Firewall Wizards mailing list archives
Spoofed SMTP _outbound_
From: "Jay Epperson" <jepperso () mail vak12ed edu>
Date: Wed, 16 Jan 2002 16:13:40 -0500
We're seeing source-spoofed traffic outbound from one of our segments to the SMTP port on a variety of outside addresses. The denials are like: denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets (not the real network numbers) Where the source address cycles through all addresses on the IP segment (1-254) and the destination stays fixed through such a run. Since the majority of the source addresses don't actually exist on our network, it smells like part of a DOS, or a one-way vulnerability attack intended to open up access to the target from somewhere besides here. Still working to capture enough information to identify the actual source platform, but if anyone can tell us what kind of animal we might be tracking, it could help. Boxes on the segment are all either Linux (new), HP-UX (mature), or AIX (ancient). Thanks for any help. Apologies in advance if this is an inappropriate posting for this forum. regards, j. jepperso () mail vak12ed edu _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Spoofed SMTP _outbound_ Jay Epperson (Jan 16)
- <Possible follow-ups>
- RE: Spoofed SMTP _outbound_ Karl Vogel (Jan 17)
- Re: Spoofed SMTP _outbound_ Antonomasia (Jan 18)
- Re: Spoofed SMTP _outbound_ epperson (Jan 23)