Posted to users@spamassassin.apache.org by Mike Grau <m....@kcc.state.ks.us> on 2006/10/18 21:52:22 UTC

Spam or something else?

Hello.

(sendmail->mimedefang->spamassassin)

Since this past weekend I've been seeing in the mail log:

   possible SMTP attack: command=HELO/EHLO, count=3

These used to be very rare, but since Saturday there are a great many
(for us). For the past few hours, I've been firewalling the offending
IPs with iptables as they occur, but so far the supply of IP addresses
seems endless.

The IPs do seem weighted towards a couple of ISPs in Israel though:

  No. of ip addresses:

  KOREA, REPUBLIC OF: 7
  RUSSIAN FEDERATION: 12
  GERMANY: 17
  CHINA: 20
  UNITED STATES: 21
  CZECH REPUBLIC: 47
  ISRAEL: 93

I don't think any of these messages have actually made it as far as
getting to SA, but can someone enlighten me as to what this is?

-- Mike G

Re: Spam or something else?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 18 Oct 2006, Mike Grau wrote:

> Hello.
>
> (sendmail->mimedefang->spamassassin)
>
> Since this past weekend I've been seeing in the mail log:
>
>    possible SMTP attack: command=HELO/EHLO, count=3
>
> These used to be very rare, but since Saturday there are a great many
> (for us). For the past few hours, I've been firewalling the offending
> IPs with iptables as they occur, but so far the supply of IP addresses
> seems endless.
>
> The IPs do seem weighted towards a couple of ISPs in Israel though:
>
>   No. of ip addresses:
>
>   KOREA, REPUBLIC OF: 7
>   RUSSIAN FEDERATION: 12
>   GERMANY: 17
>   CHINA: 20
>   UNITED STATES: 21
>   CZECH REPUBLIC: 47
>   ISRAEL: 93
>
> I don't think any of these messages have actually made it as far as
> getting to SA, but can someone enlighten me as to what this is?
>
> -- Mike G

Seeing bunches here too from all over the world, looks like some kind
of bot flood. Funny thing, it all seemed to stop cold at 18:00 (CST) today.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
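
Added example, not part of the original thread: a Python tally of the "possible SMTP attack" log lines discussed above, counting hits per source IP so that repeat offenders stand out before anything is firewalled. The sample log lines are constructed, and the syslog prefix, queue id and "host [ip]" layout around the message are assumptions about the sendmail log format; only the message text itself comes from the post.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (syslog prefix, queue id, "host [ip]")
# is an assumption; only the "possible SMTP attack: command=..., count=N"
# text is taken from the thread. IPs are documentation ranges.
SAMPLE_LOG = """\
Oct 18 14:02:11 mx sendmail[4101]: k9IJ2B01004101: dsl.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 18 14:02:15 mx sendmail[4102]: k9IJ2F02004102: [198.51.100.7]: possible SMTP attack: command=HELO/EHLO, count=3
Oct 18 14:03:40 mx sendmail[4110]: k9IJ3e03004110: dsl.example.net [192.0.2.10]: possible SMTP attack: command=HELO/EHLO, count=4
Oct 18 14:04:02 mx sendmail[4120]: k9IJ4204004120: from=<a@example.org>, size=812, nrcpts=1, relay=mail.example.org [203.0.113.5]
Oct 18 14:05:19 mx sendmail[4131]: k9IJ5J05004131: [198.51.100.7]: possible SMTP attack: command=RCPT, count=25
"""

# The client may be logged as "host [ip]" or as a bare "[ip]" when it has no
# reverse DNS; the "IPv6:" prefix inside the brackets is assumed optional.
ATTACK_RE = re.compile(
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]: possible SMTP attack: "
    r"command=(?P<command>[^,\s]+), count=(?P<count>\d+)"
)

def parse_attacks(log_text):
    """Yield (ip, command, count) for each 'possible SMTP attack' line."""
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            yield m["ip"], m["command"], int(m["count"])

def tally(log_text, command="HELO/EHLO"):
    """Return a Counter of log hits per source IP for one SMTP command."""
    hits = Counter()
    for ip, cmd, _count in parse_attacks(log_text):
        if cmd == command:
            hits[ip] += 1
    return hits

def repeat_offenders(hits, min_hits=2):
    """IPs logged at least min_hits times, busiest first."""
    return [ip for ip, n in hits.most_common() if n >= min_hits]

if __name__ == "__main__":
    hits = tally(SAMPLE_LOG)
    print(f"{len(hits)} distinct IPs, {sum(hits.values())} HELO/EHLO hits")
    for ip, n in hits.most_common():
        print(f"{n:4d}  {ip}")
```

Feeding the per-IP list into a GeoIP or whois lookup gives the kind of per-country breakdown shown in the first message.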