RE: [Full-Disclosure] TCP port 25 traffic?

From: Josh Karp (josh.karp_at_visionael.com)
Date: 08/17/03

  • Next message: Ron DuFresne: "[Full-Disclosure] [Fwd: Edwards AFB shut down by W32Blaster] (fwd)" 
    To: full-disclosure@lists.netsys.com
Date: Sun, 17 Aug 2003 08:48:39 -0700

    Alright, sorry for the lack of info in my original post.
     
    I'm not running a mail server anywhere on my network. I don't have TCP 25
    open to anywhere.
     
    What I'm seeing lately is a huge increase in SMTP probes and I'm wondering
    if there's something new out in the wild for SMTP.
     
    Thanks again... josh
     
    -----Original Message-----
    From: Joel R. Helgeson [mailto:joel@helgeson.com]
    Sent: Saturday, August 16, 2003 10:15 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] TCP port 25 traffic?
     
    Yeah, I think its called SPAM, not new though....
    Try connecting to your server via telnet on port 25 and see if you can get
    an interactive connection.
     
    type in the following commands:
    expn
    vrfy
     
    and see if they are accepted. If so, your server is open to possible
    attack.
     
    telnet://192.168.0.1:25 <telnet://192.168.0.1:25> will open a telnet
    session to your server on port 25
     
    Joel R. Helgeson
    Director of Networking & Security Services
    SymetriQ Corporation
     
    "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
    be warm for the rest of his life."
    ----- Original Message -----
    From: Josh Karp <mailto:josh.karp@visionael.com>
    To: 'full-disclosure@lists.netsys.com'
    <mailto:'full-disclosure@lists.netsys.com'>
    Sent: Saturday, August 16, 2003 5:45 PM
    Subject: [Full-Disclosure] TCP port 25 traffic?
     
    I've seen an unusual amount of connection attempts to TCP port 25 on a
    particular system in my network as of the past 48 hours or so. It's only
    this one system, and it's multiple source IP's. Is there anything new for
    SMTP?
    Thanks for any info... josh

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Ron DuFresne: "[Full-Disclosure] [Fwd: Edwards AFB shut down by W32Blaster] (fwd)"

    Relevant Pages

    • Re: SCO 5.0.7 MP5 network hung up
      ... instead of the server I was reloading. ... The system was still inaccessible via the network. ... It is probably the case, with some minor exceptions, that whatever `tcp ... is still seeing the streams memory leakage with its NIC on IRQ11. ...
      (comp.unix.sco.misc)
    • Re: DCOM event ID 10009 errors
      ... The error that you mentioned in the "Symptoms" section is frequently a network communications error. ... TCP port collisions are occurring. ... The activation page for a COM+ proxy application contains a Remote Server Name property. ... For more information about how to determine TCP port usage when you troubleshoot TCP/IP connectivity issues, click the following article numbers to view the articles in the ...
      (microsoft.public.windows.server.sbs)
    • ISA 2004 Publishing Rules
      ... ISA2004 isolates several secure domain servers from the rest of our network. ... We use two ports for our application: TCP 1240 and TCP 1188. ... I created two server publishing rules, ... traffic, denied connection, default rule, source net external, dest net ...
      (microsoft.public.isa.publishing)
    • Re: [fw-wiz] Blocking Google Talk
      ... network traffic based on network service and content. ... Google Talk uses transport layer security for login (TCP 443) and XMPP ... for XML Jabber communication (TCP port 5222) prior to clients talking ...
      (Firewall-Wizards)
    • Re: Strange network issue in freebsd 8
      ... I have configured NFS clients to use TCP. ... Right now, server is working ... The servers loses network connection once in a few days. ... Jan 23 02:29:58 myserver reboot: rebooted by root ...
      (freebsd-hackers)