postfix-users May 2012 archive

need some OT help

From: ghe <ghe_at_nospam>
Date: Wed May 02 2012 - 20:45:07 GMT
To: postfix users list <postfix-users@postfix.org>

I've been having an interesting (to me) problem. I'm getting auth.log
entries like this:

> May 2 14:02:15 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=be rhost=

every 10 minutes. Note the empty rhost= data. 'be' was a username -- I
got him to change it yesterday. Now I'm getting the same log entries
with both names.

Is it possible to send an IP packet with no 'source IP address'? If so,
is pam just losing it somehow?

I get other similar entries, occasionally, like:

> May 2 11:35:46 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=tester@209 rhost=62.76.45.134

And some much more frequently, still with no rhost= info:

> May 2 00:32:10 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=

I've asked on several lists, googled, and read books. I can't figure out
what's going on. I thought the lack of rhost= indicated one of my monit
monitors. So I turned them all off, and the entries came right in.

I know there's massive IP experience on this list. security-basics
couldn't explain this, nor could SDLU. Can one (or more) of you help me
understand?

TIA...

-- Glenn English
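
An added example, not part of the original post: a small parser for the pam_unix failure lines quoted above that groups them by ruser and rhost and reports the median gap between repeats, so a fixed-period source with an empty rhost= stands out from occasional remote failures. The sample lines are constructed in the post's format, the `year` default is an assumption (syslog omits the year), and `parse`/`summarize` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the dovecot-auth pam_unix failure lines shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot-auth:\s+"
    r"pam_unix\(dovecot:auth\):\s+authentication failure;"
    r".*?\bruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S*)"
)

def parse(line, year=2012):
    """Return (timestamp, ruser, rhost) or None; an empty rhost= becomes ''."""
    m = LINE_RE.match(line.strip().lstrip("> "))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ruser"], m["rhost"]

def summarize(lines):
    """Group failures by (ruser, rhost): count, median gap in seconds, empty-rhost flag."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            seen[(rec[1], rec[2])].append(rec[0])
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps),
                       "median_gap_s": median(gaps) if gaps else None,
                       "no_rhost": key[1] == ""}
    return report

# Constructed sample in the post's format (192.0.2.10 is a documentation address).
PREFIX = ("server dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
          "logname= uid=0 euid=0 tty=dovecot ")
SAMPLE = [f"May 2 {t} {PREFIX}ruser={u} rhost={h}" for t, u, h in [
    ("14:02:15", "be", ""), ("14:12:15", "be", ""), ("14:22:16", "be", ""),
    ("14:32:16", "be", ""), ("11:35:46", "tester", "192.0.2.10"),
]] + ["May 2 14:05:00 server sshd[1]: unrelated line"]

if __name__ == "__main__":
    for (ruser, rhost), info in summarize(SAMPLE).items():
        print(f"ruser={ruser!r} rhost={rhost!r} {info}")
```
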