Re: SMTP Attacks?

From: Barry Dorrans (barryd_at_IDUNNO.ORG)
Date: 04/12/05

  • Next message: Russ: "Administrivia: Sorry about the delayed mails"
    Date:         Tue, 12 Apr 2005 15:00:51 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    > Has anyone seen this showing up in their SMTP server logs?
    >

    > Apr 2005 04:55:55 -0500
    > Fri 2005-04-01 04:55:55: <-- POST / HTTP/1.0
    > Fri 2005-04-01 04:55:55: --> 500 What? I don't understand that.
    > Fri 2005-04-01 04:55:55: <-- Host: combine.com:25
    > Fri 2005-04-01 04:55:55: --> 500 What? I don't understand that.
    > Fri 2005-04-01 04:55:55: <-- Content-Length: 3384
    > Fri 2005-04-01 04:55:55: --> 500 What? I don't understand that.
    > Fri 2005-04-01 04:55:55: <-- Content-Type: text/plain
    > Fri 2005-04-01 04:55:55: Too many errors encountered
    > Fri 2005-04-01 04:55:55: SMTP session terminated (Bytes in/out: 3473/178)

    That's not an "attack", but a scan for an open http proxy running on your
    SMTP port.

    You could try contacting abuse@ the ISPs owning the IP scanning or just
    put it down to the typical background noise on the internet these days and
    quite happily ignore it. I run the same mail server as you do, and over
    the last 2.5 years I've not had any adverse effects from a proxy scanner
    hitting it.

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
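
Added example, not part of the original post or of the mail server's own tooling: a small parser for the log layout quoted above that flags SMTP sessions opened with an HTTP request line, the pattern the reply identifies as an open-proxy scan. `find_http_probes` and `SAMPLE_LOG` are hypothetical names, the last four sample lines are constructed, and sessions are assumed not to be interleaved in the log.

```python
import re

# Layout from the quoted log: "<day> <date> <time>: [<--|-->] text".
# "<--" is a client line, "-->" the server reply. Assumption: no interleaved sessions.
LINE_RE = re.compile(r"^\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?:(<--|-->) )?(.*)$")
# An HTTP request line (METHOD target HTTP/x.y) is never a valid SMTP command.
HTTP_REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|CONNECT|OPTIONS) \S+ HTTP/\d\.\d$")

# First 9 lines: the session quoted in the post. Last 4: constructed benign session.
SAMPLE_LOG = """\
Fri 2005-04-01 04:55:55: <-- POST / HTTP/1.0
Fri 2005-04-01 04:55:55: --> 500 What? I don't understand that.
Fri 2005-04-01 04:55:55: <-- Host: combine.com:25
Fri 2005-04-01 04:55:55: --> 500 What? I don't understand that.
Fri 2005-04-01 04:55:55: <-- Content-Length: 3384
Fri 2005-04-01 04:55:55: --> 500 What? I don't understand that.
Fri 2005-04-01 04:55:55: <-- Content-Type: text/plain
Fri 2005-04-01 04:55:55: Too many errors encountered
Fri 2005-04-01 04:55:55: SMTP session terminated (Bytes in/out: 3473/178)
Fri 2005-04-01 05:10:02: <-- EHLO mail.example.org
Fri 2005-04-01 05:10:02: --> 250 Hello
Fri 2005-04-01 05:10:03: <-- QUIT
Fri 2005-04-01 05:10:03: SMTP session terminated (Bytes in/out: 30/60)
""".splitlines()

def find_http_probes(lines):
    """Return one record per SMTP session that the client opened with an HTTP request."""
    findings, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, direction, text = m.groups()
        if direction == "<--":
            req = HTTP_REQUEST_RE.match(text)
            if req and current is None:
                current = {"start": ts, "method": req.group(1), "host": None, "rejected": 0}
            elif current and text.lower().startswith("host:"):
                current["host"] = text.split(":", 1)[1].strip()
        elif direction == "-->" and current and text.startswith("5"):
            current["rejected"] += 1  # server answered the HTTP line with a 5xx error
        elif direction is None and current and text.startswith("SMTP session terminated"):
            findings.append(current)
            current = None
    if current:
        findings.append(current)  # log ended before the session was closed
    return findings

if __name__ == "__main__":
    print(find_http_probes(SAMPLE_LOG))
```

A `rejected` count equal to the number of HTTP lines sent means the server refused every one of them, which matches the harmless outcome described in the reply.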
    
