Re: Checking for sendmail attacks (was Re: SA-03:04.sendmail Bin Update)
From: Mike Tancsa (mike sentex.net)
Date: Tue Mar 04 2003 - 13:13:59 CST
210.157.1.15 is where the spam was coming from. I checked the actual
message, and it's just plain old spam. Looking through past logs, we get
lots of crap from that /24
Feb 27 02:30:37 smtp1 sendmail[32992]: h1R7UZqj032992: from=<nobody cgi05.interq.net>, size=1351, class=0, nrcpts=1, msgid=<200302270730.QAA04061 cgi05.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi05.interq.net [210.157.1.6]
Feb 27 02:30:40 smtp1 sendmail[32994]: h1R7UZqj032992: to=<arthurms sentex.net>, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30719, relay=spamscanner.sentex.ca. [64.7.128.115], dsn=2.0.0, stat=Sent (h1R7Ub5J048839 Message accepted for delivery)
smtp1#
It's probably just an open relay, or a spam friendly network.... However,
the way that they are formatting the spam seems to trigger the log message.
At 01:53 PM 04/03/2003 -0500, Geoffrey wrote:
> I've been seeing attempted traffic from 218.50.225.80 since 6 am
>est to my port 25 at 3 hr intervals. Other traffic from 218.50 (139, 111)
>suggests something else odd from that net is not cool.
> Have you been able to pick out an originating ip?
There are so many worms and people scanning, it's like cosmic background
radiation. In fact, if there were not hits on those other ports
(139,111,161,80) against my network I would be more alarmed as I would
think my network had been black-holed....
---Mike
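
Added example, not part of the original message: one way to pull the connecting relay IP out of sendmail from= records like the ones quoted above and count accepted messages per source /24. The log lines, host names and addresses in SAMPLE_LOG are constructed, and only IPv4 relays in the bracketed form shown in the thread are handled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in sendmail syslog format (not taken from the thread).
SAMPLE_LOG = """\
Feb 27 02:30:37 mx1 sendmail[101]: h1R7UZqj000101: from=<a@example.net>, size=1351, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=host6.example.net [192.0.2.6]
Feb 27 02:30:40 mx1 sendmail[102]: h1R7UZqj000101: to=<user@example.org>, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30719, relay=scanner.example.org. [198.51.100.115], dsn=2.0.0, stat=Sent (ok)
Feb 27 03:10:02 mx1 sendmail[103]: h1R8A1qj000103: from=<b@example.net>, size=900, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=[192.0.2.15]
Feb 27 04:00:00 mx1 sendmail[104]: h1R900qj000104: from=<c@example.com>, size=500, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.9]
"""

# Queue ID followed by a from= record; the connecting relay's IP is the
# bracketed address at the end of the line. to= records (outbound hops,
# such as a downstream spam scanner) are deliberately not matched.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=.*relay=.*\[(?P<ip>[0-9.]+)\]\s*$"
)


def inbound_relays(log_text):
    """Map queue ID -> connecting relay IP, using only from= records."""
    relays = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            relays[m.group("qid")] = m.group("ip")
    return relays


def count_by_slash24(relays):
    """Count accepted messages per source /24 network."""
    counts = Counter()
    for ip in relays.values():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    for net, n in count_by_slash24(inbound_relays(SAMPLE_LOG)).most_common():
        print(f"{net}\t{n}")
```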