[BlueOnyx:02095] Re: did someone get access to server?
Michael Stauber
mstauber at blueonyx.it
Thu Aug 13 10:05:39 -05 2009
Hi T. K.,
> Looking at my logs this morning and it looks like someone was trying to send a
> message or something. What do you think?
Nope. It's fine.
1st line:
Aug 13 10:25:30 www sendmail[32614]: n7DEPT5r032614: ruleset=check_rcpt, arg1=, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
Someone from 118.169.207.30 tried to use your Sendmail (from the outside) to
relay a message to an email account not on your box.
As it should be they got told: "Relaying denied. Proper authentication
required." and the message was not accepted.
2nd line:
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: lost input channel from 118-169-207-30.dynamic.hinet.net [118.169.207.30] to MTA after rcpt
Connection to/from them was closed.
3rd line:
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30]
They then probed your Sendmail to check if certain accounts exist on your box.
The part "size=0, class=0, nrcpts=0" tells us this.
That's a *very* common thing and you see that a lot. It's a mechanism that
even some legit people use to verify if an email address exists before they
actually try to deliver it to the address in question. It creates less traffic
than sending an actual email and getting it bounced because the recipient
doesn't exist.
But it's a fishy practice which spammers use a lot. They probe Sendmail for
existing system accounts and then send one SPAM which has all guessed
account names as BCC receivers.
It's of no concern security wise as they don't actually try to guess
passwords. No, they "just" check if this or that email address is valid. I
find it annoying, but blocking such probes would also stop quite a chunk of
legit emails.
--
With best regards
Michael Stauber
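To make the reading of those three log lines mechanical, here is an added example (written for this page; it is not code from the thread or from BlueOnyx) that parses sendmail syslog lines, groups them by queue ID and tags each session the way the reply describes: a check_rcpt "Relaying denied" rejection, a lost input channel, and a from= summary with size=0 and nrcpts=0. The lines in SAMPLE_LOG are constructed for the example, modelled on the quoted ones with made-up addresses (example.net, example.org) and one ordinary accepted delivery added for contrast. The field names are the standard sendmail log fields; the tag names and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three quoted lines with hypothetical addresses filled in,
# plus one accepted message from another host so the classifier has a contrast case.
SAMPLE_LOG = """\
Aug 13 10:25:30 www sendmail[32614]: n7DEPT5r032614: ruleset=check_rcpt, arg1=<victim@example.net>, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.7.1 <victim@example.net>... Relaying denied. Proper authentication required.
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: lost input channel from 118-169-207-30.dynamic.hinet.net [118.169.207.30] to MTA after rcpt
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30]
Aug 13 10:40:02 www sendmail[32701]: n7DEe2Ab032701: from=<alice@example.org>, size=1532, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Aug 13 10:40:02 www sendmail[32702]: n7DEe2Ab032701: to=<bob@www.example.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31532, dsn=2.0.0, stat=Sent
"""

# syslog prefix, process, queue ID, then the record body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<body>.*)$"
)
RELAY_RE = re.compile(r"relay=(?P<name>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]")
LOST_RE = re.compile(
    r"lost input channel from (?P<name>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] to MTA after (?P<phase>\w+)"
)


def parse_line(line):
    """Split one sendmail log line into header fields plus a dict of body fields.

    Returns None for lines that are not queue-ID records. The 'lost input channel'
    message is free text, so it is matched separately from the key=value records.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    fields = {}
    lost = LOST_RE.match(body)
    if lost:
        fields["event"] = "lost_input_channel"
        fields["relay_name"], fields["relay_ip"] = lost.group("name"), lost.group("ip")
        fields["phase"] = lost.group("phase")
    else:
        fields["event"] = "record"
        for part in body.split(", "):          # sendmail separates fields with ", "
            key, sep, value = part.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        r = RELAY_RE.search(body)
        if r:
            fields["relay_name"], fields["relay_ip"] = r.group("name"), r.group("ip")
    rec["fields"] = fields
    return rec


def summarize(log_text):
    """Group records by queue ID and collect what each SMTP session did."""
    blank = lambda: {"ip": None, "relay_denied": False, "lost_after": None,
                     "nrcpts": None, "size": None, "delivered": 0}
    sessions = defaultdict(blank)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s, f = sessions[rec["qid"]], rec["fields"]
        if f.get("relay_ip"):
            s["ip"] = f["relay_ip"]
        if f["event"] == "lost_input_channel":
            s["lost_after"] = f["phase"]
        elif f.get("ruleset") == "check_rcpt" and "Relaying denied" in f.get("reject", ""):
            s["relay_denied"] = True                      # line 1 of the quoted session
        elif "nrcpts" in f:                               # the from= envelope summary
            s["nrcpts"], s["size"] = int(f["nrcpts"]), int(f.get("size", 0))
        elif f.get("stat", "").startswith("Sent"):
            s["delivered"] += 1
    return dict(sessions)


def classify(session):
    """Tag a session the way the reply reads the quoted lines (tag names are ours)."""
    tags = []
    if session["relay_denied"]:
        tags.append("relay-denied")
    if session["nrcpts"] == 0 and session["size"] == 0:
        tags.append("recipient-probe")                    # size=0, nrcpts=0: nothing queued
    if session["lost_after"]:
        tags.append("disconnected-after-" + session["lost_after"])
    if session["delivered"] or (session["nrcpts"] or 0) > 0:
        tags.append("accepted")
    return tags


def probes_by_ip(log_text):
    """Count, per remote IP, sessions that were denied relaying or only probed."""
    counts = defaultdict(int)
    for s in summarize(log_text).values():
        tags = classify(s)
        if s["ip"] and ("relay-denied" in tags or "recipient-probe" in tags):
            counts[s["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for qid, s in summarize(SAMPLE_LOG).items():
        print(qid, s["ip"], ", ".join(classify(s)))
    print(probes_by_ip(SAMPLE_LOG))
```

Run against a real maillog, probes_by_ip gives the per-host count that the reply says is harmless but annoying; the "accepted" tag on the contrast session is what a legitimate delivery looks like, so the two are easy to tell apart without touching the rejection behaviour itself.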