From: Jester, Allen (AJester_at_chpk.com)
Date: Tue Nov 19 2002 - 15:18:07 CST

    jonathan.schimkaitispfpc.com

    -----Original Message-----
    From: snort-users-requestlists.sourceforge.net
    [mailto:snort-users-requestlists.sourceforge.net]
    Sent: Tuesday, November 19, 2002 3:04 PM
    To: snort-userslists.sourceforge.net
    Subject: Snort-users digest, Vol 1 #2508 - 4 msgs

    Send Snort-users mailing list submissions to
            snort-userslists.sourceforge.net

    To subscribe or unsubscribe via the World Wide Web, visit
            https://lists.sourceforge.net/lists/listinfo/snort-users
    or, via email, send a message with subject or body 'help' to
            snort-users-requestlists.sourceforge.net

    You can reach the person managing the list at
            snort-users-adminlists.sourceforge.net

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of Snort-users digest..."

    Today's Topics:

       1. GNUTELLA goes berserk (Distribution Lists)
       2. RE: spam (Distribution Lists)
       3. RE: spam (Don)
       4. RE: spam (Chris Merkel)

    --__--__--

    Message: 1
    Date: Tue, 19 Nov 2002 13:33:20 -0600 (CST)
    From: "Distribution Lists" <dist-listse-securenetworks.net>
    To: <snort-userslists.sourceforge.net>
    Subject: [Snort-users] GNUTELLA goes berserk

    I noticed this a while back. Every now and then Snort will pick up lots of
    portscans on port 6346, which is used by Gnutella.

    I know that there are users on my private LAN that use Gnutella, but
    not at the times that Snort has detected the portscans.

    Has anyone seen anything similar?

    Any explanation for this?

    07/24-03:26:00.670670 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-03:30:29.695242 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-03:31:34.950557 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-03:32:42.764238 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-03:33:40.086794 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-03:35:41.910639 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-03:36:51.916230 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-14:51:24.972247 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-14:54:22.552018 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-14:57:36.724448 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-15:19:40.723331 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-15:22:12.266157 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-15:27:32.316704 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-15:28:36.327405 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-15:29:40.338466 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-15:31:20.204561 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-16:19:59.870509 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-16:23:56.688415 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
    07/24-16:28:48.996486 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
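
A triage helper for alerts like these, added here as an example and not part of the original post: it parses the spp_portscan lines (tolerating the mail client's line wrap) and groups them into bursts per source and port, so the burst windows can be compared with the times LAN users actually ran Gnutella. The function names, the 10-minute gap and the year are assumptions; the alerts themselves carry no year.

```python
import re
from datetime import datetime, timedelta

# Five of the alerts from the post, still wrapped the way the mail left them.
SAMPLE = """\
07/24-03:35:41.910639 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-03:36:51.916230 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:51:24.972247 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:54:22.552018 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
07/24-14:57:36.724448 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED to
    port 6346 from 148.63.173.101 (STEALTH) [**]
"""

ALERT = re.compile(
    r"(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"spp_portscan:\s+PORTSCAN\s+DETECTED\s+to\s+port\s+(\d+)\s+"
    r"from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\((\w+)\)"
)

def parse_alerts(text, year=2002):
    """Return (time, port, source, kind) tuples; the year is an assumed value."""
    return [(datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f"), int(port), src, kind)
            for ts, port, src, kind in ALERT.findall(text)]

def bursts(alerts, gap=timedelta(minutes=10)):
    """Group alerts per (source, port); a silence longer than `gap` starts a new burst."""
    out = {}
    for when, port, src, _ in sorted(alerts):
        runs = out.setdefault((src, port), [])
        if runs and when - runs[-1][1] <= gap:
            runs[-1][1], runs[-1][2] = when, runs[-1][2] + 1
        else:
            runs.append([when, when, 1])  # [first seen, last seen, alert count]
    return out

def report(text):
    return [f"{src} -> port {port}: {start:%m/%d %H:%M}-{end:%H:%M} ({n} alerts)"
            for (src, port), runs in bursts(parse_alerts(text)).items()
            for start, end, n in runs]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
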

    --__--__--

    Message: 2
    Date: Tue, 19 Nov 2002 13:36:46 -0600 (CST)
    Subject: RE: [Snort-users] spam
    From: "Distribution Lists" <dist-listse-securenetworks.net>
    To: <Keith.McCammoneadvancemed.com>
    Cc: <snort-userslists.sourceforge.net>

    Report those AOL MTAs to mail-abuse, get them added to the RBL database.
    That will teach AOL :)

    > Wow. Spam.
    >
    >> -----Original Message-----
    >> From: Ted Stringer [mailto:TedSlancasterlawyers.com]
    >> Sent: Tuesday, November 19, 2002 11:19 AM
    >> To: snort-userslists.sourceforge.net
    >> Subject: [Snort-users] spam
    >>
    >>
    >> I was just wondering if anyone else was getting spam from AOL
    >> mail servers with the from address the same as the to
    >> address. This just started showing up in my boss's mailbox.
    >>
    >> Ted Stringer
    >> tedslancasterlawyers.com
    >> Systems Administrator
    >> Lancaster & Eure P.A.
    >>
    >>
    >> -------------------------------------------------------
    >> This sf.net email is sponsored by: To learn the basics of securing
    >> your web site with SSL, click here to get a FREE TRIAL of a Thawte
    >> Server Certificate: http://www.gothawte.com/rd524.html
    >> _______________________________________________
    >> Snort-users mailing list
    >> Snort-userslists.sourceforge.net
    >> Go to this URL to change user options or unsubscribe:
    >> https://lists.sourceforge.net/lists/listinfo/snort-users
    >> Snort-users list archive:
    >> http://www.geocrawler.com/redir-sf.php3?list=ort-users
    >>
    >
    >

    --__--__--

    Message: 3
    From: "Don" <DonWeberOnTheWeb.com>
    To: <snort-userslists.sourceforge.net>
    Subject: RE: [Snort-users] spam
    Date: Tue, 19 Nov 2002 11:40:06 -0800

    Someone is trying to use your mailserver as a gateway. It is a common
    spammer technique to use the localhost as the from address for spam, and
    basically your mail server has no anti-spam measures in place. Get me off
    list and I can point you in a good direction to help alleviate that.
    don at weberontheweb dot com

    > >-----Original Message-----
    > >From: snort-users-adminlists.sourceforge.net
    > >[mailto:snort-users-adminlists.sourceforge.net]On Behalf Of Ted
    > >Stringer
    > >Sent: Tuesday, November 19, 2002 10:33 AM
    > >To: McCammon, Keith; snort-userslists.sourceforge.net
    > >Subject: RE: [Snort-users] spam
    > >
    > >
    > >I know it was kinda a moronic (is that a word) question. The
    > >thing that got my interest was the using the same address in the
    > >from and to fields. I just thought it might be something new
    > >that the spammers were trying to get by blacklists.
    > >
    > >Ted Stringer
    > >tedslancasterlawyers.com
    > >Systems Administrator
    > >Lancaster & Eure P.A.
    > >
    > >-----Original Message-----
    > >From: McCammon, Keith [mailto:Keith.McCammoneadvancemed.com]
    > >Sent: Tuesday, November 19, 2002 13:17
    > >To: snort-userslists.sourceforge.net
    > >Subject: RE: [Snort-users] spam
    > >
    > >
    > >Wow. Spam.
    > >
    > >> -----Original Message-----
    > >> From: Ted Stringer [mailto:TedSlancasterlawyers.com]
    > >> Sent: Tuesday, November 19, 2002 11:19 AM
    > >> To: snort-userslists.sourceforge.net
    > >> Subject: [Snort-users] spam
    > >>
    > >>
    > >> I was just wondering if anyone else was getting spam from AOL
    > >> mail servers with the from address the same as the to
    > >> address. This just started showing up in my boss's mailbox.
    > >>
    > >> Ted Stringer
    > >> tedslancasterlawyers.com
    > >> Systems Administrator
    > >> Lancaster & Eure P.A.
    > >>
    > >>
    > >

    --__--__--

    Message: 4
    From: Chris Merkel <chrismgeo-synthetics.com>
    To: snort-userslists.sourceforge.net
    Subject: RE: [Snort-users] spam
    Date: Tue, 19 Nov 2002 13:54:47 -0600

    Anyone can do this, there's no trickiness involved:

    From: spammeraol.com
    To: spammeraol.com
    Bcc: yourbossshouldbeusingaol.com, everyoneelse.com, etc.

    The message that comes through looks exactly like the one you described.
    Nothing wrong with sending mail to yourself, especially if you have multiple
    personalities like me (and me).

    ;-)

    Chris Merkel

    > -----Original Message-----
    > From: Ted Stringer [mailto:TedSlancasterlawyers.com]
    > Sent: Tuesday, November 19, 2002 12:33 PM
    > To: McCammon, Keith; snort-userslists.sourceforge.net
    > Subject: RE: [Snort-users] spam
    >
    >
    > I know it was kinda a moronic (is that a word) question. The
    > thing that got my interest was the using the same address in
    > the from and to fields. I just thought it might be something
    > new that the spammers were trying to get by blacklists.
    >
    > Ted Stringer
    > tedslancasterlawyers.com
    > Systems Administrator
    > Lancaster & Eure P.A.
    >
    > -----Original Message-----
    > From: McCammon, Keith [mailto:Keith.McCammoneadvancemed.com]
    > Sent: Tuesday, November 19, 2002 13:17
    > To: snort-userslists.sourceforge.net
    > Subject: RE: [Snort-users] spam
    >
    >
    > Wow. Spam.
    >
    > > -----Original Message-----
    > > From: Ted Stringer [mailto:TedSlancasterlawyers.com]
    > > Sent: Tuesday, November 19, 2002 11:19 AM
    > > To: snort-userslists.sourceforge.net
    > > Subject: [Snort-users] spam
    > >
    > >
    > > I was just wondering if anyone else was getting spam from AOL
    > > mail servers with the from address the same as the to
    > > address. This just started showing up in my boss's mailbox.
    > >
    > > Ted Stringer
    > > tedslancasterlawyers.com
    > > Systems Administrator
    > > Lancaster & Eure P.A.
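
The header pattern described in Message 4, seen from the receiving side, as an added example that is not part of the original thread: a filter-side check that compares the visible From/To/Cc headers with the envelope recipient. The function names are hypothetical, the messages and addresses are constructed placeholders, and it is assumed the MTA hands the filter the RCPT TO address.

```python
from email import message_from_string
from email.utils import getaddresses

def header_addrs(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = [v for name in names for v in msg.get_all(name, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def classify(raw, envelope_rcpt):
    """Compare the visible headers with the envelope recipient (RCPT TO) the MTA saw."""
    msg = message_from_string(raw)
    sender, to = header_addrs(msg, "From"), header_addrs(msg, "To")
    visible = to | header_addrs(msg, "Cc")
    return {
        # From and To carry the same address, as in the spam described.
        "self_addressed": bool(sender) and sender == to,
        # The local recipient is in neither To nor Cc, so it was a Bcc-style
        # envelope recipient. Mailing-list mail looks like this too, so treat
        # it as context for scoring, not as a verdict.
        "blind_delivery": envelope_rcpt.lower() not in visible,
    }

# Constructed messages; all addresses are placeholders.
SPAM_LIKE = "From: sender@example.com\nTo: sender@example.com\nSubject: offer\n\nbody\n"
NOTE_TO_SELF = "From: me@example.org\nTo: me@example.org\nSubject: reminder\n\nbody\n"
ORDINARY = "From: Alice <alice@example.net>\nTo: boss@example.org\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for raw, rcpt in [(SPAM_LIKE, "boss@example.org"),
                      (NOTE_TO_SELF, "me@example.org"),
                      (ORDINARY, "boss@example.org")]:
        print(rcpt, classify(raw, rcpt))
```

A genuine note to oneself is self-addressed but not blind; only the combination of both flags matches the messages described in the thread.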

    --__--__--

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/snort-users

    End of Snort-users Digest
