Hello All,
I just saw a strange attack on my Cobalts that serve mail.
I have two T-1 networks that were involved with this message. In order to
protect the innocent, hypothetically let's say network A has a valid Internet
IP range of 10.1.1.0/24 and another disjoint network B of 192.168.5.0/24.
I have a firewall on 192.168.5.0/24 at blinky.mydomain.com [192.168.5.5]
I have a mail server on 10.1.1.0/24 at mail.mydomain.com
Here is what I got from LogSentry the last hour:
Subject: mail.mydomain.com 01/31/03:12.00 ACTIVE SYSTEM ATTACK!
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: VRFY root [rejected]
Security Violations
=-=-=-=-=-=-=-=-=-=
Jan 31 11:00:02 mail imapd[11134]: Login failure user=Active_Monitor_69
host=localhost [127.0.0.1]
Jan 31 11:05:27 mail in.qpopper[11478]: EOF from at 192.168.5.5
(blinky.mydomain.com): [0] 29 (Illegal seek); 0 (Success)
Jan 31 11:05:27 mail in.qpopper[11478]: (null) at blinky.mydomain.com
(192.168.5.5): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: VRFY root [rejected]
Jan 31 11:06:38 mail sendmail[11532]: LAA11532: ruleset=check_mail,
arg1=blade@lans, relay=blinky.mydomain.com [192.168.5.5], reject=501
[EMAIL PROTECTED] Sender domain must exist
Can anyone explain what happened here? It looks like I'm getting hacked
from my firewall!? Is there something I am not understanding here?
Thanks,
Glenn
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
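As an added example (not from Glenn's post or from the Cobalt list), here is a small Python script that classifies the LogSentry events quoted above and groups them by source address, which makes it obvious that every SMTP/POP event comes from the one firewall host. The sample log is constructed from the lines in the post, re-joined onto single lines where the mail client had wrapped them; the event names are my own labels.

```python
import re
from collections import defaultdict

# Constructed sample: the LogSentry lines from the post, one event per line.
SAMPLE_LOG = """\
Jan 31 11:00:02 mail imapd[11134]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Jan 31 11:05:27 mail in.qpopper[11478]: EOF from at 192.168.5.5 (blinky.mydomain.com): [0] 29 (Illegal seek); 0 (Success)
Jan 31 11:05:27 mail in.qpopper[11478]: (null) at blinky.mydomain.com (192.168.5.5): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com [192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com [192.168.5.5]: VRFY root [rejected]
Jan 31 11:06:38 mail sendmail[11532]: LAA11532: ruleset=check_mail, arg1=blade@lans, relay=blinky.mydomain.com [192.168.5.5], reject=501 [EMAIL PROTECTED] Sender domain must exist
"""

# Source address: either "[a.b.c.d]" after a hostname, "at a.b.c.d" (qpopper),
# or "(a.b.c.d)" after a hostname.
IP_RE = re.compile(r"(?:\[|\(|\bat )(\d{1,3}(?:\.\d{1,3}){3})")

# Event labels are my own. "[rejected]" on EXPN/VRFY is sendmail refusing the
# command under PrivacyOptions (noexpn/novrfy), i.e. the probe got no data.
RULES = [
    ("smtp-recon-probe", re.compile(r"sendmail\[\d+\]: NOQUEUE: .*: (?:EXPN|VRFY) \S+ \[rejected\]")),
    ("smtp-sender-rejected", re.compile(r"sendmail\[\d+\]: \w+: ruleset=check_mail, .*reject=\d{3}")),
    ("imap-login-failure", re.compile(r"imapd\[\d+\]: Login failure")),
    ("pop-session-dropped", re.compile(r"in\.qpopper\[\d+\]: .*(?:EOF from|POP EOF)")),
]


def classify(line):
    """Return (event_label, source_ip) for a known line, else None."""
    for label, pattern in RULES:
        if pattern.search(line):
            m = IP_RE.search(line)
            return label, (m.group(1) if m else "unknown")
    return None


def summarize(log_text):
    """Count events per source IP: {ip: {label: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            label, ip = hit
            counts[ip][label] += 1
    return {ip: dict(labels) for ip, labels in counts.items()}


if __name__ == "__main__":
    for ip, labels in summarize(SAMPLE_LOG).items():
        print(ip, labels)
```

Seeing all four SMTP/POP events attributed to 192.168.5.5 within about a minute points at a single process on the firewall (a monitoring check, for instance) rather than an outside attacker, but the script only groups; confirming that is a job for the firewall's own logs.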
