Re: [Shorewall-users] SMTP Exploits?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thursday 22 August 2002 06:47 am, Magnus Stenman wrote:
> Probably spammers
>

I think this is something different. From "shorwall hits"

   HITS  PORT SERVICE(S)
   ---- ----- ----------
    844    25 smtp
     75    80 http
     33    21 ftp
     19  1080 socks
     16   111 sunrpc
     13   500 isakmp
     13   137 netbios-ns
      9  8080 webcache
      8   445 microsoft-ds
      8  3128 squid
      8    22 ssh
      6    81
      6   139 netbios-ssn
      4 50388
      3    53 domain
      2 54086
      2 43053
      2 32768
      1  1551

I don't log MS Sql Server hits.

=46rom my mail server log summary:

    Relay access denied
           2   222.333.444.555
           1   666.777.888.999

So I got 844 connection attempts against the 4 IP addresses that don't ha=
ve=20
SMTP servers yet I get only three relay attempts and no decernable increa=
se=20
in the amount of SPAM on the one address that does run an SMTP server.

Steve Cowles has suggested that they may be looking to expoit the buffer=20
overrun in the DNS resolver library that is described in CERT advisory=20
CA-2002-19.

-Tom
--=20
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ te...@sh...