Security Incidents mailing list archives

Re: SMTP probes


From: Bojan Zdrnja <Bojan.Zdrnja () LSS hr>
Date: Sat, 5 Apr 2003 22:23:22 +1200

Original message:

From:    Rich Puhek <rpuhek () etnsystems com>
To:      incidents () securityfocus com <incidents () securityfocus com>
Date:    Saturday, April 5, 2003, 7:22:23 AM
Subject: SMTP probes

Has anyone else noticed an upswing in port 25 probes over the last few days?

I'm seeing fairly large quantities of connections to port 25 (on the 
order of one every several seconds) with no real SMTP transactions 
(logged by sendmail as "... did not issue MAIL/XPN/VRFY/ETRN during 
connection to MTA")

Perhaps something's probing for servers vulnerable to the recent sendmail 
problems?

A quick look with ngrep seems to show that a typical connection doesn't 
send any data, just connects to port 25 and goes away.

Although I didn't see any more empty SMTP connections on my servers than
usual, this indicates at least banner grabbing.
On unchanged installations, most SMTP servers will paste their version and/or
the version of their configuration file.

I suggest removing this from the configuration file (it can be done easily with
all popular SMTP servers). Also, if you use Sendmail, do remember to remove
the version from other places (i.e. when executing the HELP command, which will
usually print the Sendmail version - most administrators forget to remove this).

Best regards,

Bojan Zdrnja
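
The empty sessions described in this thread can be counted per source from the mail log. The following is an added example, not code from either poster: the syslog line layout, the sample lines, the year, and the threshold and window values are assumptions, and the pattern accepts both the `XPN` spelling quoted above and `EXPN`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed syslog layout; IPs are documentation ranges.
SAMPLE_LOG = """\
Apr  5 07:20:01 mx1 sendmail[2101]: h35JK1a02101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:20:07 mx1 sendmail[2102]: h35JK7a02102: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:20:13 mx1 sendmail[2103]: h35JKDa02103: [192.0.2.10] did not issue MAIL/XPN/VRFY/ETRN during connection to MTA
Apr  5 07:20:19 mx1 sendmail[2104]: h35JKJa02104: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:20:30 mx1 sendmail[2105]: h35JKUa02105: host.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  5 07:21:00 mx1 sendmail[2106]: h35JL0a02106: from=<user@example.org>, size=1204, nrcpts=1, relay=mail.example.org [203.0.113.5]
Apr  5 07:45:00 mx1 sendmail[2107]: h35Jj0a02107: host.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Timestamp, host, sendmail[pid], queue id, optional reverse name, [ip], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\] did not issue MAIL/E?XPN/VRFY/ETRN"
)

def parse_empty_sessions(text, year=2003):
    """Return (timestamp, source_ip) for each session that sent no SMTP commands."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so it is supplied by the caller
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events

def flag_probers(events, threshold=3, window=timedelta(minutes=1)):
    """Map source IP -> peak empty-session count inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_probers(parse_empty_sessions(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} empty SMTP sessions within one minute")
```
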

