Strange log entries

Discussion in 'Server Operation' started by DrZaius, Nov 30, 2006.

  1. DrZaius

    DrZaius New Member

    I came across a few entries that I haven't ecountered before while looking at my messages.log. Can anyone explain to me what this means?
    00:52:48 [] (may be forged): QUIT[3116]: [] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    00:53:02 smtp(pam_unix)[3124]: check pass; user unknown
    00:53:02 smtp(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
    There were thousands of these messages. I'm assuming someone is attempting a dictionary attack on the SMTP server; so they can use it to spam I guess. I wasn't worried about it but two unique entries amongst thousands from this domain in mail.log got my interest. They are the entries with sendmail[9498].

    These are the entries in mail.log:
    15:00:46 sendmail[8655]: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, [] (may be forged)
    15:26:37 sendmail[9498]: STARTTLS=server, [] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
    15:26:37 sendmail[9498]: from=<>, size=12076, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, [] (may be forged)
    08:58:30 sendmail[8220]: [] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    There are thousands of entries (excluding sendmail[9498]) and the domain always stays the same, however, the ip address changes as shown above.

    What's going on here?
  2. falko

    falko Super Moderator ISPConfig Developer

    Spammers are trying to find out if they can use your server for spamming. If you use SMTP-AUTH and strong passwords, I don't think they will succeed.

Share This Page