Security Incidents mailing list archives

Sendmail DoS?


From: "Fragga" <fragga () fragga co uk>
Date: Wed, 27 Mar 2002 04:30:37 -0600

Greetings,

I just wondered if anyone can help me out with a possible incident / DoS.
For the past 10 hours or so I have been getting sendmail log entries like:
....
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE:
host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE:
host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE:
host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE:
host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE:
host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
.... continuous ......

They are happening every 1 min and 10 seconds roughly and, as I said, have been
going on for about 10-12 hours, all from the same host.
I've sniffed the traffic and captured the whole session. It's quite short and
I have recreated it from another machine below:

-- Start Session --
Connected to *.*.*.*.
Escape character is '^]'.
220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
EHLO michael
250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE 2097152
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH PLAIN
250 HELP

500 5.5.1 Command unrecognized: ""
AUTH PLAIN
334 =
AHZpYXVrAA==
500 5.7.0 authentication failed
QUIT
221 2.0.0 hostname.net closing connection
-- End Session --

I don't understand what this person's trying to do, as it's using the same
password each time and using this same michael hostname, so it appears not to
be a brute force.

Is this just a small pointless automated DoS or could it be something more
worrying? Could anyone shed any light on this or offer any advice? I know I
could just add to hosts.deny, but I'm just trying to figure out why it's going
on and prevent it happening again. Any suggestions / linkage would be great.

Many thanks.

fragga

PS: I made a post on here before but it got returned ... dunno why :(
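As an added analysis example (not part of the original post), the Python below does the two checks a responder would want for the evidence above: it parses sendmail NOQUEUE "did not issue MAIL/EXPN/VRFY/ETRN" entries in the format shown and measures the gap between connections per client, and it splits the base64 AUTH PLAIN response from the captured session into its SASL fields (authzid, authcid, password) so you can see what the client is actually presenting. The embedded log lines are constructed from the post's format, with the host and IP masked as in the post.

```python
import base64
import re
from datetime import datetime

# Constructed sample in the sendmail format quoted in the post (host/IP masked as there).
SAMPLE_LOG = """\
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

NOQUEUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)


def noqueue_intervals(log_text, year=2002):
    """Group NOQUEUE 'did not issue' events by (host, ip) and return the
    seconds between consecutive connections from each client. syslog lines
    carry no year, so the caller supplies it (the post is from 2002)."""
    per_client = {}
    for line in log_text.splitlines():
        m = NOQUEUE_RE.match(line)
        if not m:
            continue  # not one of the events we are measuring
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_client.setdefault((m["host"], m["ip"]), []).append(ts)
    return {
        client: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for client, times in per_client.items()
    }


def decode_sasl_plain(b64_response):
    """Split a SASL PLAIN client response (RFC 2595/4616):
    base64( authzid NUL authcid NUL passwd ). Any field may be empty."""
    parts = base64.b64decode(b64_response).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN response must be exactly authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


if __name__ == "__main__":
    print(noqueue_intervals(SAMPLE_LOG))      # 70 s gaps, matching "1 min and 10 seconds"
    print(decode_sasl_plain("AHZpYXVrAA=="))  # the response sent in the captured session
```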

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com