Security Incidents mailing list archives

Re: Attacks on port 25


From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Fri, 26 May 2000 14:27:32 -0700


On Fri, 26 May 2000, Vincent Lim wrote:

=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from
host:
f139.law8.hotmail.com/216.33.241.139 to TCP port: 25

Well, basically it's indicating that you're getting connections to port
25.  This would indicate people probing for mail servers.  This might be
considered hostile *IF* you're not running a mail server.  I suspect
you're running a mail server on that port, and other mail servers are just
trying to send you mail.  By alerting on and blocking these machines,
you're cutting your mail access off.

May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from
host:
lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:28:21 pop3 portsentry[358]: attackalert: Host:
lists.securityfocus.com/207.126.127.68 is already blocked Ignoring

As you can see... list.securityfocus.com is among the attackers.
What could this mean?

It means you're subscribed to one of our lists... and you're probably not
going to get this reply. :)

I can say pretty confidently that we're not attacking you in any way.  I
think you're just monitoring for activity which could be suspicious on a
non-mail server, but is just fine on a machine that is supposed to get
mail.

                                        Ryan
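
The triage described in the reply above, as an added example that is not part of the original message or of PortSentry: it rejoins the wrapped log entries, then separates alerts on ports the host deliberately serves from alerts that still deserve a look, and lists peers that were blocked only for using a served port. The served-port set and the last sample entry (scanner.example.net, 192.0.2.10, port 111) are assumptions constructed for illustration.

```python
import re

# Assumption: this host intentionally serves SMTP (25) and POP3 (110) over TCP.
SERVICE_PORTS = {25, 110}
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
SCAN_RE = re.compile(
    r"attackalert: \S+ scan from\s+host:\s+(?P<name>[^/\s]+)/(?P<ip>[\d.]+)"
    r"\s+to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCKED_RE = re.compile(
    r"attackalert: Host:\s+(?P<name>[^/\s]+)/(?P<ip>[\d.]+) is already blocked")

def unwrap(text):
    """Rejoin syslog entries that mail wrapping split across several lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TIMESTAMP_RE.match(line) or not entries:
            entries.append(line)          # a timestamp starts a new entry
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def triage(entries, service_ports=SERVICE_PORTS):
    """Classify scan alerts and find peers blocked only for using a served port."""
    expected, suspicious, blocked = [], [], set()
    for entry in entries:
        scan = SCAN_RE.search(entry)
        block = BLOCKED_RE.search(entry)
        if scan:
            hit = (scan["name"], scan["ip"], int(scan["port"]))
            legit = scan["proto"] == "TCP" and hit[2] in service_ports
            (expected if legit else suspicious).append(hit)
        elif block:
            blocked.add(block["ip"])
    served = {ip for _, ip, _ in expected} - {ip for _, ip, _ in suspicious}
    return {"expected": expected, "suspicious": suspicious,
            "wrongly_blocked": sorted(blocked & served)}

# First three entries are the ones quoted above, wrapped as posted;
# the last entry is constructed for this example.
SAMPLE_LOG = """\
May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from
host:
f139.law8.hotmail.com/216.33.241.139 to TCP port: 25
May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from
host:
lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:28:21 pop3 portsentry[358]: attackalert: Host:
lists.securityfocus.com/207.126.127.68 is already blocked Ignoring
May 26 11:40:02 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: scanner.example.net/192.0.2.10 to TCP port: 111
"""
```

Calling `triage(unwrap(SAMPLE_LOG))` returns the three groups; any port that shows up under `expected` is one the monitor should stop watching on this host.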

