02-12-2011, 04:12 AM
|
#1
|
LQ Newbie
Registered: Feb 2011
Posts: 2
|
Exim logs spammed with large headers
Has anybody else seen this kind of attack?
I see those messages on 2 exim mailservers.
Looks as if someone sends a 50MB big mail header :S
What is their goal apart from increasing my traffic?
Code:
2011-02-12 07:48:53 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns33.medialook.net [91.121.108.5] input="GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac "
2011-02-12 07:48:58 1Po9Hp-0006ZP-G0 rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52719201 max=52428800
Envelope-from: <root@local.com>
Envelope-to: <postmaster@localhost>
Header0000: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Header0001: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
...
Header0054: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
*** truncated ***
Code:
zgrep welcome.com mainlog*
2011-02-12 07:48:58 1Po9Hp-0006ZP-G0 rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52719201 max=52428800
2011-02-12 07:48:58 unexpected disconnection while reading SMTP command from ns33.medialook.net (welcome.com) [91.121.108.5]
2011-02-10 14:16:19 1PnWNa-00015o-4y rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52718801 max=52428800
2011-02-10 14:16:19 unexpected disconnection while reading SMTP command from ns33.medialook.net (welcome.com) [91.121.108.5]
2011-02-10 15:38:09 1PnXek-00027J-Vk rejected from <root@local.com> H=vs242106.vserver.de (welcome.com) [62.75.242.106]: message too big: read=52720199 max=52428800
2011-02-10 15:38:09 unexpected disconnection while reading SMTP command from vs242106.vserver.de (welcome.com) [62.75.242.106]
2011-02-09 19:46:02 1PnF2d-0001VM-BG rejected from <root@local.com> H=usloft2185.serverloft.com (welcome.com) [173.224.120.221]: message too big: read=52719791 max=52428800
2011-02-09 19:46:03 unexpected disconnection while reading SMTP command from usloft2185.serverloft.com (welcome.com) [173.224.120.221]
2011-02-09 22:07:30 1PnHFx-0003NG-1Z rejected from <root@local.com> H=usloft2185.serverloft.com (welcome.com) [173.224.120.221]: message too big: read=52719791 max=52428800
2011-02-09 22:07:30 unexpected disconnection while reading SMTP command from usloft2185.serverloft.com (welcome.com) [173.224.120.221]
2011-02-08 22:44:45 SMTP connection from mail.parkcityhotel.ru (welcome.com) [193.138.176.4] lost while reading message data
2011-02-09 02:24:56 1PmxvT-0001Pt-PE rejected from <root@local.com> H=(welcome.com) [222.233.232.68]: message too big: read=52719018 max=52428800
2011-02-09 02:25:10 unexpected disconnection while reading SMTP command from (welcome.com) [222.233.232.68]
2011-02-06 07:27:02 1Ply5J-0000KI-2X rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720791 max=52428800
2011-02-06 07:27:02 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-06 13:52:52 1Pm46E-0006c7-68 rejected from <root@local.com> H=(welcome.com) [91.206.30.142]: message too big: read=52720819 max=52428800
2011-02-06 13:52:53 unexpected disconnection while reading SMTP command from (welcome.com) [91.206.30.142]
2011-02-05 12:30:56 1PlgLr-0000WM-7f rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720191 max=52428800
2011-02-05 12:30:56 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-05 13:51:38 1Plhbx-0001Y4-Ce rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52721991 max=52428800
2011-02-05 13:51:38 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-04 16:13:50 1PlNLr-0006yE-Ou rejected from <root@local.com> H=mapscomm.com (welcome.com) [74.50.51.190]: message too big: read=52719207 max=52428800
2011-02-04 16:13:50 unexpected disconnection while reading SMTP command from mapscomm.com (welcome.com) [74.50.51.190]
2011-02-03 16:16:06 1Pl0ue-00023L-Oz rejected from <root@local.com> H=vs209185.vserver.de (welcome.com) [62.75.209.185]: message too big: read=52720799 max=52428800
2011-02-03 16:16:06 unexpected disconnection while reading SMTP command from vs209185.vserver.de (welcome.com) [62.75.209.185]
2011-02-03 19:19:07 1Pl3lm-0004Ps-Ki rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720391 max=52428800
2011-02-03 19:19:07 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-03 23:57:06 1Pl86n-0008Q4-F4 rejected from <root@local.com> H=dl169.dinaserver.com (welcome.com) [82.98.141.32]: message too big: read=52720199 max=52428800
2011-02-03 23:57:06 unexpected disconnection while reading SMTP command from dl169.dinaserver.com (welcome.com) [82.98.141.32]
|
|
|
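Added example (not part of the original thread): a short Python script that parses the Exim "message too big" rejection lines shown in the post above and groups them by HELO name, to show how a single HELO string recurs across unrelated source addresses. The sample lines are copied from the post; the function names and the `min_ips` threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample lines copied from the first post of this thread (Exim mainlog format).
SAMPLE_LOG = """\
2011-02-12 07:48:58 1Po9Hp-0006ZP-G0 rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52719201 max=52428800
2011-02-12 07:48:58 unexpected disconnection while reading SMTP command from ns33.medialook.net (welcome.com) [91.121.108.5]
2011-02-10 15:38:09 1PnXek-00027J-Vk rejected from <root@local.com> H=vs242106.vserver.de (welcome.com) [62.75.242.106]: message too big: read=52720199 max=52428800
2011-02-09 02:24:56 1PmxvT-0001Pt-PE rejected from <root@local.com> H=(welcome.com) [222.233.232.68]: message too big: read=52719018 max=52428800
2011-02-05 12:30:56 1PlgLr-0000WM-7f rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720191 max=52428800
2011-02-05 13:51:38 1Plhbx-0001Y4-Ce rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52721991 max=52428800
"""

# H= is "hostname (helo) [ip]"; the hostname part is absent on some lines.
TOO_BIG = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) rejected from <(?P<sender>[^>]*)> "
    r"H=(?:(?P<rdns>[^\s(]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
    r".*?: message too big: read=(?P<read>\d+) max=(?P<max>\d+)$"
)

def parse_too_big(lines):
    """Yield one dict per 'message too big' rejection; other lines are skipped."""
    for line in lines:
        m = TOO_BIG.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["read"], rec["max"] = int(rec["read"]), int(rec["max"])
            yield rec

def summarise_by_helo(records):
    """Map HELO name -> distinct IPs, rejection count, bytes read before rejection."""
    out = defaultdict(lambda: {"ips": set(), "count": 0, "bytes": 0})
    for r in records:
        s = out[r["helo"] or "(none)"]
        s["ips"].add(r["ip"])
        s["count"] += 1
        s["bytes"] += r["read"]
    return dict(out)

def suspicious_helos(summary, min_ips=3):
    """HELO names presented by at least min_ips distinct addresses (assumed threshold)."""
    return sorted(h for h, s in summary.items() if len(s["ips"]) >= min_ips)

if __name__ == "__main__":
    summary = summarise_by_helo(parse_too_big(SAMPLE_LOG.splitlines()))
    for helo, s in summary.items():
        print(f"{helo}: {s['count']} rejections, {len(s['ips'])} IPs, {s['bytes'] / 2**20:.1f} MiB read")
```

To run it over real logs, feed `parse_too_big` the lines of the decompressed mainlog files instead of `SAMPLE_LOG`.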
02-12-2011, 06:02 AM
|
#3
|
Moderator
Registered: May 2001
Posts: 29,417
|
Thanks for posting back your findings! (I marked the thread solved.)
|
|
|
02-12-2011, 06:05 AM
|
#4
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
Were you running a version prior to 4.70?
If so, and this has corrected your problem, would you please mark the thread as solved? Otherwise, if you are still having problems, we can start looking for other causes. As you have noticed, there is an active thread or two regarding exim exploits. If these upgrades didn't fix your problem, your contribution to the investigation might be beneficial.
Edit: already marked solved.
|
|
|
02-12-2011, 06:08 AM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,417
|
Quote:
Originally Posted by Noway2
Otherwise, if you are still having problems, we can start looking for other causes. As you have noticed, there is an active thread or two regarding exim exploits. If these upgrades didn't fix your problem, your contribution to the investigation might be beneficial.
|
I agree (and next time I'll wait before marking it solved a wee bit longer).
@wulu: please see http://www.linuxquestions.org/questi...eaders-837856/
|
|
|