Rich Puhek <rpuhekat_private> wrote asking:

>Has anyone else noticed an upswing in port 25 probes over the last few days?

They aren't very common hereabouts, but I am seeing a few. Six months ago there weren't any, and there hadn't been any literally for years.

>I'm seeing fairly large quantities of connections to port 25 (on the
>order of one every several seconds) with no real SMTP transactions
>(logged by sendmail as "... did not issue MAIL/XPN/VRFY/ETRN during
>connection to MTA")

That's what the old "null connection" error looks like in newer versions of Sendmail.

>Perhaps something's probing for servers vulnerable to the recent sendmail
>problems?

Or looking for an open relay. There are probably too many of them still out there.

>A quick look with ngrep seems to show that a typical connection doesn't
>send any data, just connects to port 25 and goes away.

Yes. You can duplicate the log message by telnetting to port 25 on a machine running Sendmail, and then closing the connection without issuing any commands. This will show you what the scanner is getting out of that null connection -- the version of Sendmail you're running.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
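
An added example, not part of the original post: one way to tally the null connections discussed above per source address, so that repeat probers stand out from one-off dropped connections. The sample log lines are constructed, and their layout (queue ID, optional host name, bracketed IPv4 address, then the message) is an assumption about the local syslog format.

```python
import re
from collections import Counter

# Constructed sample syslog lines (addresses are from documentation ranges).
SAMPLE_LOG = """\
Apr  4 10:15:01 mail sendmail[2101]: h34IF1x02101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 10:15:07 mail sendmail[2102]: h34IF7x02102: scan.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 10:15:09 mail sendmail[2103]: h34IF9x02103: from=<a@example.org>, size=812, class=0, nrcpts=1, relay=mx.example.org [198.51.100.7]
Apr  4 10:15:13 mail sendmail[2104]: h34IFDx02104: [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr  4 10:16:40 mail sendmail[2105]: h34IGex02105: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Bracketed IPv4 address followed by the null-connection message.
# The command list is matched loosely (\S+) so variations in how it is
# spelled in a given log still match. "[2101]" after "sendmail" is skipped
# because it contains no dots.
NULL_CONN = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\][^\[\]]*"
    r"did not issue \S+ during connection to (?P<daemon>\S+)"
)


def null_connections(log_text):
    """Count null connections per source IP in sendmail syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        match = NULL_CONN.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def repeat_probers(log_text, threshold=3):
    """Return the source IPs with at least `threshold` null connections."""
    counts = null_connections(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in null_connections(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
    print("repeat probers:", repeat_probers(SAMPLE_LOG))
```
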
This archive was generated by hypermail 2b30 : Sat Apr 05 2003 - 09:32:53 PST