Security Incidents mailing list archives

Re: SMTP probes


From: Neil Dickey <neil () geol niu edu>
Date: Fri, 4 Apr 2003 23:09:04 -0600 (CST)


Rich Puhek <rpuhek () etnsystems com> wrote asking:

> Has anyone else noticed an upswing in port 25 probes over the last few days?

They aren't very common hereabouts, but I am seeing a few.  Six months
ago there weren't any, and there hadn't been any literally for years.

> I'm seeing fairly large quantities of connections to port 25 (on the
> order of one every several seconds) with no real SMTP transactions
> (logged by sendmail as "... did not issue MAIL/EXPN/VRFY/ETRN during
> connection to MTA")

That's what the old "null connection" error looks like in newer versions
of Sendmail.

> Perhaps something's probing for servers vulnerable to the recent sendmail
> problems?

Or looking for an open relay.  There are probably too many of them still
out there.

> A quick look with ngrep seems to show that a typical connection doesn't
> send any data, just connects to port 25 and goes away.

Yes.  You can duplicate the log message by telnetting to port 25 on
a machine running Sendmail, and then closing the connection without
issuing any commands.  This will show you what the scanner is getting
out of that null connection -- the version of Sendmail you're running.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
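The two practical points in the exchange above, as an added example that is not part of the original thread: a small detector that runs over sendmail's "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" log lines and flags sources reconnecting at the "one every several seconds" cadence, plus a parser for the 220 greeting showing exactly what a null connection hands a scanner (the Sendmail version). The log lines, host names, IPs and the greeting are constructed for the example; the thresholds in flag_scanners() are assumptions, not anything the posters specified.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): count null SMTP connections
per source in sendmail syslog output and show what the 220 banner reveals."""
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sendmail's syslog format (hosts/IPs assumed).
# Lines 1-3 and 5 are one source hammering port 25; line 4 is a real
# delivery; line 6 is a single null connection from somewhere else.
SAMPLE_LOG = """\
Apr  4 22:01:03 mx sendmail[1201]: h35401ab001201: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:01:09 mx sendmail[1204]: h35419ab001204: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:01:14 mx sendmail[1207]: h35414ab001207: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:01:20 mx sendmail[1210]: h35420ab001210: from=<alice@example.net>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.net [198.51.100.5]
Apr  4 22:01:21 mx sendmail[1213]: h35421ab001213: scan.example.org [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:40:02 mx sendmail[1300]: h35e02ab001300: probe.example.com [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Sendmail writes "relayhost [ip]" when reverse DNS works and just "[ip]"
# when it does not, so the hostname is optional.
NULL_CONN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"(?:\S+ )?\[(?P<ip>[\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN "
    r"during connection to MTA"
)


def parse_null_connections(log_text):
    """Return [(timestamp, source_ip)] for every null-connection log line."""
    events = []
    for line in log_text.splitlines():
        m = NULL_CONN_RE.match(line)
        if m:
            # syslog timestamps carry no year; fine for measuring intervals.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def summarize(events):
    """Per source IP: how many null connections, and the mean gap between them."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    summary = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        mean_gap = span / (len(stamps) - 1) if len(stamps) > 1 else None
        summary[ip] = {"count": len(stamps), "mean_gap_s": mean_gap}
    return summary


def flag_scanners(summary, min_count=3, max_mean_gap_s=30.0):
    """Sources that keep reconnecting every few seconds (thresholds assumed)."""
    return sorted(
        ip for ip, s in summary.items()
        if s["count"] >= min_count
        and s["mean_gap_s"] is not None
        and s["mean_gap_s"] <= max_mean_gap_s
    )


# Default sendmail greeting is "$j Sendmail $v/$Z; $b", i.e. host, version
# and date; this is all a null connection needs to fingerprint the MTA.
BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+(?:ESMTP\s+)?Sendmail\s+(?P<version>\S+?);"
)


def parse_banner(greeting):
    """Return (host, version) from a Sendmail 220 line, or None if hidden."""
    m = BANNER_RE.match(greeting)
    return (m.group("host"), m.group("version")) if m else None


def grab_banner(host, port=25, timeout=5.0):
    """Reproduce the null connection by hand: read the greeting, send no
    command, close. The server logs the 'did not issue ...' line; the
    caller keeps the banner. Not used by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()


if __name__ == "__main__":
    summary = summarize(parse_null_connections(SAMPLE_LOG))
    for ip in flag_scanners(summary):
        s = summary[ip]
        print(f"{ip}: {s['count']} null connections, mean gap {s['mean_gap_s']:.1f}s")
    # Constructed greeting in the default format; the version is assumed.
    print(parse_banner("220 mx.example.edu ESMTP Sendmail 8.12.8/8.12.8; "
                       "Fri, 4 Apr 2003 22:01:03 -0600"))
```

Running it against a real maillog is a matter of feeding the file's text to parse_null_connections(); the same null connection can be reproduced with telnet or netcat exactly as described above, and grab_banner() does nothing more than that. If the greeting should stop advertising the version, the m4 macro confSMTP_LOGIN_MSG controls that string in a sendmail.mc build.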

