Anyone else seeing massive sendmail connections seemingly for the sole purpose of a denial of service? This is less than one minute or two after a sendmail restart and we've been seeing this issue since app 6AM today.
Regards, KAM
Hi!
> Anyone else seeing massive sendmail connections seemingly for the sole purpose of a denial of service? This is less than one minute or two after a sendmail restart and we've been seeing this issue since app 6AM today.
>
> [210.20.54.62] startup
> 16034 ? S 0:00 sendmail: server [4.27.171.43] startup
> 16035 ? S 0:00 sendmail: server 13Cust29.VR2.NYC4.broadband.uu.net [63.13.166.29] startup
> 16038 ? S 0:00 sendmail: server localhost.localdomain [127.0.0.1] startup
> 16040 ? S 0:00 sendmail: server pD9E2C8C3.dip.t-dialin.net [217.226.200.195] startup
> 16041 ? S 0:00 sendmail: server [222.185.250.34] startup
> 16042 ? S 0:00 sendmail: server host013.acernautic.com [216.108.233.13] startup
> 16043 ? S 0:00 sendmail: server [61.172.244.215] startup
This isn't something to discuss on the SURBL list, but it looks like you either have a dictionary attack going on.
You could contact me offlist if you wanna send in more details.
I would suggest blocking with DSBL or something similar on MTA level, since a lot of those seem to be open proxies on dialup systems.
Bye, Raymond.
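A triage sketch for a process listing like the one in this thread, added here as an example and not code from either poster: it counts sendmail children sitting in `startup` per source address and per /24, and how many have no reverse DNS or carry sendmail's "(may be forged)" tag. The sample lines are constructed in the same format using documentation-range addresses; the function and field names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the ps listing quoted in the thread
# (documentation-range addresses, not values from the post).
SAMPLE_PS = """\
15991 ? S 0:00 sendmail: accepting connections
16015 ? S 0:00 sendmail: server mail.example.net [192.0.2.10] startup
16016 ? S 0:00 sendmail: server [198.51.100.7] startup
16018 ? S 0:00 sendmail: server [198.51.100.9] startup
16019 ? S 0:00 sendmail: server dsl-7.example.org [203.0.113.5] (may be forged) startup
16021 ? S 0:00 sendmail: server [198.51.100.7] startup
16022 ? S 0:00 sendmail: server localhost.localdomain [127.0.0.1] startup
16023 ? S 0:00 sendmail: server mail.example.net [192.0.2.10] cmd read
"""

# "server <host> [ip] (may be forged) <state>"; the host is absent when the
# client address has no reverse DNS.
SERVER_RE = re.compile(
    r"sendmail: server (?:(?P<host>\S+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged> \(may be forged\))? (?P<state>.+)$"
)

def triage(ps_text, repeat_threshold=2):
    """Summarise remote SMTP clients whose child process is still in 'startup'."""
    per_ip, per_net = Counter(), Counter()
    no_rdns = forged = 0
    for line in ps_text.splitlines():
        m = SERVER_RE.search(line.strip())
        if not m or m["state"] != "startup":
            continue  # not an inbound SMTP child, or already past startup
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address in the listing
        if ip.is_loopback:
            continue  # local submissions are not part of the flood
        per_ip[str(ip)] += 1
        per_net[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        no_rdns += m["host"] is None
        forged += m["forged"] is not None
    return {
        "startup_total": sum(per_ip.values()),
        "no_rdns": no_rdns,
        "may_be_forged": forged,
        "repeat_sources": sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold),
        "per_net": dict(per_net),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PS).items():
        print(f"{key}: {value}")
```

A high share of sources without reverse DNS, or many children from one /24, is the pattern that supports blocking on a DNS blocklist at the MTA as suggested above.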