Firewall Wizards mailing list archives

Spoofed SMTP _outbound_


From: "Jay Epperson" <jepperso () mail vak12ed edu>
Date: Wed, 16 Jan 2002 16:13:40 -0500

We're seeing source-spoofed traffic outbound from one of our segments to the SMTP port on a variety of outside 
addresses.  The denials are like:

denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets

(not the real network numbers), where the source address cycles through all addresses on the IP segment (1-254) and the 
destination stays fixed through such a run.  Since the majority of the source addresses don't actually exist on our 
network, it smells like part of a DoS, or a one-way vulnerability attack intended to open up access to the target from 
somewhere besides here.  Still working to capture enough information to identify the actual source platform, but if 
anyone can tell us what kind of animal we might be tracking, it could help.  Boxes on the segment are all either Linux 
(new), HP-UX (mature), or AIX (ancient).

Thanks for any help.  Apologies in advance if this is an inappropriate posting for this forum.

regards,
j.
jepperso () mail vak12ed edu
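The pattern described in the post (source addresses walking the whole segment while the destination and port stay fixed, most of those sources not being real hosts) is easy to pull out of firewall denial logs automatically. The script below is an added example, not code from the post or the list: it parses the quoted denial format, groups denials to port 25 by destination, and flags destinations that see many distinct sources from the internal segment, most of which are not in the inventory of hosts that actually exist there. The segment `10.0.0.0/24`, the known-host set and the sample log lines are constructed for the example; the `min_sources` threshold is an assumed tuning knob.

```python
"""Detect runs of source-cycling SMTP denials in firewall logs (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the denial format quoted in the post, e.g.
# "denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets"
DENIAL_RE = re.compile(
    r"denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\),\s*"
    r"(?P<packets>\d+)\s+packets"
)


def parse_denial(line):
    """Return a dict of fields for one denial line, or None if it does not match."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "packets"):
        d[k] = int(d[k])
    return d


def find_spoof_runs(lines, segment, known_hosts, dport=25, min_sources=8):
    """Group denials to `dport` by destination and report destinations that
    were hit from many distinct sources inside `segment`, most of which are
    not real hosts (a strong indicator the sources are being spoofed).

    segment     -- the internal network behind the egress rule, e.g. "10.0.0.0/24"
    known_hosts -- addresses that actually exist on that segment
    Returns a list of dicts sorted by distinct source count, descending.
    """
    net = ip_network(segment)
    known = {ip_address(h) for h in known_hosts}
    by_dst = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None or d["dport"] != dport:
            continue
        src = ip_address(d["src"])
        if src in net:
            by_dst[d["dst"]].add(src)
    findings = []
    for dst, sources in by_dst.items():
        if len(sources) < min_sources:
            continue
        unknown = sources - known
        findings.append({
            "dst": dst,
            "distinct_sources": len(sources),
            "unknown_sources": len(unknown),
            # Majority of sources do not exist on the segment: treat as spoofed.
            "spoofed": len(unknown) > len(sources) // 2,
        })
    findings.sort(key=lambda f: f["distinct_sources"], reverse=True)
    return findings


# Constructed sample log lines (not from the post): ten sources walking
# 10.0.0.1..10.0.0.10 toward one outside address, plus an unrelated denial.
SAMPLE_LINES = [
    f"denied tcp 10.0.0.{i}({1300 + i}) -> 203.0.113.5(25), {5 * i} packets"
    for i in range(1, 11)
] + ["denied tcp 10.0.0.2(4433) -> 198.51.100.7(443), 3 packets"]

# Hosts that really exist on the segment (constructed inventory).
SAMPLE_KNOWN = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}

if __name__ == "__main__":
    for finding in find_spoof_runs(SAMPLE_LINES, "10.0.0.0/24", SAMPLE_KNOWN):
        print(finding)
```

Feeding the firewall's denial log through `find_spoof_runs` with the real segment and host inventory narrows the hunt to the destinations being hit; the host that is actually emitting the spoofed frames then has to be found on the wire (by MAC address at the switch port), since the IP source field is exactly what cannot be trusted here.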

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

