> > It's a trade. If you drop the auth attempts silently, you usually then
> > have to wait for the attempts to time out before whatever you did to
> > prompt the auth attempt can proceed. If you send a RST or
> > ICMP-unreachable, you don't have to wait for the time out.
> >
> > In this case, it's someone's mail server getting the auth connection
> > attempt. Everyone knows where everybody else's mail servers are
> > (receiving hubs have MX records, senders are in the mail
> > headers). Sending RSTs on port 113 is just telling the world that you
> > don't want their auth requests; you are not really giving anything
> > away to an intruder.

It almost would be nice if we could get a stateful module for iptables and other firewall systems that allows us to send rst or icmp-port-unreachable to sites we connect to for mail, etc... and drop for others.

--brian

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
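
The behaviour wished for in the message above can be approximated with the iptables `recent` match, which remembers addresses across packets. This is an added example, not part of the original post; the list name `smtp_peers`, the function name `ident_rules` and the 60-second default window are assumptions.

```shell
#!/bin/sh
# Added example: answer ident (113/tcp) probes with a TCP RST only when they
# come from a host we just opened an SMTP connection to; drop all others.
# Assumptions: this host is the mail sender itself (OUTPUT/INPUT chains; a
# gateway would use FORWARD), list name smtp_peers, default window 60 s.
# The recent list holds a limited number of addresses (xt_recent module
# parameter ip_list_tot, default 100), so a busy relay needs it raised.

# Print the rules in iptables-restore format.
# $1 = seconds a mail peer stays eligible for a RST after our SMTP SYN.
ident_rules() {
    window="${1:-60}"
    # Accept only a plain decimal number so nothing else reaches the ruleset.
    case "$window" in
        ''|*[!0-9]*) echo "window must be a number of seconds" >&2; return 1 ;;
    esac
    # Rule 1: remember the destination of every outbound SMTP SYN.
    # Rule 2: ident SYN from a remembered address gets an immediate RST.
    # Rule 3: ident SYN from anyone else is dropped silently.
    cat <<EOF
*filter
-A OUTPUT -p tcp --dport 25 --syn -m recent --name smtp_peers --set --rdest
-A INPUT -p tcp --dport 113 --syn -m recent --name smtp_peers --rcheck --seconds $window --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 113 --syn -j DROP
COMMIT
EOF
}

# Load the rules only when explicitly asked: ./ident-rules.sh apply [seconds]
if [ "${1:-}" = "apply" ]; then
    rules="$(ident_rules "${2:-60}")" || exit 1
    printf '%s\n' "$rules" | iptables-restore --noflush
fi
```

Running the script without arguments changes nothing; `apply` appends the three rules to the existing filter table without flushing it.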
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 20:31:03 PST