--On Thursday, October 26, 2006 13:39 -0400 "Cormack, Ken" <[EMAIL PROTECTED]> wrote:
Has anyone else been seeing a ton of sendmail "possible SMTP attack: command=HELO/EHLO, count=3" log entries lately? From what I've been able to google, it looks like there's a poorly-written spam-bot out there. Among my other rules, I use GeoIP, which is blocking the lion's share of these from within sub filter_sender, based on the country of origin of the connection. But I'm curious, how has anyone else been dealing with these? I've logged over 44000 of these hits, in the past week.
So it's from the MAXHELOCOMMANDS compile-time variable, which defaults to 3. After 3 HELO or EHLO commands, sendmail starts to slow down, and eventually 421's.

I wonder why the value is as high as 3. What would ever send more than one, besides butterfingered sysadmins on port 25?

What do we get in $Helo? Just the last one, I guess.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
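For anyone wanting to measure how many of these come from the same clients, here is an added example (not part of the original thread) that tallies the HELO/EHLO warnings per client IP. The syslog layout around the quoted message text is an assumption, and the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines; the syslog prefix layout is an assumption.
SAMPLE_LOG = """\
Oct 26 13:01:02 mx1 sendmail[2101]: k9QH12ab002101: [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 13:01:05 mx1 sendmail[2101]: k9QH12ab002101: [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=4
Oct 26 13:02:11 mx1 sendmail[2140]: k9QH2Bcd002140: host.example.net [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 13:03:40 mx1 sendmail[2188]: k9QH3eEf002188: from=<a@example.org>, size=1204, nrcpts=1, relay=[203.0.113.5]
Oct 26 13:04:09 mx1 sendmail[2203]: k9QH49gh002203: [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 26 13:05:00 mx1 sendmail[2230]: k9QH50ij002230: [203.0.113.9]: possible SMTP attack: command=NOOP, count=20
"""

# queue id, optional client hostname, bracketed client address, then the warning text
ATTACK_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): (?:\S+ )?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]: possible SMTP attack: "
    r"command=(?P<cmd>[^,]+), count=(?P<count>\d+)"
)


def summarize_helo_floods(log_text):
    """Return {ip: {"connections": n, "max_count": m}} for HELO/EHLO warnings.

    One connection can log several warnings (count=3, 4, ...), so connections
    are counted by distinct queue id rather than by log line.
    """
    qids = defaultdict(set)
    max_count = defaultdict(int)
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if not m or m.group("cmd") != "HELO/EHLO":
            continue  # other commands have their own limits; not tallied here
        ip = m.group("ip")
        qids[ip].add(m.group("qid"))
        max_count[ip] = max(max_count[ip], int(m.group("count")))
    return {ip: {"connections": len(qids[ip]), "max_count": max_count[ip]}
            for ip in qids}


def repeat_offenders(summary, min_connections=2):
    """Client IPs that tripped the warning on at least min_connections connections."""
    return sorted(ip for ip, s in summary.items()
                  if s["connections"] >= min_connections)


if __name__ == "__main__":
    summary = summarize_helo_floods(SAMPLE_LOG)
    for ip in repeat_offenders(summary):
        print(ip, summary[ip])
```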

