Re: New spam-probing wave?

From: Jeff Kell (jeff-kellat_private)
Date: Thu Jan 23 2003 - 14:47:18 PST


    Patrick Oonk wrote:
    > 
    > Hi,
    > 
    > I get lots of probes for email addresses at some of my mailservers.
    > It seems people are probing the MX-es of domains they get from
    > the registries, and then try a list of accounts, to see if they exist,
    > so they can be spammed in the future. I probed some of the (now blocked)
    > offending hosts, and a lot of them run open proxies, so I suspect they
    > are being used as an intermediate.  It seems the probes are coordinated
    > in some way, as if I block one offender, a few moments later the probes
    > appear from another host.
    
    Haven't seen this first-hand, but some well-known spam sources have 
    been scanning our subnets for relays/proxies, and the scanning is 
    targeted to our address spaces (widely spaced apart).  Block one, and
    another(s) reappear shortly thereafter.  They will probe ports 25, 80,
    1080, 3128, 8000, and 8080 of each address.  And it has been constant
    for weeks now.  The scans are relatively slow, and somewhat randomized
    (at least non-sequential), but persistent.
    
    The worst offender is 138.121.23/24, a newer source is 200.30.203.160.
    Others come and go, but the first one has been at it since before 
    Christmas.
    
    Jeff
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
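
An added detection sketch for the scan pattern described in this message (not part of the original thread): it groups firewall log entries by source /24 and flags networks that touch several of the listed relay/proxy ports on several targets, with no rate threshold because the scans are slow. The log format, the thresholds, the /24 grouping, and all addresses in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports named in the post: SMTP relay plus common open-proxy ports.
PROBE_PORTS = {25, 80, 1080, 3128, 8000, 8080}

# Constructed sample log; the "<epoch> <src> <dst> <dport>" format is assumed.
SAMPLE_LOG = """\
1043300000 192.0.2.10 10.1.4.20 3128
1043303600 198.51.100.5 10.1.0.25 25
1043307200 192.0.2.10 10.9.2.7 25
1043314400 192.0.2.77 10.1.4.20 8080
1043318000 203.0.113.9 10.1.0.80 80
1043325200 192.0.2.77 10.5.8.3 1080
1043328800 198.51.100.5 10.1.0.25 25
1043336000 192.0.2.10 10.5.8.3 80
1043339600 203.0.113.9 10.1.0.81 80
garbled line
1043343200 192.0.2.10 10.9.2.7 443
"""

def parse(log):
    """Yield (ts, src, dst, dport), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (int(parts[0]), ipaddress.IPv4Address(parts[1]),
                   ipaddress.IPv4Address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def find_proxy_scanners(log, min_ports=4, min_hosts=2):
    # No rate threshold: the whole log is one window; only breadth counts.
    seen = defaultdict(lambda: {"ports": set(), "hosts": set(), "ts": []})
    for ts, src, dst, dport in parse(log):
        if dport not in PROBE_PORTS:
            continue
        net = str(ipaddress.ip_network(f"{src}/24", strict=False))
        seen[net]["ports"].add(dport)
        seen[net]["hosts"].add(dst)
        seen[net]["ts"].append(ts)
    return {
        net: {"ports": sorted(s["ports"]), "hosts": len(s["hosts"]),
              "span_s": max(s["ts"]) - min(s["ts"])}
        for net, s in seen.items()
        if len(s["ports"]) >= min_ports and len(s["hosts"]) >= min_hosts
    }
```

In the sample, neither 192.0.2.10 nor 192.0.2.77 reaches the port threshold alone; only the per-network grouping surfaces them, while the single-port mail and web sources stay unflagged.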
    


