On Wed, Jun 28, 2006 at 12:06:33PM +1200, Steve Holdoway wrote:
> On Tue, 27 Jun 2006 23:00:42 +0100
> Jim Cheetham <[EMAIL PROTECTED]> wrote:
> > On Wed, Jun 28, 2006 at 07:23:49AM +1200, Steve Holdoway wrote:
> > > Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813:
> > > 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue
> > > MAIL/EXPN/VRFY/ETRN during connection to MTA
> >
> > original log file and confirm that it matches; if it does then you have
> > uncovered a class of match that logcheck is overriding - a common place
> > for that to occur is in the attack definitions.
>
> Hey Jim - how's the windy city???

Today it's foggy :-) There are quite a few interesting user groups up here,
not that I have time for them often!

> That was the answer! The keywords VRFY and EXPN were in the file
> /etc/logcheck/violations.d/logcheck. You'll probably find SMART in there,
> Hads (:

It's probably a notifiable security condition if someone connects to your
SMTP and tries to VRFY addresses; so don't just remove the condition, but
try refining it so it doesn't trigger when seeing your normal log (i.e. make
it alert on attacks using "VRFY" but not on "/VRFY", with something like
[^/]*VRFY and [^/]*ETRN (untested), taking advantage of the fact that your
log entry has a leading / in front of those words, but that can't be valid
in a real SMTP conversation).

-jim
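Added example, not part of the thread: a quick way to check a candidate violations.d pattern against the actual log line before dropping it into /etc/logcheck/violations.d/. logcheck hands those files to egrep, so plain ERE behaviour is what counts. The first sample line is the benign sendmail message quoted above; the second is a constructed stand-in for a real VRFY probe (the exact wording sendmail logs for a rejected VRFY is not reproduced here). The script runs Jim's "untested" suggestion beside an anchored variant of the same idea, so you can see which one still fires on the benign line.

```shell
#!/bin/sh
# Added example (not from the thread). logcheck feeds each file under
# /etc/logcheck/violations.d/ to egrep -f, so all that matters is how the
# ERE behaves against the raw log line.

# Constructed sample: line 1 is the benign sendmail message from the thread,
# line 2 is a made-up line standing in for a real VRFY probe.
sample_log() {
    cat <<'EOF'
Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 28 06:15:41 server sm-mta[7950]: NOQUEUE: scanner.example.net [192.0.2.10]: VRFY root
EOF
}

# Number of sample lines a violations.d pattern would flag
# (grep -c prints 0 and exits 1 on no match, hence the || true).
count_hits() {
    sample_log | grep -Ec -- "$1" || true
}

# The pattern suggested in the thread. [^/]* may match the empty string, so
# egrep still finds "VRFY" right after the "/" in MAIL/EXPN/VRFY/ETRN and the
# benign line is flagged as well.
loose_vrfy='[^/]*VRFY'

# Require the character before the keyword to exist and not be "/", or the
# keyword to start the line. Still plain ERE, so it works with egrep -f.
strict_vrfy='(^|[^/])VRFY'
strict_expn='(^|[^/])EXPN'
strict_etrn='(^|[^/])ETRN'

main() {
    printf 'loose  %s -> %s line(s)\n' "$loose_vrfy"  "$(count_hits "$loose_vrfy")"
    printf 'strict %s -> %s line(s)\n' "$strict_vrfy" "$(count_hits "$strict_vrfy")"
    printf 'lines the strict rules would report:\n'
    sample_log | grep -E -- "$strict_vrfy|$strict_expn|$strict_etrn"
}

main
```

The three strict patterns are what you would put in your violations.d file in place of the bare keywords. The other logcheck-native route is to leave the keyword rules alone and add the benign "did not issue MAIL/EXPN/VRFY/ETRN" line as a pattern under violations.ignore.d, which is what that directory exists for; either way, run the candidate through egrep against a day of real logs before relying on it.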
