#1  
30th November 2006, 22:15
DrZaius
Strange log entries

I came across a few entries that I haven't encountered before while looking at my messages.log. Can anyone explain to me what this means?
Code:
00:52:48 domain.com [64.118.95.188] (may be forged): QUIT[3116]: domain.com [123.123.123.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:53:02 smtp(pam_unix)[3124]: check pass; user unknown
00:53:02 smtp(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
There were thousands of these messages. I'm assuming someone is attempting a dictionary attack on the SMTP server so they can use it to spam, I guess. I wasn't worried about it, but two unique entries amongst thousands from this domain in mail.log got my interest. They are the entries with sendmail[9498].

These are the entries in mail.log:
Code:
15:00:46 sendmail[8655]: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=domain.com [123.123.123.113] (may be forged)
15:26:37 sendmail[9498]: STARTTLS=server, relay=domain.com [123.123.123.20] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
15:26:37 sendmail[9498]: from=<>, size=12076, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=domain.com [123.123.123.20] (may be forged)
08:58:30 sendmail[8220]: domain.com [64.118.95.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
There are thousands of entries (excluding sendmail[9498]) and the domain always stays the same; however, the IP address changes, as shown above.

What's going on here?
  #2  
1st December 2006, 17:39
falko

Spammers are trying to find out if they can use your server for spamming. If you use SMTP-AUTH and strong passwords, I don't think they will succeed.
__________________
Falko
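
To size up the pattern discussed in this thread (one logged host name arriving from changing IP addresses, sessions that never issue MAIL, and PAM failures for the smtp service), the following triage script is an added example and not part of either post. The function names, the `min_ips` threshold and the sample lines (documentation IP ranges, in the format of the excerpts above) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's excerpts (documentation IPs).
SAMPLE_LOG = """\
00:52:48 sendmail[3116]: domain.com [192.0.2.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:53:02 smtp(pam_unix)[3124]: check pass; user unknown
00:53:02 smtp(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
00:53:09 sendmail[3130]: domain.com [192.0.2.113] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:53:15 smtp(pam_unix)[3131]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
00:53:40 sendmail[3140]: domain.com [192.0.2.20] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:54:01 sendmail[3150]: domain.com [192.0.2.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:55:12 sendmail[3160]: from=<user@example.net>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.net [198.51.100.7]
"""

# "name [ip]" as sendmail logs it, with or without a leading "relay=".
HOST_IP = re.compile(r"(?:relay=)?(\S+) \[(\d+\.\d+\.\d+\.\d+)\]( \(may be forged\))?")
NO_MAIL = "did not issue MAIL/EXPN/VRFY/ETRN"
PAM_FAIL = re.compile(r"\bsmtp\(pam_unix\)\[\d+\]: authentication failure")

def summarize(log_text):
    """Tally SMTP probing indicators from sendmail and PAM log lines."""
    ips_by_host = defaultdict(set)    # logged host name -> distinct client IPs
    no_mail_by_ip = defaultdict(int)  # sessions that ended without MAIL/EXPN/VRFY/ETRN
    dns_mismatch = set()              # "(may be forged)": PTR name does not resolve back to the IP
    auth_failures = 0                 # these PAM lines have an empty rhost=, so no IP to credit
    for line in log_text.splitlines():
        if PAM_FAIL.search(line):
            auth_failures += 1
            continue
        m = HOST_IP.search(line)
        if not m:
            continue
        host, ip, flagged = m.groups()
        ips_by_host[host].add(ip)
        if flagged:
            dns_mismatch.add(ip)
        if NO_MAIL in line:
            no_mail_by_ip[ip] += 1
    return {"ips_by_host": dict(ips_by_host), "no_mail_by_ip": dict(no_mail_by_ip),
            "dns_mismatch": dns_mismatch, "auth_failures": auth_failures}

def rotating_hosts(summary, min_ips=3):
    """Host names logged from at least min_ips distinct addresses (assumed threshold)."""
    return sorted(h for h, ips in summary["ips_by_host"].items() if len(ips) >= min_ips)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("rotating hosts:", rotating_hosts(s))
    print("SMTP auth failures:", s["auth_failures"])
    for ip, n in sorted(s["no_mail_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} session(s) without MAIL")
```

Because the PAM lines carry no remote host, the per-IP counts come only from the sendmail lines; the authentication-failure total is reported separately.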
All times are GMT +2.