Security Incidents mailing list archives

Re: VRFY 000.000@my.domain


From: mtinberg () MADISON TEC WI US (Mark Tinberg)
Date: Mon, 22 May 2000 09:52:13 -0500


I saw something like this a while ago, from some server in an Exodus facility.  Possibly some network analyzer?

Here is the snippet from my old logs.

May  1 04:10:53 mail sendmail[17672]: NOQUEUE: [216.35.49.170]: VRFY 00000096@madison.tec.wi.us [rejected]
Apr 27 09:26:12 mail sendmail[7261]: NOQUEUE: [216.35.49.170]: VRFY 0000005580@madison.tec.wi.us [rejected]
Apr 18 20:20:39 mail sendmail[6359]: NOQUEUE: [216.35.49.170]: VRFY 0-pony-0@madison.tec.wi.us [rejected]
Apr 22 22:57:33 mail sendmail[32653]: NOQUEUE: [216.35.49.170]: VRFY 000.000@madison.tec.wi.us [rejected]

Eduardo Escalante  05/22/00 03:40 AM >>>
I recently got a few times some odd security alerts:

   VRFY 000.000@my.domain
   VRFY 00000096@my.domain
   VRFY 000001@my.domain
   VRFY 00000219@my.domain
   VRFY 0000028252@my.domain

Different days from the same IP. I doubt they were looking 
for valid users and half suspect some sort of weird Internet 
tool (a la 3DNS). Maybe it is checking for a trojan?

Similar logs or info about it (or guesses ;) appreciated.
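
As an added example (not part of either post): a small Python script that pulls rejected VRFY attempts out of sendmail syslog lines in the format quoted above and lists sources that probe several distinct addresses on several distinct days. The function names, the thresholds, the "hostname [ip]" relay form and the 192.0.2.44 entry are assumptions made for the example.

```python
import re
from collections import defaultdict

# Four entries are the log lines quoted in the post (the first left wrapped the
# way the archive shows it); the 192.0.2.44 entry is constructed for contrast.
SAMPLE_LOG = """\
May  1 04:10:53 mail sendmail[17672]: NOQUEUE: [216.35.49.170]: VRFY 00000096@ma
dison.tec.wi.us [rejected]
Apr 27 09:26:12 mail sendmail[7261]: NOQUEUE: [216.35.49.170]: VRFY 0000005580@madison.tec.wi.us [rejected]
Apr 18 20:20:39 mail sendmail[6359]: NOQUEUE: [216.35.49.170]: VRFY 0-pony-0@madison.tec.wi.us [rejected]
Apr 22 22:57:33 mail sendmail[32653]: NOQUEUE: [216.35.49.170]: VRFY 000.000@madison.tec.wi.us [rejected]
May  2 11:02:07 mail sendmail[18001]: NOQUEUE: [192.0.2.44]: VRFY postmaster@madison.tec.wi.us [rejected]
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# Assumption: the relay field is either "[ip]" or "hostname [ip]".
VRFY_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} [ \d]\d) \S+ \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?:\S+ )?\[(?P<ip>[^\]]+)\]: VRFY (?P<target>\S+) \[rejected\]")

def unwrap(log_text):
    """Rejoin entries that a mail client wrapped: glue any line that does
    not start with a syslog timestamp onto the line before it."""
    out = []
    for line in log_text.splitlines():
        if out and not TS_RE.match(line):
            out[-1] += line
        else:
            out.append(line)
    return out

def vrfy_probes(log_text):
    """Map source IP -> distinct VRFY targets and distinct days seen."""
    by_ip = defaultdict(lambda: {"targets": set(), "days": set()})
    for line in unwrap(log_text):
        m = VRFY_RE.match(line)
        if m:
            by_ip[m["ip"]]["targets"].add(m["target"].lower())
            by_ip[m["ip"]]["days"].add(" ".join(m["day"].split()))
    return dict(by_ip)

def repeat_probers(log_text, min_targets=3, min_days=2):
    """Sources that tried several addresses across several days."""
    # Thresholds are illustrative; tune them to the server's normal traffic.
    return sorted(
        ip for ip, seen in vrfy_probes(log_text).items()
        if len(seen["targets"]) >= min_targets and len(seen["days"]) >= min_days)

if __name__ == "__main__":
    print(repeat_probers(SAMPLE_LOG))
```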

