On 18-06-11 01:27 PM, Brielle Bruns wrote:
> Been seeing an awful lot of these lately on one of my email servers (exim based):
>
> 2018-06-11 14:15:44 no host name found for IP address 157.25.104.90
> 2018-06-11 14:15:47 rejected HELO from [157.25.104.90]: syntactically invalid argument(s): *.*
> 2018-06-11 14:21:42 no host name found for IP address 185.221.172.140
> 2018-06-11 14:21:43 rejected HELO from [185.221.172.140]: syntactically invalid argument(s): *.*
>
> Anyone know if this is some sort of exploit or just the sign of a specific type of spambot?


Looks like an implementation similar to the Cutwail attacks..
It also could be an ISP whose DHCP implementation is telling DHCP clients that is their hostname.. But that is less likely.. especially given your example(s).. the second one doesn't look like something

Seems to have dropped off.. (or we caught 'em all)
Seen that for the last 4 months or so..

Comes from a Windows-based OS typically, so betting a 'bot' infection..

So far safe to just reject/mark on traffic to port 25 with that HELO/EHLO
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
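The thread recommends rejecting or marking port-25 traffic that presents the `*.*` HELO, which in practice means pulling the offending source addresses out of the Exim main log. The following is an added example, not code from the thread or from Exim: it parses log lines in the format quoted above, pairs each "rejected HELO" line with the preceding "no host name found" line for the same IP (the reverse-DNS failure that accompanies each bogus HELO in the quoted sample), tallies the invalid HELO arguments seen, and emits the sources for a given argument as a colon-separated Exim host list. The log sample is constructed: the first four lines are the ones quoted in the thread, the rest (a different invalid argument, an unrelated rDNS failure, and a normal accepted-message line) are made up to exercise the parser. The regular expressions assume Exim's default main-log wording exactly as it appears in the quoted lines.

```python
import re
from collections import Counter

# Constructed sample of Exim mainlog lines. The first four are the pairs
# quoted in the thread; the remainder are invented here so the parser is
# exercised against a different bogus HELO argument, an rDNS failure with no
# matching HELO rejection, and an ordinary accepted message ("<=" line).
SAMPLE_LOG = """\
2018-06-11 14:15:44 no host name found for IP address 157.25.104.90
2018-06-11 14:15:47 rejected HELO from [157.25.104.90]: syntactically invalid argument(s): *.*
2018-06-11 14:21:42 no host name found for IP address 185.221.172.140
2018-06-11 14:21:43 rejected HELO from [185.221.172.140]: syntactically invalid argument(s): *.*
2018-06-11 14:22:10 no host name found for IP address 203.0.113.7
2018-06-11 14:22:11 rejected HELO from [203.0.113.7]: syntactically invalid argument(s): -foo_bar
2018-06-11 14:23:01 no host name found for IP address 198.51.100.9
2018-06-11 14:25:30 1fSxQ1-0004Aa-Bc <= sender@example.org H=mail.example.org [192.0.2.25] P=esmtps S=2048
"""

# Exim main-log wording, as it appears in the lines quoted in the thread.
NO_RDNS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) no host name found for IP address (?P<ip>\S+)$"
)
BAD_HELO_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rejected HELO from \[(?P<ip>[^\]]+)\]: "
    r"syntactically invalid argument\(s\): (?P<helo>.*)$"
)


def parse_rejected_helos(log_text):
    """Return one dict per rejected-HELO event: ts, ip, helo argument, and
    whether an earlier 'no host name found' line was logged for that IP."""
    no_rdns_ips = set()
    events = []
    for line in log_text.splitlines():
        m = NO_RDNS_RE.match(line)
        if m:
            no_rdns_ips.add(m.group("ip"))
            continue
        m = BAD_HELO_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "helo": m.group("helo"),
                "no_rdns": m.group("ip") in no_rdns_ips,
            })
        # Any other line (accepted mail, unrelated rDNS failures, etc.) is ignored.
    return events


def helo_histogram(events):
    """Count how often each invalid HELO argument was presented."""
    return Counter(e["helo"] for e in events)


def sources_for_helo(events, helo="*.*"):
    """Sorted, de-duplicated source IPs that presented the given HELO argument."""
    return sorted({e["ip"] for e in events if e["helo"] == helo})


def exim_host_list(ips):
    """Render IPs as a colon-separated Exim host list (IPv4 only; an IPv6
    list would need Exim's alternate separator syntax instead)."""
    return " : ".join(ips)


if __name__ == "__main__":
    evs = parse_rejected_helos(SAMPLE_LOG)
    for helo, n in helo_histogram(evs).most_common():
        print(f"{n:3d}  {helo}")
    print("hosts presenting *.*:", exim_host_list(sources_for_helo(evs)))
```

Run against a real `/var/log/exim4/mainlog` (read the file into `parse_rejected_helos`), the histogram shows whether `*.*` dominates the invalid-HELO rejections or is just one of many junk arguments, and the host list is the set of sources that would be candidates for the reject/mark treatment suggested in the thread.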