At 02:37 PM 2/24/2002, you wrote:
>Hi everybody,
>
>I'm getting the following report from logcheck from this morning at 4
>up to now being repeated every 2:xx minutes.
>Now, please notice the IP number is the local route to get to the
>server to check mail (if I block it, 95% of my customers won't be able
>to read mail nor see their web sites).
>Seems to me like someone is trying to break this user's passwd.
>What do you think ?
>How can I correct the "not issue MAIL/EXPN/VRFY/ETRN during connection
>to MTA" ?
>
>Feb 24 12:30:03 www sendmail[31012]: NOQUEUE: localhost [127.0.0.1] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Feb 24 12:32:58 www in.qpopper[31132]: (v?) POP login by
>user "adrianac" at (200.66.165.18) 200.66.165.18
>Feb 24 12:34:01 www in.qpopper[31171]: (v?) POP login by
>user "adrianac" at (200.66.165.18) 200.66.165.18
>... and keeps going
>
>Thanks in advance for your help
>
>Jorge Ceballos
>--
The user adrianac is checking his email every three minutes. You can tell logcheck to not notify for this user. Easier to do if he always uses the same IP.
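An added example, not part of the original thread: an ignore pattern of the kind the reply suggests, scoped to both the user and the source IP so that logins by the same account from any other address still reach the report. It assumes logcheck's ignore file takes egrep-style patterns (the file's name and location depend on the local install); the last two sample log lines are constructed.

```shell
#!/bin/sh
# Extended-regex ignore pattern: user "adrianac" AND source 200.66.165.18 only.
# Assumption: this line would go in the local logcheck ignore file.
IGNORE_PATTERN='in\.qpopper\[[0-9]+\]: .* POP login by user "adrianac" at \(200\.66\.165\.18\) 200\.66\.165\.18$'

# Sample input: first three lines are from the report quoted above (rejoined),
# the last two are constructed to show what must NOT be suppressed.
sample_log() {
cat <<'EOF'
Feb 24 12:30:03 www sendmail[31012]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 24 12:32:58 www in.qpopper[31132]: (v?) POP login by user "adrianac" at (200.66.165.18) 200.66.165.18
Feb 24 12:34:01 www in.qpopper[31171]: (v?) POP login by user "adrianac" at (200.66.165.18) 200.66.165.18
Feb 24 12:40:11 www in.qpopper[31250]: (v?) POP login by user "adrianac" at (192.0.2.44) 192.0.2.44
Feb 24 12:41:02 www in.qpopper[31262]: (v?) POP login by user "otheruser" at (200.66.165.18) 200.66.165.18
EOF
}

# Drop every line matching the ignore pattern, keep everything else.
filter_report() {
    grep -E -v -- "$IGNORE_PATTERN"
}

# Lines that would still be reported after the ignore rule is applied.
remaining() {
    sample_log | filter_report
}

remaining
```

Leaving the IP out of the pattern would also hide logins to this account from unfamiliar addresses, which is the case worth seeing.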
