Re: Sendmail DOS ?

From: Micheal Patterson (michealat_private)
Date: Wed Mar 27 2002 - 09:06:24 PST


    The notice "MAIL/EXPN/VRFY/ETRN during connection to MTA" usually indicates
    a dead connection, meaning that they connected to your SMTP port and just
    quit out. You can duplicate this message yourself just by telnetting to
    your SMTP server and typing quit after it sends its connection notice. This
    doesn't mean that they're not sending anything to the SMTP server, just that
    it doesn't recognize what they've sent as a valid command at that point in
    the process.
    
    --
    
    Micheal Patterson
    Network Administration
    Cancer Care Network
    405-733-2230
    
    ----- Original Message -----
    From: "Fragga" <fraggaat_private>
    To: <incidentsat_private>
    Sent: Wednesday, March 27, 2002 4:30 AM
    Subject: Sendmail DOS ?
    
    
    > Greetings,
    >
    > i just wondered if anyone can help me out with a possible incident / DOS.
    > for the past 10 hours or so i have been getting sendmail log entries like.
    > ....
    > Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE:
    > host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
    > MAIL/EXPN/VRFY/ETRN during connection to MTA
    > Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE:
    > host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
    > MAIL/EXPN/VRFY/ETRN during connection to MTA
    > Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE:
    > host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
    > MAIL/EXPN/VRFY/ETRN during connection to MTA
    > Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE:
    > host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
    > MAIL/EXPN/VRFY/ETRN during connection to MTA
    > Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE:
    > host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
    > MAIL/EXPN/VRFY/ETRN during connection to MTA
    > .... continuous ......
    >
    > they are happening every 1 min and 10 seconds roughly and, as I said, it's been
    > going on for about 10-12 hours, all from the same host...
    > I've sniffed the traffic and captured the whole session. It's quite short and
    > I have recreated it from another machine below ....
    >
    > -- Start Session --
    > Connected to *.*.*.*.
    > Escape character is '^]'.
    > 220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
    > EHLO michael
    > 250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
    > 250-ENHANCEDSTATUSCODES
    > 250-8BITMIME
    > 250-SIZE 2097152
    > 250-DSN
    > 250-ONEX
    > 250-ETRN
    > 250-XUSR
    > 250-AUTH PLAIN
    > 250 HELP
    >
    > 500 5.5.1 Command unrecognized: ""
    > AUTH PLAIN
    > 334 =
    > AHZpYXVrAA==
    > 500 5.7.0 authentication failed
    > QUIT
    > 221 2.0.0 hostname.net closing connection
    > -- End Session --
    >
    > I don't understand what this person's trying to do as it's using the same
    > password each time and using this same michael hostname, so it appears
    > not to be a brute force.
    >
    > Is this just a small pointless automated DOS or could it be something more
    > worrying? Could anyone shed any light on this or offer any advice? I know I
    > could just add it to hosts.deny, but I'm just trying to figure out why it's
    > going on and prevent it happening again. Any suggestions / linkage would be
    > great.
    >
    > many thanks.
    >
    > fragga
    >
    > PS: I made a post on here before but it got returned ... dunno why :(
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
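A worked example added by the editor, not code from either poster: a small Python triage script for the two artifacts in the thread. It parses sendmail "did not issue MAIL/EXPN/VRFY/ETRN" notices, groups them by client address and reports clients that reconnect at a steady interval (the 70-second cadence Fragga observed is what an automated client looks like in the log), and it splits a SASL PLAIN initial response into its three NUL-separated fields (RFC 4616) so an analyst can see what credential a captured AUTH PLAIN exchange actually carried. The sample log lines are the five from the thread, with the addresses masked exactly as posted, plus three constructed lines for a second, irregular client; the regex, function names and the `year` parameter (syslog timestamps carry no year) are the editor's assumptions.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Matches the sendmail NOQUEUE notice quoted in the thread (one line per event).
# Assumed layout: "<Mon DD HH:MM:SS> <host> sendmail[<pid>]: NOQUEUE: <client> [<ip>] did not issue ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"NOQUEUE: (?P<client>\S+) \[(?P<ip>[^\]]+)\] did not issue "
    r"MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)


def parse_noqueue(lines, year=2002):
    """Return (timestamp, client_name, client_ip) for every matching line.
    Syslog timestamps have no year, so the caller supplies one (assumed 2002
    to match the thread). Non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["client"], m["ip"]))
    return events


def cadence_by_client(events, min_hits=3, max_jitter=5.0):
    """Group events by client IP and flag clients whose inter-arrival times are
    nearly constant (population std-dev <= max_jitter seconds). A fixed cadence
    is the signature of a script, not a person typing into telnet."""
    by_ip = defaultdict(list)
    for ts, _name, ip in events:
        by_ip[ip].append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)
        report[ip] = {
            "hits": len(stamps),
            "mean_gap_s": mean(gaps),
            "jitter_s": jitter,
            "regular": jitter <= max_jitter,
        }
    return report


def decode_auth_plain(token):
    """Split a base64 SASL PLAIN response into authzid, authcid and password.
    RFC 4616 defines the message as: [authzid] NUL authcid NUL passwd."""
    raw = base64.b64decode(token)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a well-formed PLAIN response")
    authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


# Five lines as quoted in the thread (addresses masked by the poster), followed by
# three constructed lines for a second client with no steady cadence and one
# unrelated sendmail line to show that the filter ignores it.
THREAD_CLIENT = "host*-*-*-*.in-addr.btopenworld.com [*.*.*.*]"
TAIL = "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
SAMPLE_LOG = [
    f"Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: {THREAD_CLIENT} {TAIL}",
    f"Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: {THREAD_CLIENT} {TAIL}",
    f"Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: {THREAD_CLIENT} {TAIL}",
    f"Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: {THREAD_CLIENT} {TAIL}",
    f"Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: {THREAD_CLIENT} {TAIL}",
    # constructed: irregular gaps of 200 s and 40 s
    f"Mar 27 06:30:00 hostname sendmail[701]: NOQUEUE: pc.example.test [192.0.2.10] {TAIL}",
    f"Mar 27 06:33:20 hostname sendmail[811]: NOQUEUE: pc.example.test [192.0.2.10] {TAIL}",
    f"Mar 27 06:34:00 hostname sendmail[870]: NOQUEUE: pc.example.test [192.0.2.10] {TAIL}",
    # constructed: ordinary delivery line, not a NOQUEUE notice
    "Mar 27 06:35:10 hostname sendmail[901]: g2R6ZAx0901: from=<user@example.test>, size=512",
]

if __name__ == "__main__":
    for ip, row in cadence_by_client(parse_noqueue(SAMPLE_LOG)).items():
        print(ip, row)
    # The AUTH PLAIN token from the captured session quoted in the thread.
    print(decode_auth_plain("AHZpYXVrAA=="))
```

Running it shows the thread's client with five hits, a mean gap of exactly 70 seconds and zero jitter (flagged regular), the constructed client flagged irregular, and the captured token decoding to an empty authorization id, a short authentication id and an empty password, which is consistent with Fragga's reading that the same fixed credential is replayed rather than a password list being tried. The `regular` flag is a reasonable input for a rate-limit or tcp_wrappers decision, where a human connecting by hand would not trip it.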
    



    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 10:58:12 PST