I came across a few entries that I haven't encountered before while looking at my messages.log. Can anyone explain to me what this means?
00:52:48 domain.com [220.127.116.11] (may be forged): QUIT: domain.com [18.104.22.168] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:53:02 smtp(pam_unix): check pass; user unknown
00:53:02 smtp(pam_unix): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
There were thousands of these messages. I'm assuming someone is attempting a dictionary attack on the SMTP server, so they can use it to spam, I guess. I wasn't worried about it, but two unique entries amongst thousands from this domain in mail.log got my interest. They are the entries with sendmail.
These are the entries in mail.log:
15:00:46 sendmail: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=domain.com [22.214.171.124] (may be forged)
15:26:37 sendmail: STARTTLS=server, relay=domain.com [126.96.36.199] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
15:26:37 sendmail: from=<>, size=12076, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=domain.com [188.8.131.52] (may be forged)
08:58:30 sendmail: domain.com [184.108.40.206] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
There are thousands of entries (excluding sendmail) and the domain always stays the same; however, the IP address changes as shown above.
What's going on here?
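A way to triage logs like these, added here as an example and not part of the original question: sendmail writes "(may be forged)" when the name it got from the connecting IP's reverse lookup does not resolve back to that IP, and "did not issue MAIL/EXPN/VRFY/ETRN" when a client connected and left without sending mail (typical of scanners and authentication probing). The script below classifies the message shapes shown in the question, counts them per connecting IP, and flags IPs whose combined no-mail-command and authentication-failure events reach a threshold. The regexes, the `mail.example` hostname, the 192.0.2.x addresses, the sample lines and the threshold of 3 are all constructed assumptions for this example; adapt the patterns if your syslog prefix differs.

```python
import re
from collections import Counter, defaultdict

# Patterns for the message shapes quoted in the question (constructed for this
# example; your syslog prefix may need an adjusted regex).
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_FAIL_RE = re.compile(r"pam_unix\): authentication failure")
USER_UNKNOWN_RE = re.compile(r"pam_unix\): check pass; user unknown")
NO_MAIL_RE = re.compile(r"did not issue MAIL/EXPN/VRFY/ETRN")
SENDMAIL_RE = re.compile(r"sendmail: (.*)")
KV_RE = re.compile(r"(\w+)=([^,]*)")  # sendmail's "key=value, key=value" fields

# Constructed sample lines modelled on the question's logs (192.0.2.x is a
# documentation address range; mail.example is a placeholder hostname).
SAMPLE_LINES = [
    "00:52:48 mail.example [192.0.2.10] (may be forged): QUIT: mail.example [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "00:53:02 smtp(pam_unix): check pass; user unknown",
    "00:53:02 smtp(pam_unix): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=",
    "00:53:09 mail.example [192.0.2.10] (may be forged): QUIT: mail.example [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "00:53:20 mail.example [192.0.2.10] (may be forged): QUIT: mail.example [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "15:00:46 sendmail: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example [192.0.2.11] (may be forged)",
    "15:26:37 sendmail: STARTTLS=server, relay=mail.example [192.0.2.11] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "15:26:37 sendmail: from=<>, size=12076, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example [192.0.2.11] (may be forged)",
    "08:58:30 sendmail: mail.example [192.0.2.12] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
]


def classify(line):
    """Return (category, ip_or_None) for one log line.

    pam_unix lines carry an empty rhost= field, so they cannot be attributed
    to an IP; they are counted but returned with ip=None.
    """
    ip_match = IP_RE.search(line)
    ip = ip_match.group(1) if ip_match else None
    if AUTH_FAIL_RE.search(line):
        return "auth_failure", ip
    if USER_UNKNOWN_RE.search(line):
        return "user_unknown", ip
    if NO_MAIL_RE.search(line):
        return "no_mail_command", ip
    m = SENDMAIL_RE.search(line)
    if m:
        fields = dict(KV_RE.findall(m.group(1)))
        if "STARTTLS" in fields:
            # verify=NO: the client offered no certificate or it did not verify
            return ("starttls_unverified" if fields.get("verify") == "NO"
                    else "starttls", ip)
        if fields.get("from") == "<>" and fields.get("nrcpts") == "0":
            # null sender with no recipients: session ended before RCPT/DATA
            return "null_sender_no_rcpt", ip
        return "sendmail_other", ip
    return "other", ip


def summarize(lines, threshold=3):
    """Count categories overall and per IP; flag IPs that reach the threshold.

    Returns (counts, per_ip, flagged) where flagged is a sorted list of IPs
    whose no_mail_command + auth_failure events are >= threshold.
    """
    counts = Counter()
    per_ip = defaultdict(Counter)
    for line in lines:
        cat, ip = classify(line)
        counts[cat] += 1
        if ip:
            per_ip[ip][cat] += 1
    flagged = sorted(ip for ip, c in per_ip.items()
                     if c["no_mail_command"] + c["auth_failure"] >= threshold)
    return counts, dict(per_ip), flagged


if __name__ == "__main__":
    counts, per_ip, flagged = summarize(SAMPLE_LINES)
    for cat, n in counts.most_common():
        print(f"{cat:22s} {n}")
    for ip in sorted(per_ip):
        print(ip, dict(per_ip[ip]))
    print("flagged:", flagged)
```

Pipe a real file in with `summarize(open("/var/log/mail.log"))` and tune `threshold` to your volume; the per-IP table is what you would hand to a firewall rule or rate limiter, while the unattributed pam_unix counts tell you how hard the AUTH endpoint is being probed even though those lines name no host.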