Security Incidents mailing list archives

Re: VRFY 000.000@my.domain


From: ms_mol () DDS NL (Lisa Saarloos)
Date: Tue, 23 May 2000 11:29:28 +0200


Hello,

Got the same messages in the logs here, seems to be something
automated... Although it's being rejected, I still want to know what it
is and where it's coming from...

Apr 25 18:34:15 ourhost sendmail[1741]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 000.000 () domain1 nl [rejected]
Apr 26 05:18:19 ourhost sendmail[6412]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 000.000 () domain2 nl [rejected]
May  3 17:01:40 ourhost sendmail[20558]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 00000096 () domain1 nl [rejected]
May  4 02:25:08 ourhost sendmail[26770]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 00000096 () domain2 nl [rejected]
May 12 05:53:12 ourhost sendmail[9647]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 00000219 () domain1 nl [rejected]
May 12 16:02:02 ourhost sendmail[28276]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 00000219 () domain2 nl [rejected]
May 19 22:05:52 ourhost sendmail[5763]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 0000041802 () domain1 nl [rejected]
May 20 06:24:15 ourhost sendmail[8580]: NOQUEUE:
IDENT:root@[216.35.49.170]: VRFY 0000041802 () domain2 nl[rejected]

jamie

| -----Original Message-----
| From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
| Behalf Of Mark Tinberg
| Sent: maandag 22 mei 2000 16:52
| To: INCIDENTS () SECURITYFOCUS COM
| Subject: Re: VRFY 000.000@my.domain
|
|
| I saw something like this a while ago, from some server in an
| Exodus facility.  Possibly some network analyzer?
|
| Here is the snippet from my old logs.
|
| May  1 04:10:53 mail sendmail[17672]: NOQUEUE: [216.35.49.170]:
| VRFY 00000096@madison.tec.wi.us [rejected]
| Apr 27 09:26:12 mail sendmail[7261]: NOQUEUE: [216.35.49.170]:
| VRFY 0000005580@madison.tec.wi.us [rejected]
| Apr 18 20:20:39 mail sendmail[6359]: NOQUEUE: [216.35.49.170]:
| VRFY 0-pony-0@madison.tec.wi.us [rejected]
| Apr 22 22:57:33 mail sendmail[32653]: NOQUEUE: [216.35.49.170]:
| VRFY 000.000@madison.tec.wi.us [rejected]
|
| >>> Eduardo Escalante  05/22/00 03:40 AM >>>
| I recently got a few times some odd security alerts:
|
|    VRFY 000.000@my.domain
|    VRFY 00000096@my.domain
|    VRFY 000001@my.domain
|    VRFY 00000219@my.domain
|    VRFY 0000028252@my.domain
|
| Different days from the same IP. I doubt they were looking
| for valid users and half suspect some sort of weird Internet
| tool (a la 3DNS). Maybe it is checking for a trojan?
|
| Similar logs or info about it (or guesses ;) appreciated.
|
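
Added example, not part of the original posts: one way to pull rejected-VRFY entries like the ones quoted in this thread out of a sendmail log and group them by client address, so repeat probing from one source across several domains stands out. The function name, threshold and sample lines are assumptions made for illustration; the sample lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict

# sendmail's entry for a refused VRFY, with or without an IDENT prefix
# in front of the bracketed client address.
VRFY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sendmail\[\d+\]:\s+NOQUEUE:\s+"
    r"(?:\S*@)?\[(?P<ip>[\d.]+)\]:\s+VRFY\s+(?P<arg>\S+)\s*\[rejected\]"
)

def vrfy_probes(lines, min_hits=3):
    """Group rejected VRFY attempts by client IP; keep sources seen min_hits+ times."""
    by_ip = defaultdict(lambda: {"hits": 0, "locals": set(), "domains": set(),
                                 "first": None, "last": None})
    for line in lines:
        m = VRFY_RE.match(line.strip())
        if not m:
            continue
        rec = by_ip[m["ip"]]
        local, _, domain = m["arg"].partition("@")
        rec["hits"] += 1
        rec["locals"].add(local)
        if domain:
            rec["domains"].add(domain.lower())
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    report = {}
    for ip, rec in by_ip.items():
        if rec["hits"] >= min_hits:
            # Local parts without letters (000.000, 00000096) are not name guesses.
            rec["non_name"] = sum(not re.search(r"[A-Za-z]", lp) for lp in rec["locals"])
            report[ip] = rec
    return report

# Constructed sample lines: documentation addresses and example domains.
SAMPLE = [
    "Apr 25 18:34:15 mx1 sendmail[1741]: NOQUEUE: IDENT:root@[192.0.2.10]: VRFY 000.000@a.example [rejected]",
    "Apr 26 05:18:19 mx1 sendmail[6412]: NOQUEUE: IDENT:root@[192.0.2.10]: VRFY 000.000@b.example [rejected]",
    "May  3 17:01:40 mx1 sendmail[20558]: NOQUEUE: [192.0.2.10]: VRFY 00000096@a.example [rejected]",
    "May  4 02:25:08 mx1 sendmail[26770]: NOQUEUE: [192.0.2.10]: VRFY 0-pony-0@a.example[rejected]",
    "May  5 09:00:00 mx1 sendmail[300]: NOQUEUE: [198.51.100.7]: VRFY postmaster [rejected]",
    "May  5 09:00:01 mx1 sendmail[301]: from=<x@a.example>, size=100, nrcpts=1",
]

if __name__ == "__main__":
    for ip, rec in vrfy_probes(SAMPLE).items():
        print(ip, rec["hits"], "hits", rec["first"], "to", rec["last"],
              sorted(rec["domains"]), "non-name targets:", rec["non_name"])
```

Feed it whole log lines as sendmail writes them; entries that a mail client has wrapped onto two lines, as in the messages above, need to be rejoined first.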

