Re: SMTP server (How can I find out the real source of an attack)

• Previous message: Bojan Zdrnja: "RE: strange qmail actions"
• In reply to: MrG: "SMTP server (How can I find out the real source of an attack)"
• Next in thread: Pavel Kankovsky: "Re: SMTP server (How can I find out the real source of an attack)"
• Next in thread: Mike Batchelor: "RE: SMTP server (How can I find out the real source of an attack)"
• Reply: Pavel Kankovsky: "Re: SMTP server (How can I find out the real source of an attack)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 12 Jul 2001 15:53:36 PDT, MrG <p2mask2_xtiat_private>  said:
> 1.I have a SMTP server (behind my FW) who constantly
> (>7 times per second) is trying to establish a TCP=25

> I know that my SMTP server  has been compromise but

How do you *know* it's been compromised?

I've seen multiple systems that don't understand the meaning of "required
delay before retry" as per RFC1123 - systems that in their normally broken
state will retry over and over and over.  I can sympathize with your
7x/sec - I once got hit by something that retried 10x/sec for about 2 days
before I finally found the owner and chastised them....

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

• application/pgp-signature attachment: stored

• Next message: Vitaly Osipov: "Re: Unicode Logs with Ping Activity"
• Previous message: Bojan Zdrnja: "RE: strange qmail actions"
• In reply to: MrG: "SMTP server (How can I find out the real source of an attack)"
• Next in thread: Pavel Kankovsky: "Re: SMTP server (How can I find out the real source of an attack)"
• Next in thread: Mike Batchelor: "RE: SMTP server (How can I find out the real source of an attack)"
• Reply: Pavel Kankovsky: "Re: SMTP server (How can I find out the real source of an attack)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:48:15 PDT