EHLO localhost.localdomain

[random]

Hi,

im my logs are many entries with "EHLO localhost.localdomain" and after that a "AUTH LOGIN".
The authentification fails and by the way I do not belive that this is a legitimate user.

My questions:
- Ist EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted ELHO?

lg
random

[dzekas]

Hi,

im my logs are many entries with "EHLO localhost.localdomain" and after that a "AUTH LOGIN".
The authentification fails and by the way I do not belive that this is a legitimate user.

My questions:
- Ist EHLO localhost.localdomain a legit domain name?
- Can I close the connection based on the submitted ELHO?

EHLO name is legit, if connection is coming from 127.0.0.1 or any other loopback address.

If somebody is trying to bruteforce your passwords, enable autoban. It will minimize effectiveness of bruteforce password attacks regardless of used EHLO.

[random]

Hi dzekas,

thank you for your reply.

The ELHO is not originating from localhost. I think it is a not entirely correct configured mailserver or mailclient.
Autoban is now on. Just to be sure.

BTW: How can I see the account name that is probed? It is not shown up in the logs as far as I see.

lg
random

[dzekas]

Hi dzekas,

thank you for your reply.

The ELHO is not originating from localhost. I think it is a not entirely correct configured mailserver or mailclient.
Autoban is now on. Just to be sure.

BTW: How can I see the account name that is probed? It is not shown up in the logs as far as I see.

lg
random

gobbledygook that comes after AUTH LOGIN line contains base64 encoded account name. See http://www.base64decode.org/

[random]

http://www.base64decode.org/

Bookmarked - very useful.
Thank you.
random

[mattg]

And FYI, ^Doom^s log analyser http://damnation.org.uk/log/loganalyzer.php does this as part of the analysing process