Security Incidents mailing list archives

Re: HELO/EHLP attack?.


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 4 Aug 2000 13:30:07 -0400

> Jul 31 19:49:46 mail sendmail[5153]: NOQUEUE: [64.41.151.78]: HELO/EHLO
> attack?
>
> This is a remote attack, I guess? (but I'd like to be sure, please).
From the Sendmail 8.8.5 release notes (Oct 97):

        Slow down when too many "light weight" commands have been issued;
                this helps prevent a class of denial-of-service attacks.
                The current values and defaults are:
                    MAXNOOPCOMMANDS     20      NOOP, VERB, ONEX, XUSR
                    MAXHELOCOMMANDS     3       HELO, EHLO
                    MAXVRFYCOMMANDS     6       VRFY, EXPN
                    MAXETRNCOMMANDS     8       ETRN
                These will probably be configurable in a future release.

Most likely, somebody trying to forge mail by telnetting to port
25 and having trouble getting the HELO right.  The original attack
was that you could drive up the load average at the remote end
by doing a 'yes EHLO | netcat victim 25'.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
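As an added example (not code from the post, and not sendmail's own source): a small Python model of the per-connection counters the quoted release note describes, plus a parser that pulls the offending peers out of syslog lines like the one quoted above. The thresholds are the ones in the note. The one-second-per-excess-command delay, the single log line on the first excess command, and the log wording for the classes other than HELO/EHLO are assumptions about sendmail's behaviour; the sample log lines other than the quoted one are constructed.

```python
import re
from collections import Counter

# Limits quoted from the sendmail 8.8.5 release notes in the post, with the
# verbs each counter covers.  The display string for HELO/EHLO matches the
# syslog line in the post; the strings for the other three classes are
# assumed wording for this example, not sendmail's actual messages.
LIMITS = {
    "noop": (20, ("NOOP", "VERB", "ONEX", "XUSR")),
    "helo": (3, ("HELO", "EHLO")),
    "vrfy": (6, ("VRFY", "EXPN")),
    "etrn": (8, ("ETRN",)),
}


class LightweightCommandThrottle:
    """Per-connection counters for "light weight" SMTP commands.

    Modelled on the release-note description.  Two details are assumptions
    about sendmail's implementation, not facts from the post: the first
    command past a limit is logged once as "... attack?", and every command
    past the limit is delayed by (count - limit) seconds, so the per-command
    delay grows linearly and the total wait grows quadratically.
    """

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.counts = Counter()
        self.log = []

    def observe(self, line):
        """Return the delay in seconds imposed before answering this command."""
        parts = line.split()
        verb = parts[0].upper() if parts else ""
        for cls, (limit, verbs) in LIMITS.items():
            if verb not in verbs:
                continue
            self.counts[cls] += 1
            excess = self.counts[cls] - limit
            if excess <= 0:
                return 0
            if excess == 1:
                self.log.append(
                    f"NOQUEUE: [{self.peer_ip}]: {'/'.join(verbs)} attack?")
            return excess
        return 0  # MAIL, RCPT, DATA, QUIT and friends are not counted


def run_session(peer_ip, lines):
    """Feed one client's command lines through the throttle.

    Returns (total_delay_seconds, log_lines_emitted)."""
    throttle = LightweightCommandThrottle(peer_ip)
    total = sum(throttle.observe(line) for line in lines)
    return total, throttle.log


# Matches the NOQUEUE throttle message in a sendmail syslog line.
THROTTLE_LOG = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: \[(?P<ip>[^\]]+)\]: (?P<what>[A-Z/]+ attack\?)")


def attack_sources(log_lines, what="HELO/EHLO attack?"):
    """Count peers that tripped the given throttle message in a syslog extract."""
    hits = Counter()
    for line in log_lines:
        m = THROTTLE_LOG.search(line)
        if m and m.group("what") == what:
            hits[m.group("ip")] += 1
    return hits


# Constructed sample: the line from the post plus invented entries using
# RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Jul 31 19:49:46 mail sendmail[5153]: NOQUEUE: [64.41.151.78]: HELO/EHLO attack?",
    "Jul 31 19:50:02 mail sendmail[5160]: NOQUEUE: [192.0.2.7]: HELO/EHLO attack?",
    "Jul 31 19:50:09 mail sendmail[5161]: NOQUEUE: [192.0.2.7]: VRFY/EXPN attack?",
    "Jul 31 19:51:33 mail sendmail[5170]: NOQUEUE: [192.0.2.7]: HELO/EHLO attack?",
    "Jul 31 19:52:00 mail sendmail[5172]: to=<user@example.net>, delay=00:00:01, stat=Sent",
]

if __name__ == "__main__":
    # What 'yes EHLO | netcat victim 25' costs the client for its first six
    # lines under this model: 0+0+0+1+2+3 seconds of waiting, one log line.
    print(run_session("192.0.2.10", ["EHLO attacker.example"] * 6))
    print(attack_sources(SAMPLE_LOG))
```

The point of the model is the shape of the defence: the throttle does not refuse the connection, it makes each further light-weight command cost the client more wall-clock time than the server, so a `yes EHLO` loop stalls on the client side instead of driving the server's load average. A peer that appears once in `attack_sources` is usually just a human fumbling a hand-typed HELO, as the post says; the same address showing up across many short-lived sessions is the pattern worth a second look.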

