Wed, 12 Dec 2001 08:15:50 -0800 

Hello all,
  
   this looks like someone may have a broken mail server.  It's also
possible, though not probable, that they have been "hacked".  I would
recommend calling their coordinator:

        Jeff Fostek ([EMAIL PROTECTED])
        or by phone at 757-490-7300 (US Number)

This information is publicly available through the whois service.  You
might want to include an e-mail to the coordinator with a sample of the
logs.

   Hope this helps, 
   Mark.

P.S. The other message on this thread was an active monitor status
checking mechanism on the Qube/Raq.  It checks the status of various
applications every 15 minutes and alerts the admin if the application is
not on-line.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michael
Stauber
Sent: Wednesday, December 12, 2001 9:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Should I worry


Hi Audric,

> During the last few days I got hundreds of these:
> 
> Dec 12 09:04:08 qube3 sendmail[20950]: NOQUEUE: mrh.rcmail.com 
> [216.54.1.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to 
> MTA
> 
> should I worry.

Jepp. Could be that someone connected manually to your sendmail port and
is/was trying to trick it into doing bad stuff. 

You can test it out by using "telnet <your.ip.address> 25". Sendmail
will then greet you and expects to talk to a mail programm or other mail
server. You can basically send emails that way by just typing the
commands that Sendmail expects during a normal mail connection, or by
letting a script generate them. 

The error message above (did not issue MAIL/EXPN/VRFY/ETRN) tells us
that the connecting party got past the initial "HELO" greeting, but then
didn't behave as sendmail expected.

> Meanwhile I changed the default rule of my firewall from accept to 
> deny.

Sounds like a good idea. You could of course block this IP-address or
the entire address range of the originating ISP instead.

-- 
With best regards,

Michael Stauber
SOLARSPEED.NET
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

Reply via email to