Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.eng.convex.com!newshost.convex.com!newsgate.duke.edu!news.mathworks.com!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Mail......What does this mean??
Date: 13 Jul 1996 11:51:30 GMT
Organization: Private BSD site, Dresden
Lines: 44
Message-ID: <4s82k2$n33@uriah.heep.sax.de>
References: <31e6811d.21963902@news.hq.af.mil>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E

sgregory@pubspo.hq.af.mil (Scott Gregory) wrote:

> Three lines like this (names have been changed to protect the guilty
> :-) ) appeared in my /var/log/maillog.
>
> Jul 12 10:38:43 my.sys.name sendmail[17654]: foo.bar
> [123.123.123.123]: vrfy lhammer
>
> Each entry had a different last word (I assume this is a username?).

Yep, it's a (supposed to be) username.

> What does this mean?? I know date, time, sys name, log entry,
> offending system, translated address, but what are they doing with
> "vrfy lhammer"

The VRFY command asks sendmail to verify that a particular address
could be delivered. Likewise, the EXPN command requests a possible
expansion of alias lists. Both are described in the SMTP RFCs.

> Is this a security concern?? I'm STILL new at this so please explain
> in detail.

If you see an extended amount of them, and you have a reason to
distrust the originator, yes, it may be a security concern. (That's
why they are being logged.) It looks like somebody was trying to probe
for some usernames in order to get a list of possible accounts on your
system. Once he's got this list, he might try to abuse the accounts.
So watch out for all your messages about LOGIN FAILUREs. FreeBSD is
rather paranoid about logging them; you are allowed just one mistyped
username or password before it's going to be logged.

Note that you could tell syslogd to pop up all these (login failure,
bad SU etc.) messages onto your terminals where you are logged in.
Makes for a good security alert scenario. The potential intruder is
being announced to you even before he could issue a single `ls' or
`who'. :-))

-- 
cheers, J"org                       joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
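As an added illustration of the advice above (not part of the original thread), the following script groups the sendmail VRFY/EXPN log lines by originating address so that a host probing many distinct names stands out from a single legitimate lookup. The log format is taken from the line quoted in the post; the sample lines, the `threshold` parameter and the exact wording of other sendmail messages are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern for the VRFY/EXPN log line quoted in the post (assumed format;
# other sendmail versions may phrase the entry differently).
VRFY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<peer>\S+) \[(?P<ip>[\d.]+)\]: (?P<cmd>vrfy|expn) (?P<arg>\S+)$",
    re.IGNORECASE,
)

def parse_probe(line):
    """Return (source_ip, command, probed_name) for a VRFY/EXPN entry, else None."""
    m = VRFY_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("cmd").lower(), m.group("arg")

def find_enumeration(lines, threshold=3):
    """Map each source IP to the distinct names it asked about, keeping only
    sources that probed at least `threshold` names (the 'extended amount'
    the post warns about)."""
    probes = defaultdict(set)
    for line in lines:
        parsed = parse_probe(line)
        if parsed:
            ip, _cmd, name = parsed
            probes[ip].add(name)
    return {ip: sorted(names) for ip, names in probes.items()
            if len(names) >= threshold}

# Constructed sample /var/log/maillog excerpt in the format shown in the post.
SAMPLE_LOG = """\
Jul 12 10:38:43 my.sys.name sendmail[17654]: foo.bar [123.123.123.123]: vrfy lhammer
Jul 12 10:38:44 my.sys.name sendmail[17654]: foo.bar [123.123.123.123]: vrfy root
Jul 12 10:38:45 my.sys.name sendmail[17654]: foo.bar [123.123.123.123]: expn staff
Jul 12 10:40:01 my.sys.name sendmail[17660]: relay.example [10.0.0.5]: vrfy postmaster
Jul 12 10:41:07 my.sys.name sendmail[17661]: from=<a@example>, size=512, class=0
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"possible account probing from {ip}: {', '.join(names)}")
```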