Security Incidents mailing list archives
Re: SMTP probes
From: Bojan Zdrnja <Bojan.Zdrnja () LSS hr>
Date: Sat, 5 Apr 2003 22:23:22 +1200
Original message:
From: Rich Puhek <rpuhek () etnsystems com>
To: incidents () securityfocus com <incidents () securityfocus com>
Date: Saturday, April 5, 2003, 7:22:23 AM
Subject: SMTP probes
Has anyone else noticed an upswing in port 25 probes over the last few days?
I'm seeing fairly large quantities of connections to port 25 (on the order of one every several seconds) with no real SMTP transactions (logged by sendmail as "... did not issue MAIL/XPN/VRFY/ETRN during connection to MTA").
Perhaps something's probing for servers vulnerable to the recent sendmail problems?
A quick look with ngrep seems to show that a typical connection doesn't send any data, just connects to port 25 and goes away.
Although I didn't see any more empty SMTP connections on my servers than usual, this indicates at least banner grabbing. On unchanged installations, most SMTP servers will paste their version and/or the version of the configuration file. I suggest removing this from the configuration file (it can be done easily with all popular SMTP servers). Also, if you use Sendmail, do remember to remove the version from other places (i.e. when executing the HELP command, which will usually print the Sendmail version - most administrators forget to remove this).

Best regards,
Bojan Zdrnja
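A way to quantify the empty connections discussed in this thread, as an added example that is not part of either post: it counts, per source address, sendmail log entries of the "did not issue MAIL/.../ETRN during connection to MTA" kind. The syslog line layout, the sample lines and the threshold of 3 are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread); addresses come from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr  5 07:20:01 mail sendmail[2101]: h35JK1x02101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:20:07 mail sendmail[2102]: h35JK7x02102: scan.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:20:09 mail sendmail[2103]: h35JK9x02103: from=<a@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.org [198.51.100.7]
Apr  5 07:20:13 mail sendmail[2104]: h35JKDx02104: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:21:40 mail sendmail[2110]: h35JLex02110: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# The source is logged as "[ip]" or "hostname [ip]", followed by the message
# quoted in the thread. The command list is matched loosely on purpose.
EMPTY_RE = re.compile(
    r"sendmail\[\d+\]: \S+: (?:\S+ )?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\] "
    r"did not issue MAIL/\S+ during connection to MTA"
)


def empty_connections(log_text):
    """Count connections per source IP that ended without any mail command."""
    counts = Counter()
    for line in log_text.splitlines():
        match = EMPTY_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def repeat_sources(log_text, threshold=3):
    """Return (ip, count) pairs with at least `threshold` hits, busiest first.

    The threshold is an assumed value; tune it to the server's normal traffic.
    """
    ranked = empty_connections(log_text).most_common()
    return [(ip, n) for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    for ip, n in repeat_sources(SAMPLE_LOG):
        print(f"{ip}\t{n} empty SMTP connections")
```

Comparing the per-source counts from a normal day against the current log shows whether the volume is actually an upswing or the usual background level.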