[BlueOnyx:02097] Re: did someone get access to server?

Doug Harvey dwh1958 at gmail.com
Thu Aug 13 10:17:13 -05 2009


Just my 2 cents. IP 118.169.207.30 is in my firewall as drop.

That address, as well as many others in the neighborhood, will consistently
hammer your server with relay/ftp requests.

Doug


-----Original Message-----
From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of Michael Stauber
Sent: Thursday, August 13, 2009 8:06 AM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:02095] Re: did someone get access to server?

Hi T. K.,

> Looking at my logs this morning and it looks like someone was trying to 
> send a message or something.  What do you think?

Nope. It's fine.

1st line:

Aug 13 10:25:30 www sendmail[32614]: n7DEPT5r032614: ruleset=check_rcpt,
arg1=, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550
5.7.1 ... Relaying denied. Proper authentication required.

Someone from 118.169.207.30 tried to use your Sendmail (from the outside) to
relay a message to an email account not on your box.

As it should be they got told: "Relaying denied. Proper authentication
required." and the message was not accepted.

2nd line:

Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: lost input channel from
118-169-207-30.dynamic.hinet.net [118.169.207.30] to MTA after rcpt

Connection to/from them was closed.

3rd line:

Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: from=, size=0, class=0,
nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net
[118.169.207.30]

They then probed your Sendmail to check if certain accounts exist on your
box. The part "size=0, class=0, nrcpts=0" tells us this.

That's a *very* common thing and you see that a lot. It's a mechanism that
even some legit people use to verify if an email address exists before they
actually try to deliver it to the address in question. It creates less
traffic than sending an actual email and getting it bounced because the
recipient doesn't exist.

But it's a fishy practice which spammers use a lot. They probe Sendmail for
existing system accounts and then send one SPAM which has all guessed
account names as BCC receivers.

It's of no concern security-wise as they don't actually try to guess
passwords. No, they "just" check if this or that email address is valid. I
find it annoying, but blocking such probes would also stop quite a chunk of
legit emails.

--
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx
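As an added illustration of the log reading Michael walks through above (example code written for this page, not part of the BlueOnyx project or of Sendmail), the script below parses the three quoted sendmail lines, tags each one as a refused relay attempt, a disconnect, or an "nrcpts=0 / size=0" address probe, and counts those per client IP. It also checks whether the client ever got an envelope accepted, which is the question T. K. was really asking. The three log lines are the ones from the thread, rejoined onto single lines; the fourth line, a normally accepted message from a hypothetical sender on an RFC 5737 documentation address, is constructed here purely for contrast, and the `nrcpts >= 1` rule it exercises goes slightly beyond the three cases the message discusses.

```python
"""Classify sendmail syslog lines of the kind quoted in the thread.

Added example, not from the BlueOnyx list or from Sendmail itself.
"""
import re
from collections import defaultdict

# The three lines quoted by Michael Stauber, joined back onto single lines as
# syslog writes them. The mail archive dropped the angle brackets in "from=<>".
SAMPLE_LOG = """\
Aug 13 10:25:30 www sendmail[32614]: n7DEPT5r032614: ruleset=check_rcpt, arg1=, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: lost input channel from 118-169-207-30.dynamic.hinet.net [118.169.207.30] to MTA after rcpt
Aug 13 10:25:31 www sendmail[32614]: n7DEPT5r032614: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=118-169-207-30.dynamic.hinet.net [118.169.207.30]
"""

# Constructed line (hypothetical sender, RFC 5737 documentation address) showing
# what an accepted envelope looks like for contrast: size > 0 and nrcpts >= 1.
CONSTRUCTED_ACCEPTED = (
    "Aug 13 10:30:00 www sendmail[32700]: n7DEU05r032700: from=<alice@example.org>, "
    "size=1234, class=0, nrcpts=1, msgid=<20090813103000.1@example.org>, proto=ESMTP, "
    "daemon=MTA, relay=mail.example.org [192.0.2.10]\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$"
)
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
NRCPTS_RE = re.compile(r"\bnrcpts=(?P<n>\d+)")
SIZE_RE = re.compile(r"\bsize=(?P<n>\d+)")


def classify(rest):
    """Map the text after the queue id to one event kind."""
    if "Relaying denied" in rest:
        return "relay_denied"          # check_rcpt refused an outside recipient
    if "lost input channel" in rest:
        return "disconnect"            # client hung up mid-session
    nr = NRCPTS_RE.search(rest)
    if nr:
        size = SIZE_RE.search(rest)
        if int(nr.group("n")) == 0 and size and int(size.group("n")) == 0:
            return "address_probe"     # envelope opened, no recipient kept, no DATA
        return "envelope_accepted"     # at least one recipient was accepted
    return "other"


def parse_line(line):
    """Split one syslog line into timestamp, queue id, client IP and event kind."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ipm = IP_RE.search(m.group("rest"))
    return {
        "ts": m.group("ts"),
        "qid": m.group("qid"),
        "ip": ipm.group("ip") if ipm else None,
        "kind": classify(m.group("rest")),
    }


def summarize(log_text):
    """Count event kinds per client IP (lines without an IP are skipped)."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ip"]:
            per_ip[ev["ip"]][ev["kind"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def accepted_mail(summary):
    """True per IP only if sendmail actually took an envelope from that client."""
    return {ip: c.get("envelope_accepted", 0) > 0 for ip, c in summary.items()}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG + CONSTRUCTED_ACCEPTED)
    for ip, counts in s.items():
        verdict = "accepted mail" if accepted_mail(s)[ip] else "nothing accepted"
        print(ip, counts, verdict)
```

Run against the three quoted lines alone, the summary for 118.169.207.30 is one `relay_denied`, one `disconnect` and one `address_probe`, with `accepted_mail` reporting `False`: exactly Michael's reading that the relay was refused and the client then only probed for addresses. A client that shows up with `relay_denied` or `address_probe` counts but never an `envelope_accepted` is noise to be rate-limited or firewalled, as Doug does; it is not evidence that anyone got into the box.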