EHLO localhost.localdomain

Posted: 2012-12-03 21:48
by random
Hi,

In my logs are many entries with "EHLO localhost.localdomain" and after that an "AUTH LOGIN".
The authentication fails and by the way I do not believe that this is a legitimate user.

My questions:
- Is EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted EHLO?

lg
random

Re: EHLO localhost.localdomain

Posted: 2012-12-03 23:13
by dzekas
random wrote:
Hi,

In my logs are many entries with "EHLO localhost.localdomain" and after that an "AUTH LOGIN".
The authentication fails and by the way I do not believe that this is a legitimate user.

My questions:
- Is EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted EHLO?
The EHLO name is legit if the connection is coming from 127.0.0.1 or any other loopback address.

If somebody is trying to brute-force your passwords, enable autoban. It will minimize the effectiveness of brute-force password attacks regardless of the EHLO used.

Re: EHLO localhost.localdomain

Posted: 2012-12-04 00:01
by random
Hi dzekas,

thank you for your reply.

The EHLO is not originating from localhost. I think it is a not entirely correctly configured mail server or mail client.
Autoban is now on. Just to be sure. :)

BTW: How can I see the account name that is probed? It does not show up in the logs as far as I can see.

lg
random

Re: EHLO localhost.localdomain

Posted: 2012-12-04 00:08
by dzekas
random wrote:
Hi dzekas,

thank you for your reply.

The EHLO is not originating from localhost. I think it is a not entirely correctly configured mail server or mail client.
Autoban is now on. Just to be sure. :)

BTW: How can I see the account name that is probed? It does not show up in the logs as far as I can see.

lg
random
The gobbledygook that comes after the AUTH LOGIN line contains the base64-encoded account name. See http://www.base64decode.org/
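The AUTH LOGIN decoding dzekas describes, as an added example that is not part of the original thread: a small Python script that walks SMTP log lines, recovers the base64 account name from each AUTH LOGIN exchange (whether the client sends it as an initial response on the AUTH line or on the following line), pairs it with the EHLO name and the server's 235/535 verdict, and counts failures per source address the way an autoban rule would. The `<ip> <SENT|RECEIVED>: <text>` log layout and the sample lines are assumptions constructed for this example, not the forum's mail server log format.

```python
import base64
from collections import Counter

# Constructed sample log (not from the original post): "<ip> <SENT|RECEIVED>: <text>" per line
SAMPLE_LOG = """\
203.0.113.5 RECEIVED: EHLO localhost.localdomain
203.0.113.5 RECEIVED: AUTH LOGIN
203.0.113.5 RECEIVED: YWRtaW5AZXhhbXBsZS5jb20=
203.0.113.5 RECEIVED: ****
203.0.113.5 SENT: 535 Authentication failed.
203.0.113.5 RECEIVED: AUTH LOGIN cG9zdG1hc3RlckBleGFtcGxlLmNvbQ==
203.0.113.5 RECEIVED: ****
203.0.113.5 SENT: 535 Authentication failed.
198.51.100.7 RECEIVED: EHLO mail.example.net
198.51.100.7 RECEIVED: AUTH LOGIN
198.51.100.7 RECEIVED: Ym9iQGV4YW1wbGUubmV0
198.51.100.7 RECEIVED: ****
198.51.100.7 SENT: 235 authenticated.
"""

def decode_b64(token):
    """Decode one base64 SMTP token; None if it is not valid base64 (e.g. a masked "****")."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def auth_attempts(log_text):
    """Return (ip, ehlo, account, success) for every AUTH LOGIN exchange in the log."""
    ehlo, pending, attempts = {}, {}, []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # not a line in the assumed layout
        ip, direction, text = parts
        if direction == "RECEIVED:":
            if text.upper().startswith("EHLO "):
                ehlo[ip] = text[5:]
            elif text.upper().startswith("AUTH LOGIN"):
                initial = text[10:].strip()  # RFC 4954 initial response, if any
                pending[ip] = [decode_b64(initial) if initial else None, not initial]
            elif ip in pending and pending[ip][1]:
                pending[ip] = [decode_b64(text), False]  # first client reply = account
        elif direction == "SENT:" and ip in pending and text[:3] in ("235", "535"):
            account = pending.pop(ip)[0]
            attempts.append((ip, ehlo.get(ip), account, text.startswith("235")))
    return attempts

def failed_logins_per_ip(attempts):
    return Counter(ip for ip, _, _, ok in attempts if not ok)
```

Run it over a real log by replacing SAMPLE_LOG with the file contents and adapting the line split to the server's own layout; the account names it prints are the ones being probed, and the per-IP failure count is what an autoban threshold acts on.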

Re: EHLO localhost.localdomain

Posted: 2012-12-04 00:15
by random
Bookmarked - very useful.
Thank you.
random

Re: EHLO localhost.localdomain

Posted: 2012-12-04 01:33
by mattg
And FYI, ^Doom^'s log analyser http://damnation.org.uk/log/loganalyzer.php does this as part of the analysing process.