LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-28-2003, 09:59 PM   #1
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
Sendmail Attack


Today I noticed that my connection was a little slow and found that sendmail had a load of connections to different IPs. When I looked at the log what I saw was a lot of this:

Jun 28 15:46:03 bunny sendmail[29699]: h5SJVNNm029699: from=<5617l2xxs758y@ms32.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:03 bunny sendmail[29594]: h5SJLURR029594: from=<87mezyt768@ms28.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:04 bunny sendmail[29292]: h5SIq0xL029292: ruleset=check_rcpt, arg1=<changyun@seed.net.tw>, relay=[203.69.118.19], reject=550 5.7.1 <changyun@seed.net.tw>... Relaying denied. IP name lookup failed [203.69.118.19]
Jun 28 15:46:04 bunny sendmail[29791]: h5SJfLKO029791: ruleset=check_rcpt, arg1=<yu312@pchome.com.tw>, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <yu312@pchome.com.tw>... Relaying denied
Jun 28 15:46:04 bunny sendmail[29292]: h5SIq0xL029292: from=<steve@66.58.43.12>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.69.118.19]
Jun 28 15:46:05 bunny sendmail[29699]: h5SJVNNn029699: ruleset=check_rcpt, arg1=<nriqaycf@yahoo.com.tw>, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <nriqaycf@yahoo.com.tw>... Relaying denied
Jun 28 15:46:05 bunny sendmail[29292]: h5SIq0xM029292: ruleset=check_rcpt, arg1=<changyun@seed.net.tw>, relay=[203.69.118.19], reject=550 5.7.1 <changyun@seed.net.tw>... Relaying denied. IP name lookup failed [203.69.118.19]
Jun 28 15:46:05 bunny sendmail[29791]: h5SJfLKO029791: from=<324cik3a39@ms36.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:05 bunny sendmail[29594]: h5SJLURS029594: ruleset=check_rcpt, arg1=<wifp@yahoo.com.tw>, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <wifp@yahoo.com.tw>... Relaying denied


Most of the attempts I could find a relaying denied line for but not all of them. Any chance that any got through?

Most of the relay attempts had a hinet.net from address, or from addresses consisting of the username steve and then an IP number.
Questions:
What was this guy trying to do? His messages weren't being relayed, so what was the point in persisting?

I have a dynamic IP with a dynamic DNS hostname; the above is from my desktop machine. To give an idea of the extent of the problem:

cat info|grep "Relaying denied"|grep -c "Jun 28"
106408

 
Old 06-29-2003, 06:50 AM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well, first of all, do not worry regarding those relaying denied issues. This is pretty normal these days on the internet. It is possible that this is an attack which is issued at you, but it doesn't have to be the case due to your dynamic IP.

I assume that the user before you got that ip had an open relay server and thus those many attempts to send mail over your host.
 
Old 06-29-2003, 11:54 AM   #3
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Original Poster
Rep: Reputation: 31
Quote:
I assume that the user before you got that ip had an open relay server
Duh! Of course, that hadn't even occurred to me. Thanks.
 
Old 07-02-2003, 01:09 PM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
You may want to consider putting in a firewall rule to block incoming connections from those IP addresses or networks. Chances are slim to none that any of those 100000 relay attempts are legitimate email.
 
Old 07-04-2003, 04:08 AM   #5
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Original Poster
Rep: Reputation: 31
Quote:
You may want to consider putting in a firewall rule to block incoming connections

They're in my sendmail access file with a REJECT flag. I think that might do it. Though I thought about a snort rule that would keep track of attempts too.
Rather than drop or reject them at the firewall, I'd like to keep detailed track of a next attempt if there is one.
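Two things in this thread can be answered from the same log: m0rl0ck's question in the opening post (did any of the relay attempts get through?) and the access-file approach in the post above. The grep in the opening post counts rejections, not outcomes; what actually says whether an envelope got past check_rcpt is the nrcpts= value on the from= line (nrcpts=0 means no recipient was accepted, so nothing was relayed). The script below is an added example, not code from the thread or from the sendmail project. It parses the sendmail 8.12-style lines quoted above, counts "Relaying denied" rejections per relaying IP, flags any envelope with nrcpts greater than zero, and prints access-map entries in the bare-key form (host, tab, REJECT) for relays that only ever got rejected. The sample log is constructed: nine lines follow the thread's own entries and a tenth accepted envelope (relay 192.0.2.10, queue id h5SJlAbc029900, sender steve@192.0.2.10) is invented so the "got through" check has something to find.

```python
import re
from collections import Counter

# Constructed sample log. The first nine lines follow the thread's own entries;
# the tenth is an invented accepted envelope (nrcpts=1) from the documentation
# address 192.0.2.10 so that the accepted-envelope check below finds something.
SAMPLE_LOG = """\
Jun 28 15:46:03 bunny sendmail[29699]: h5SJVNNm029699: from=<5617l2xxs758y@ms32.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:03 bunny sendmail[29594]: h5SJLURR029594: from=<87mezyt768@ms28.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:04 bunny sendmail[29292]: h5SIq0xL029292: ruleset=check_rcpt, arg1=<changyun@seed.net.tw>, relay=[203.69.118.19], reject=550 5.7.1 <changyun@seed.net.tw>... Relaying denied. IP name lookup failed [203.69.118.19]
Jun 28 15:46:04 bunny sendmail[29791]: h5SJfLKO029791: ruleset=check_rcpt, arg1=<yu312@pchome.com.tw>, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <yu312@pchome.com.tw>... Relaying denied
Jun 28 15:46:04 bunny sendmail[29292]: h5SIq0xL029292: from=<steve@66.58.43.12>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.69.118.19]
Jun 28 15:46:05 bunny sendmail[29699]: h5SJVNNn029699: ruleset=check_rcpt, arg1=<nriqaycf@yahoo.com.tw>, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <nriqaycf@yahoo.com.tw>... Relaying denied
Jun 28 15:46:05 bunny sendmail[29292]: h5SIq0xM029292: ruleset=check_rcpt, arg1=<changyun@seed.net.tw>, relay=[203.69.118.19], reject=550 5.7.1 <changyun@seed.net.tw>... Relaying denied. IP name lookup failed [203.69.118.19]
Jun 28 15:46:05 bunny sendmail[29791]: h5SJfLKO029791: from=<324cik3a39@ms36.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:05 bunny sendmail[29594]: h5SJLURS029594: ruleset=check_rcpt, arg1=<wifp@yahoo.com.tw>, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <wifp@yahoo.com.tw>... Relaying denied
Jun 28 15:47:10 bunny sendmail[29900]: h5SJlAbc029900: from=<steve@192.0.2.10>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
"""

# "Mon DD hh:mm:ss host sendmail[pid]: queueid: key=value, key=value, ..."
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# relay= is either "name [ip]" or "[ip]"; the bracketed IP is what we key on.
RELAY_IP_RE = re.compile(r"\[([^\]]+)\]\s*$")


def parse_line(line):
    """Split one sendmail log line into header fields plus a dict of the
    comma-separated key=value pairs. Returns None for non-queue-id lines."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for part in rec.pop("rest").split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    rec["fields"] = fields
    ip = RELAY_IP_RE.search(fields.get("relay", ""))
    rec["relay_ip"] = ip.group(1) if ip else None
    return rec


def analyse(log_text):
    """Per relaying IP: count 'Relaying denied' rejections and envelopes that
    ended with nrcpts=0; collect every envelope that had a recipient accepted."""
    rejects = Counter()   # relay IP -> number of check_rcpt rejections
    empty = Counter()     # relay IP -> from= lines with nrcpts=0 (nothing relayed)
    accepted = []         # (queue id, sender, relay IP, nrcpts) with nrcpts > 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["relay_ip"] is None:
            continue
        f = rec["fields"]
        if "Relaying denied" in f.get("reject", ""):
            rejects[rec["relay_ip"]] += 1
        elif "from" in f:
            nrcpts = int(f.get("nrcpts", "0"))
            if nrcpts > 0:
                accepted.append((rec["qid"], f["from"], rec["relay_ip"], nrcpts))
            else:
                empty[rec["relay_ip"]] += 1
    return {"rejects": rejects, "empty": empty, "accepted": accepted}


def access_map_lines(summary):
    """sendmail access-map entries (bare host key, REJECT value) for every
    relay IP that collected rejections and never had an envelope accepted."""
    accepted_ips = {ip for _, _, ip, _ in summary["accepted"]}
    return [f"{ip}\tREJECT" for ip in sorted(summary["rejects"])
            if ip not in accepted_ips]


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    for ip, n in s["rejects"].most_common():
        print(f"{ip:16} relaying denied x{n}, empty envelopes (nrcpts=0): {s['empty'][ip]}")
    for qid, sender, ip, n in s["accepted"]:
        print(f"CHECK {qid}: from={sender} via {ip} had {n} recipient(s) accepted")
    print("\n".join(access_map_lines(s)))
```

Any line printed with CHECK is the one worth chasing: follow its queue id to the to=/stat= entries for the same id to see whether the message was really delivered. The access entries go into /etc/mail/access, after which the map has to be rebuilt (makemap hash /etc/mail/access < /etc/mail/access) for sendmail to see them; unlike a firewall drop, a REJECT in the access map still makes sendmail log each later connection attempt from that host, which gives the per-attempt record asked for in the post above without a separate snort rule.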