Re: Re: Odd sendmail behavior

[Nigel Frankcom <nigel () blue-canoe net>]

Just a thought....
Could it be a probe for a webmail interface?

On Thu, 05 Sep 2002 13:07:29 -0700, you wrote:

> At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:
>
> > I saved a full session of one of the attempts on my local machine (seven
> > packets worth) from ethereal. There was also an initial attempt to validate
> > as user "tcpwrappers" which I found a bit odd. Those are the only things
> > beyond log entries, and of course the packets are incomplete (since the
> > attempts were blocked). The odd and unique thing is that the initial
> > payload was:
> >
> > > GET http://www.yahoo.com/ HTTP/1.1
> > > Host: www.yahoo.com
> > > Accept: */*
> > > Pragma: no-cache
> > > User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
>
> That looks like someone scanning for a proxy server.  Typically these scans 
> are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found 
> a reason to look for proxy servers on SMTP ports.
>
> Michael Katz
> mike () procinct com
> Procinct Security
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com