On 10/26/2006 12:39 PM the voices made Cormack, Ken write:
> Has anyone else been seeing a ton of sendmail "possible SMTP attack:
> command=HELO/EHLO, count=3" log entries lately? From what I've been able to
> google, it looks like there's a poorly-written spam-bot out there. Among my
> other rules, I use GeoIP, which is blocking the lion's share of these from
> within sub filter_sender, based on the country of origin of the connection.
> But I'm curious, how has anyone else been dealing with these? I've logged
> over 44000 of these hits, in the past week.
>
> Ken

Yes, I've been getting a boatload since Oct 14 and this used to be rare. Most of the messages seem to come from ISPs in Israel and the Czech Republic, but they come from all over. I was dropping the connections with iptables as the connection arrived, but it made no appreciable difference in the number of connection attempts like this. There seemed to be an inexhaustible supply of IPs.

--
Mike G.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
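
Added example, not part of either message above: a small Python tally of the "possible SMTP attack" entries per source IP and per /24, to measure how much of the traffic comes from repeat addresses before deciding whether per-IP firewall drops are worth maintaining. The log layout in the regex is an assumption about sendmail's syslog format, and the sample lines are constructed with documentation address ranges.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Assumed layout: "... [<ip>]: possible SMTP attack: command=<cmd>, count=<n>"
ATTACK_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: possible SMTP attack: "
    r"command=(?P<cmd>[^,]+), count=(?P<count>\d+)"
)

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
Oct 26 12:01:07 mx1 sendmail[4121]: k9QG17aa004121: [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:01:09 mx1 sendmail[4123]: k9QG19aa004123: dsl-1.example.net [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:02:11 mx1 sendmail[4130]: k9QG2Baa004130: [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:02:40 mx1 sendmail[4133]: k9QG2eaa004133: [203.0.113.45]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:03:02 mx1 sendmail[4140]: k9QG32aa004140: [198.51.100.99]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 12:03:05 mx1 sendmail[4141]: k9QG35aa004141: from=<a@example.com>, size=912, relay=mail.example.org [192.0.2.200]
Oct 26 12:03:30 mx1 sendmail[4150]: k9QG3Uaa004150: [203.0.113.46]: possible SMTP attack: command=HELO/EHLO, count=3
"""

def summarize(log_text):
    """Return (hits per source IP, hits per /24) for matching log lines."""
    per_ip, per_net = Counter(), Counter()
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if not m:
            continue  # ordinary delivery lines are ignored
        ip = m.group("ip")
        per_ip[ip] += 1
        per_net[str(ip_network(f"{ip}/24", strict=False))] += 1
    return per_ip, per_net

def repeat_ratio(per_ip):
    """Fraction of hits that came from an IP seen more than once.
    A low value means blocking individual addresses removes little traffic."""
    total = sum(per_ip.values())
    repeats = sum(n for n in per_ip.values() if n > 1)
    return repeats / total if total else 0.0

if __name__ == "__main__":
    ips, nets = summarize(SAMPLE_LOG)
    print(f"{sum(ips.values())} hits from {len(ips)} IPs in {len(nets)} /24s")
    print(f"share of hits from repeat IPs: {repeat_ratio(ips):.0%}")
    for net, n in nets.most_common(5):
        print(f"{n:6d}  {net}")
```
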

