Full Disclosure mailing list archives

IMAP scans? Something going on I should know about?


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 14 Aug 2005 08:15:36 -0600

Hey all!

Here's a snippet:

Aug 14 07:44:28 homebox kernel: New,invalid TCP: IN=eth0 OUT=
MAC=00:04:75:80:dc:08:00:0f:90:27:ef:34:08:00 SRC=24.80.174.230
DST=24.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50579 DF
PROTO=TCP SPT=2796 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0 

Aug 14 07:44:29 homebox kernel: New,invalid TCP: IN=eth0 OUT=
MAC=00:04:75:80:dc:08:00:0f:90:27:ef:34:08:00 SRC=24.80.174.230
DST=24.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50631 DF
PROTO=TCP SPT=2796 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0 

Aug 14 07:44:29 homebox kernel: New,invalid TCP: IN=eth0 OUT=
MAC=00:04:75:80:dc:08:00:0f:90:27:ef:34:08:00 SRC=24.80.174.230
DST=24.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50673 DF
PROTO=TCP SPT=2796 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0 

Aug 14 07:59:08 homebox kernel: New,invalid TCP: IN=eth0 OUT=
MAC=00:04:75:80:dc:08:00:0f:90:27:ef:34:08:00 SRC=24.83.33.74
DST=24.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15538 DF
PROTO=TCP SPT=4348 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0

Been seeing a fair amount of these this month:

August: 83 from 24 unique IPs
July:   1
June:   3
Jan, Feb, Mar, Apr, May:        0

Source IP list for August:

Anything going on out there that I've missed?  Thanks!

James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
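
The per-month tally in the post (logged hits and unique sources for SYNs to port 143) can be reproduced from the raw syslog file with a small parser. This is an added example, not part of the original message; the sample lines are constructed with documentation-range addresses, and `parse_entry` and `tally_syn_probes` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample (documentation-range addresses), one entry per line as
# syslog writes it; the archived post wraps each entry over several lines.
SAMPLE_LOG = """\
Aug 14 07:44:28 homebox kernel: New,invalid TCP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=115 ID=50579 DF PROTO=TCP SPT=2796 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 14 07:44:29 homebox kernel: New,invalid TCP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=115 ID=50631 DF PROTO=TCP SPT=2796 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 14 07:59:08 homebox kernel: New,invalid TCP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=114 ID=15538 DF PROTO=TCP SPT=4348 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 14 08:01:00 homebox kernel: New,invalid TCP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=114 ID=15600 DF PROTO=TCP SPT=4350 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 14 08:02:00 homebox kernel: New,invalid TCP: IN=eth0 OUT= SRC=192.0.2.90 DST=198.51.100.5 LEN=40 TTL=60 ID=1 PROTO=TCP SPT=143 DPT=143 WINDOW=0 RES=0x00 ACK SYN URGP=0
Jul  2 11:20:41 homebox kernel: New,invalid TCP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=48 TTL=110 ID=7 DF PROTO=TCP SPT=1025 DPT=143 WINDOW=16384 RES=0x00 SYN URGP=0
"""

ENTRY = re.compile(r"^(?P<month>[A-Z][a-z]{2})\s+\d+\s+[\d:]+\s+\S+\s+kernel:\s+(?P<rest>.*)$")

def parse_entry(line):
    """Return (month, fields, flags) for a netfilter LOG line, else None."""
    m = ENTRY.match(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value      # KEY=value pairs such as SRC=, DPT=
        else:
            flags.add(token)         # bare tokens: DF and TCP flags (SYN, ACK, ...)
    return m.group("month"), fields, flags

def tally_syn_probes(log_text, dport=143):
    """Per month: (logged SYNs to dport, unique source addresses)."""
    hits, sources = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue                 # not a kernel firewall entry
        month, fields, flags = parsed
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(dport):
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue                 # keep connection-opening SYNs only
        hits[month] += 1
        sources[month].add(fields.get("SRC"))
    return {month: (hits[month], len(sources[month])) for month in hits}

if __name__ == "__main__":
    for month, (count, unique) in tally_syn_probes(SAMPLE_LOG).items():
        print(f"{month}: {count} from {unique} unique IPs")
```

The month key comes from the syslog timestamp, which carries no year, so a log spanning more than twelve months needs to be split before counting.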

