I came across a few entries that I haven't encountered before while looking at my messages.log. Can anyone explain to me what this means?

Code:
00:52:48 domain.com [64.118.95.188] (may be forged): QUIT[3116]: domain.com [123.123.123.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:53:02 smtp(pam_unix)[3124]: check pass; user unknown
00:53:02 smtp(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

There were thousands of these messages. I'm assuming someone is attempting a dictionary attack on the SMTP server so they can use it to spam, I guess. I wasn't worried about it, but two unique entries amongst thousands from this domain in mail.log got my interest. They are the entries with sendmail[9498]. These are the entries in mail.log:

Code:
15:00:46 sendmail[8655]: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=domain.com [123.123.123.113] (may be forged)
15:26:37 sendmail[9498]: STARTTLS=server, relay=domain.com [123.123.123.20] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
15:26:37 sendmail[9498]: from=<>, size=12076, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=domain.com [123.123.123.20] (may be forged)
08:58:30 sendmail[8220]: domain.com [64.118.95.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

There are thousands of entries (excluding sendmail[9498]) and the domain always stays the same; however, the IP address changes as shown above. What's going on here?

Spammers are trying to find out if they can use your server for spamming. If you use SMTP-AUTH and strong passwords, I don't think they will succeed.
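
Added example, not part of the original thread: a Python script that summarizes the pattern described in the question, grouping sendmail events by the claimed hostname and listing names tagged "(may be forged)" (reverse DNS name that does not resolve back to the connecting IP) that connect from several addresses. The sample lines are constructed with documentation-range IPs, and the function names and regular expressions are hypothetical, modelled on the quoted log format.

```python
import re
from collections import defaultdict

# Constructed sample in the trimmed format quoted in the question
# (documentation-range addresses and example domains, not real hosts).
SAMPLE_LOG = """\
00:52:48 sendmail[3116]: mail.example.com [192.0.2.188] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
00:53:02 smtp(pam_unix)[3124]: check pass; user unknown
00:53:02 smtp(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
00:53:40 sendmail[3130]: mail.example.com [192.0.2.113] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
15:00:46 sendmail[8655]: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.com [192.0.2.113] (may be forged)
15:26:37 sendmail[9498]: from=<>, size=12076, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.20] (may be forged)
16:10:05 sendmail[9901]: from=<alice@example.org>, size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
"""

# Hypothetical patterns written for this example, modelled on the quoted lines.
PEER = re.compile(r"(?:relay=)?(\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]( \(may be forged\))?")
NO_CMD = "did not issue MAIL/EXPN/VRFY/ETRN"
AUTH_FAIL = re.compile(r"\(pam_unix\)\[\d+\]: authentication failure;")

def summarize(log_text):
    """Group sendmail events by claimed hostname; count PAM auth failures."""
    hosts = defaultdict(lambda: {"ips": set(), "probes": 0, "no_rcpt": 0, "forged": False})
    auth_failures = 0
    for line in log_text.splitlines():
        if AUTH_FAIL.search(line):
            auth_failures += 1  # rhost= is empty here, so no source IP to attribute
            continue
        peer = PEER.search(line) if "sendmail[" in line else None
        if not peer:
            continue
        name, ip, forged = peer.groups()
        entry = hosts[name]
        entry["ips"].add(ip)
        entry["forged"] |= bool(forged)
        entry["probes"] += int(NO_CMD in line)  # connected, sent no mail command
        entry["no_rcpt"] += int(bool(re.search(r"nrcpts=0\b", line)))  # envelope had no recipient
    return hosts, auth_failures

def rotating_forged_hosts(hosts, min_ips=2):
    """Names whose reverse DNS failed forward confirmation and that use several IPs."""
    return sorted(n for n, e in hosts.items() if e["forged"] and len(e["ips"]) >= min_ips)

if __name__ == "__main__":
    hosts, auth_failures = summarize(SAMPLE_LOG)
    print("PAM authentication failures:", auth_failures)
    for name in rotating_forged_hosts(hosts):
        e = hosts[name]
        print(name, sorted(e["ips"]), "probes:", e["probes"], "no-recipient:", e["no_rcpt"])
```

The per-host IP sets it produces can feed an access-map or firewall block list, while the PAM failure count tracks the SMTP AUTH guessing separately because those lines carry no remote address.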