Sendmail DOS ?

From: Fragga (fraggaat_private)
Date: Wed Mar 27 2002 - 02:30:37 PST

    Greetings,
    
    I just wondered if anyone can help me out with a possible incident / DOS.
    For the past 10 hours or so I have been getting sendmail log entries like:
    ....
    Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    .... continuous ......
    
    They are happening every 1 min and 10 seconds roughly and, as I said, have
    been going on for about 10-12 hours, all from the same host...
    I've sniffed the traffic and captured the whole session. It's quite short and
    I have recreated it from another machine below:
    
    -- Start Session --
    Connected to *.*.*.*.
    Escape character is '^]'.
    220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
    EHLO michael
    250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-SIZE 2097152
    250-DSN
    250-ONEX
    250-ETRN
    250-XUSR
    250-AUTH PLAIN
    250 HELP
    
    500 5.5.1 Command unrecognized: ""
    AUTH PLAIN
    334 =
    AHZpYXVrAA==
    500 5.7.0 authentication failed
    QUIT
    221 2.0.0 hostname.net closing connection
    -- End Session --
    
    I don't understand what this person's trying to do, as it's using the same
    password each time and this same michael hostname, so it appears not to be a
    brute force.
    
    Is this just a small pointless automated DOS or could it be something more
    worrying? Could anyone shed any light on this or offer any advice? I know I
    could just add it to hosts.deny, but I'm just trying to figure out why it's
    going on and prevent it happening again. Any suggestions / linkage would be
    great.
    
    Many thanks.
    
    fragga
    
    PS: I made a post on here before but it got returned ... dunno why :(
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
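As an added example (not part of the post above or of any reply to it), here is a small Python triage script covering the two things a responder would do with this report: parse sendmail NOQUEUE "did not issue MAIL/EXPN/VRFY/ETRN" entries and flag source addresses that reconnect at a near-constant cadence, and split the captured AUTH PLAIN token into its RFC 4616 fields (authzid, authcid, password). The log lines are constructed (example.net / 192.0.2.x hosts) but follow the format shown in the post; the token is the one from the captured session; the function names and thresholds are my own.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, modelled on the entries in the post. Host names and
# addresses are made up (example.net / 192.0.2.x); the 192.0.2.77 lines are an
# ordinary delivery included as a non-matching control.
SAMPLE_LOG = """\
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host1-2-3-4.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host1-2-3-4.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host1-2-3-4.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host1-2-3-4.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host1-2-3-4.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:02 hostname sendmail[801]: NOQUEUE: mx.example.org [192.0.2.77] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:35:10 hostname sendmail[910]: g2R6ZAq00910: from=<user@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.org [192.0.2.77]
"""

# One sendmail NOQUEUE "did not issue" entry. syslog pads single-digit days
# with a second space, hence ' +' before the day number.
NOQUEUE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)


def parse_noqueue(log_text, year=2002):
    """Return {ip: [datetime, ...]} for every 'did not issue' NOQUEUE entry.
    syslog timestamps carry no year, so the caller supplies it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = NOQUEUE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append(ts)
    return dict(events)


def flag_regular_callers(events, min_count=4, max_jitter_s=5.0):
    """Flag addresses that open at least min_count no-command sessions at a
    near-constant interval (population stdev of the gaps <= max_jitter_s).
    Returns {ip: (count, mean_gap_s, stdev_gap_s)}; a scripted reconnect loop
    like the one in the post shows up as a low-jitter series."""
    flagged = {}
    for ip, times in events.items():
        if len(times) < min_count:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps)
        if jitter <= max_jitter_s:
            flagged[ip] = (len(times), mean(gaps), jitter)
    return flagged


def decode_auth_plain(token):
    """Split a SASL PLAIN message (RFC 4616) into (authzid, authcid, passwd).
    The wire form is base64 of: [authzid] NUL authcid NUL passwd."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


if __name__ == "__main__":
    for ip, (n, gap, jitter) in flag_regular_callers(parse_noqueue(SAMPLE_LOG)).items():
        print(f"{ip}: {n} empty sessions, every {gap:.0f}s (+/- {jitter:.1f}s)")
    # Token from the captured session in the post.
    authzid, authcid, passwd = decode_auth_plain("AHZpYXVrAA==")
    print(f"AUTH PLAIN: authzid={authzid!r} authcid={authcid!r} password_len={len(passwd)}")
```

Run against the constructed log, the script flags 192.0.2.10 with five empty sessions at a steady 70-second interval and ignores the host with a single NOQUEUE entry. Decoding the token from the session gives an empty authzid, authcid "viauk" and an empty password, so the client sends the same fixed credential on every connection.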
    



    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 08:50:37 PST