Re: SMTP probes
From: Neil Dickey (neil geol.niu.edu)
Date: Fri Apr 04 2003 - 23:09:04 CST
Rich Puhek <rpuhek etnsystems.com> wrote asking:

>Has anyone else noticed an upswing in port 25 probes over the last few days?

They aren't very common hereabouts, but I am seeing a few. Six months
ago there weren't any, and there hadn't been any literally for years.

>I'm seeing fairly large quantities of connections to port 25 (on the
>order of one every several seconds) with no real SMTP transactions
>(logged by sendmail as "... did not issue MAIL/EXPN/VRFY/ETRN during
>connection to MTA")

That's what the old "null connection" error looks like in newer versions
of Sendmail.

>Perhaps something's probing for servers vulnerable to the recent sendmail
>problems?

Or looking for an open relay. There are probably too many of them still
out there.

>A quick look with ngrep seems to show that a typical connection doesn't
>send any data, just connects to port 25 and goes away.

Yes. You can duplicate the log message by telnetting to port 25 on
a machine running Sendmail, and then closing the connection without
issuing any commands. This will show you what the scanner is getting
out of that null connection -- the version of Sendmail you're running.

Best regards,
Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
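
A log check for the pattern discussed in this thread, as an added example that is not part of either poster's message: it pulls the "did not issue ... during connection to MTA" entries out of sendmail syslog lines and flags source addresses that repeat them within a short window. The sample lines, the 60-second window and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation addresses), not from the original post.
SAMPLE_LOG = """\
Apr  4 22:58:01 mail sendmail[2101]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:58:07 mail sendmail[2102]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:58:13 mail sendmail[2103]: h354wDaB002103: scanner.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:58:19 mail sendmail[2104]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 22:58:30 mail sendmail[2105]: h354wUaB002105: from=<a@example.org>, size=1204, nrcpts=1, relay=mx.example.org [203.0.113.5]
Apr  4 22:59:40 mail sendmail[2106]: NOQUEUE: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Matches the null-connection entry with or without a resolved host name before the [ip].
NULL_CONN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?:sendmail|sm-mta)\[\d+\]:\s"
    r"(?P<qid>\S+):\s(?:(?P<host>\S+)\s)?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?:\s\(may be forged\))?\sdid not issue \S+ during connection to \S+"
)

def null_connections(log_text, year):
    """Return (timestamp, source_ip) for each null-connection line; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = NULL_CONN.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day ("Apr  4")
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def flag_probers(events, window=timedelta(seconds=60), threshold=3):
    """Map each source IP to its peak null-connection count in any window, if >= threshold."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_probers(null_connections(SAMPLE_LOG, 2003)))
```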