Security Incidents mailing list archives
Re: SMTP probes
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 4 Apr 2003 23:09:04 -0600 (CST)
Rich Puhek <rpuhek () etnsystems com> wrote asking:
Has anyone else noticed an upswing in port 25 probes over the last few days?
They aren't very common hereabouts, but I am seeing a few. Six months ago there weren't any, and there hadn't been any literally for years.
I'm seeing fairly large quantities of connections to port 25 (on the order of one every several seconds) with no real SMTP transactions (logged by sendmail as "... did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA")
That's what the old "null connection" error looks like in newer versions of Sendmail.
Perhaps something's probing for servers vulnerable to the recent sendmail problems?
Or looking for an open relay. There are probably too many of them still out there.
A quick look with ngrep seems to show that a typical connection doesn't send any data, just connects to port 25 and goes away.
Yes. You can duplicate the log message by telnetting to port 25 on a machine running Sendmail, and then closing the connection without issuing any commands. This will show you what the scanner is getting out of that null connection -- the version of Sendmail you're running.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
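One way to measure the pattern discussed in this thread from the mail log, added here as an example and not part of the original messages: it counts Sendmail null-connection entries per source address and flags sources that reach a threshold inside a short window. The syslog line layout, the default year, and the function name `null_connection_bursts` are assumptions; the sample lines, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (hosts, PIDs, queue IDs and addresses are made up).
SAMPLE_LOG = """\
Apr  4 22:14:03 mx1 sendmail[2101]: h354E3a02101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:14:09 mx1 sendmail[2102]: h354E9a02102: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:14:15 mx1 sendmail[2103]: h354EFa02103: scan.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:15:40 mx1 sendmail[2110]: h354Fea02110: from=<a@example.org>, size=812, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
Apr  4 23:02:51 mx1 sendmail[2188]: h3552pa02188: host7.example.com [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Assumed layout: "<timestamp> <host> sendmail[pid]: <qid>: [name ][ip] did not issue ..."
# The command list after "MAIL/" is matched loosely so variant wordings still count.
NULL_CONN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+ "
    r"(?:\S+ )?\[(?P<ip>[0-9.]+)\](?: \(may be forged\))? "
    r"did not issue MAIL/\S+ during connection to \S+"
)

def null_connection_bursts(log_text, window_s=60, threshold=3, year=2003):
    """Return {ip: most null connections seen inside any window_s-second span}
    for every source that reaches `threshold`. Syslog omits the year, so it is passed in."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = NULL_CONN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most window_s seconds.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in null_connection_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} null connections within 60 s")
```

A single null connection is also what a monitoring check or an impatient client produces, so the threshold and window decide whether a source looks like a scanner rather than noise.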