[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Should I worry - How to block?

-> "Sounds like a good idea. You could of course block this IP-address or
the entire address range of the originating ISP instead."

How would one go about doing this on a Qube 3?

---------------------- Forwarded by John Meyerhofer/Mpc/MetLife/US on
12/12/2001 09:40 AM ---------------------------


"Michael Stauber" <cobalt@xxxxxxxxxxxxxx>@list.cobalt.com on 12/12/2001
08:53:55 AM

Please respond to cobalt-security@xxxxxxxxxxxxxxx

Sent by:  cobalt-security-admin@xxxxxxxxxxxxxxx


To:   cobalt-security@xxxxxxxxxxxxxxx
cc:

Subject:  Re: [cobalt-security] Should I worry


Hi Audric,

> During the last few days I got hundreds of these:
>
> Dec 12 09:04:08 qube3 sendmail[20950]: NOQUEUE: mrh.rcmail.com
[216.54.1.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> should I worry.

Jepp. Could be that someone connected manually to your sendmail port and
is/was trying to trick it into doing bad stuff.

You can test it out by using "telnet <your.ip.address> 25". Sendmail will
then greet you and expects to talk to a mail programm or other mail server.
You can basically send emails that way by just typing the commands that
Sendmail expects during a normal mail connection, or by letting a script
generate them.

The error message above (did not issue MAIL/EXPN/VRFY/ETRN) tells us that
the connecting party got past the initial "HELO" greeting, but then didn't
behave as sendmail expected.

> Meanwhile I changed the default rule of my firewall from accept
> to deny.

Sounds like a good idea. You could of course block this IP-address or the
entire address range of the originating ISP instead.

--
With best regards,

Michael Stauber
SOLARSPEED.NET
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security