Re: SMTP probes

From: Neil Dickey (neil@geol.niu.edu)
Date: 04/05/03

    Date: Fri, 4 Apr 2003 23:09:04 -0600 (CST)
    From: Neil Dickey <neil@geol.niu.edu>
    To: incidents@securityfocus.com, rpuhek@etnsystems.com
    
    

    Rich Puhek <rpuhek@etnsystems.com> wrote asking:

    >Has anyone else noticed an upswing in port 25 probes over the last few days?

    They aren't very common hereabouts, but I am seeing a few. Six months
    ago there weren't any, and there hadn't been any literally for years.

    >I'm seeing fairly large quantities of connections to port 25 (on the
    >order of one every several seconds) with no real SMTP transactions
    >(logged by sendmail as "... did not issue MAIL/XPN/VRFY/ETRN during
    >connection to MTA")

    That's what the old "null connection" error looks like in newer versions
    of Sendmail.

    >Perhaps something's probing for servers vulnerable to the recent sendmail
    >problems?

    Or looking for an open relay. There are probably too many of them still
    out there.

    >A quick look with ngrep seems to show that a typical connection doesn't
    >send any data, just connects to port 25 and goes away.

    Yes. You can duplicate the log message by telnetting to port 25 on
    a machine running Sendmail, and then closing the connection without
    issuing any commands. This will show you what the scanner is getting
    out of that null connection -- the version of Sendmail you're running.

    Best regards,

    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
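    A defender-side illustration of the two points made above (the "did not issue MAIL/EXPN/VRFY/ETRN" log line as a scanner signature, and the version string a null connection hands back in the greeting banner). This is an added example, not code from the original thread; the log lines and banner strings are constructed, and the regexes assume the usual Sendmail syslog layout (`sendmail[pid]: queueid: [host] [ip] ...`).

    ```python
    import re
    from collections import Counter

    # Constructed sample syslog lines in Sendmail's format (not taken from the thread).
    # One host opens and drops three connections in a row without issuing a command;
    # a second host does it once; one line is an ordinary delivery and must not match.
    SAMPLE_LOG = """\
    Apr  4 22:58:01 mailhost sendmail[4011]: h354w1k004011: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Apr  4 22:58:07 mailhost sendmail[4015]: h354w7k004015: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Apr  4 22:58:13 mailhost sendmail[4019]: h354wDk004019: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    Apr  4 22:59:40 mailhost sendmail[4023]: h354xek004023: from=<alice@example.net>, size=1320, class=0, nrcpts=1, relay=mx.example.net [198.51.100.7]
    Apr  4 23:01:02 mailhost sendmail[4031]: h3551225004031: desktop.example.org [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
    """

    # Null-connection message; the hostname before the bracketed IP is optional
    # (Sendmail omits it when reverse DNS fails).  "MAIL/\S+" tolerates the
    # EXPN/XPN spelling difference seen in the quoted log excerpt.
    NULL_CONN = re.compile(
        r"sendmail\[\d+\]: (?P<qid>\w+): (?:(?P<host>\S+) )?\[(?P<ip>[\d.]+)\] "
        r"did not issue MAIL/\S+ during connection to MTA"
    )

    # Default Sendmail greeting ($j Sendmail $v/$Z; $b) leaks the version here.
    BANNER_VERSION = re.compile(r"\bSendmail (?P<ver>\d+\.\d+\.\d+)")


    def null_connections(log_text):
        """Count null connections per source IP from sendmail syslog text."""
        counts = Counter()
        for line in log_text.splitlines():
            m = NULL_CONN.search(line)
            if m:
                counts[m.group("ip")] += 1
        return counts


    def flag_scanners(counts, threshold=3):
        """Source IPs with at least `threshold` null connections, busiest first."""
        return [ip for ip, n in counts.most_common() if n >= threshold]


    def banner_version(banner_line):
        """Version string a 220 greeting discloses, or None if it has been
        trimmed (e.g. via confSMTP_LOGIN_MSG in the m4 configuration)."""
        m = BANNER_VERSION.search(banner_line)
        return m.group("ver") if m else None


    if __name__ == "__main__":
        hits = null_connections(SAMPLE_LOG)
        print("null connections per source:", dict(hits))
        print("likely scanners:", flag_scanners(hits))
        print("banner leaks:", banner_version("220 mailhost ESMTP Sendmail 8.12.8/8.12.8; Fri, 4 Apr 2003"))
    ```
    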



