Re: strange SMTP traffic from Korea
From: sponge (yosponge_at_yahoo.com)
Date: 12/07/03
- Next message: Mike: "Re: PGP and self-extracting files"
- Previous message: sponge: "Re: Writing Keys to Registry"
- Maybe in reply to: Barry Margolin: "Re: strange SMTP traffic from Korea"
- Next in thread: sponge: "Re: strange SMTP traffic from Korea"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 7 Dec 2003 02:22:07 -0800
Damian Menscher <menscher+security@uiuc.edu> wrote in message news:<bpppao$t6v$1@news.ks.uiuc.edu>...
> I tried posting this to the incidents list a few weeks ago, but the
> moderator didn't find it worthy. Our local security people don't
> speak Korean, so they say there's nothing they can do. So, I'm
> asking for help here:
>
> Since Oct 13 we've been seeing some rather unusual traffic from
> various IPs in Korea (list below). It was leaving logs like the
> following:
>
> NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> Eventually I decided to see exactly what they were doing by running
> a packet sniffer, and found they're connecting, getting the banner,
> saying "HELO local", getting the "pleased to meet you...", and then
> saying QUIT. They do this about once every 3 seconds for several
> minutes, then they're silent for a while.
>
> It doesn't seem like it's a single misconfigured machine, because
> the traffic comes from several machines:
>
>   # of
> attacks   Source IP
>    1092   [203.236.93.102]
>     858   [203.236.93.111]
>    1748   [203.236.93.114]
>    3834   [203.236.93.15]
>      18   [203.236.93.16]
>   11624   [203.236.96.153]
>    2119   [203.236.96.164]
>     428   [203.236.96.169]
>    5077   [203.236.96.177]
>    1220   [203.236.96.179]
>    2940   [203.236.96.181]
>    1047   [203.236.96.230]
A lot of spam has been running off of KORNET. They have a (relatively)
decent track record at dealing with it. It's pretty much a must if you
run any kind of mail server, unless it is so secure you're willing to
bet a month's pay on it. And if you have any users that like to
execute attachments from emails, well, then even a bullet-proof mail
server isn't much help.
As much as I dislike it, I just filter all traffic from Asia, and
recommend that to my clients. Korea pops up as a real problem but they
do get a handle on it eventually. The same can't be said for Chinanet,
with, from my observations, about 80-85% of spam either being relayed
from there or being hosted there. If you need to be able to work with
any of those networks, then filtering the specific blocks you mention
is your next best option, and you'll just have to keep your eyes
peeled for the next time.
Or set up a honeypot...
Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 att yahoo dott com
61/8, 202/7, 210/7, 212/8, 217/8, 218/7, 220/7
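The thread boils down to two defender tasks: count the "did not issue MAIL/EXPN/VRFY/ETRN" sendmail events per source so the noisy clients stand out (the per-IP table Damian posted), and decide whether a source falls inside a block you have chosen to filter. The script below is an added example, not code from either poster. It assumes the log line format exactly as quoted in the thread, prefixed with an ordinary syslog timestamp; the sample log lines are constructed (the timestamps, hostname and PIDs are invented, two of the addresses are taken from the table above, the third is a documentation address), and the 3-events-per-minute burst threshold is an assumed starting point, not a value the thread gives.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# The sendmail log line quoted in the thread. The bracketed address is the
# connecting client; the message means it connected, spoke a little SMTP, and
# disconnected without ever starting a mail transaction.
NOQUEUE_RE = re.compile(
    r"NOQUEUE: \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
)
# Leading syslog timestamp, e.g. "Dec  7 02:10:01" (assumed log layout).
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

# Constructed sample log (not from the original post).
SAMPLE_LOG = """\
Dec  7 02:10:01 mta sendmail[4101]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  7 02:10:04 mta sendmail[4102]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  7 02:10:05 mta sendmail[4103]: hB7AA5xx004103: from=<alice@example.org>, size=512, class=0, nrcpts=1, relay=[192.0.2.10]
Dec  7 02:10:07 mta sendmail[4104]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  7 02:10:10 mta sendmail[4105]: NOQUEUE: [203.236.96.179] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  7 02:11:30 mta sendmail[4106]: NOQUEUE: [203.236.93.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  7 02:11:33 mta sendmail[4107]: NOQUEUE: [203.236.93.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec  7 02:15:00 mta sendmail[4108]: NOQUEUE: [192.0.2.77] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def count_noqueue(lines):
    """Count 'did not issue MAIL' events per connecting IP (the thread's table)."""
    counts = Counter()
    for line in lines:
        m = NOQUEUE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def flag_sources(counts, threshold):
    """Return (ip, count) pairs at or above threshold, busiest first."""
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def summarize_by_prefix(counts, prefixlen=24):
    """Roll per-IP counts up into /prefixlen networks to see which ranges are noisy."""
    nets = Counter()
    for ip, n in counts.items():
        nets[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return nets


def parse_events(lines):
    """Return sorted (timestamp, ip) pairs for NOQUEUE lines with a timestamp."""
    events = []
    for line in lines:
        m = NOQUEUE_RE.search(line)
        ts = TS_RE.match(line)
        if m and ts:
            # Syslog carries no year; strptime defaults to 1900, fine for spacing.
            events.append((datetime.strptime(ts.group(1), "%b %d %H:%M:%S"), m.group("ip")))
    return sorted(events)


def find_bursts(events, window_seconds=60, min_events=3):
    """IPs with at least min_events connections inside any window_seconds span.

    This is the 'once every few seconds for several minutes' pattern described
    in the thread, measured with a per-IP sliding window.
    """
    by_ip = {}
    for when, ip in events:
        by_ip.setdefault(ip, []).append(when)
    bursty = {}
    for ip, times in by_ip.items():
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_events:
            bursty[ip] = best
    return bursty


def matches_filter(ip, blocks):
    """True if ip lies inside any CIDR block of a candidate filter list."""
    addr = ip_address(ip)
    return any(addr in ip_network(b) for b in blocks)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts = count_noqueue(lines)
    for ip, n in flag_sources(counts, threshold=2):
        print(f"{n:6d}  [{ip}]")
    print(summarize_by_prefix(counts))
    print(find_bursts(parse_events(lines)))
```

Run it against a real maillog with `count_noqueue(open("/var/log/maillog"))` and raise the thresholds to suit your volume; `find_bursts` is the useful discriminator, since a single misconfigured client tends to reconnect slowly while the pattern in the thread shows up as tight clusters of connections from each address.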