> Original message:
> From: Rich Puhek <rpuhekat_private>
> To: incidentsat_private <incidentsat_private>
> Date: Saturday, April 5, 2003, 7:22:23 AM
> Subject: SMTP probes
>
> Has anyone else noticed an upswing in port 25 probes over the last few days?
>
> I'm seeing fairly large quantities of connections to port 25 (on the
> order of one every several seconds) with no real SMTP transactions
> (logged by sendmail as "... did not issue MAIL/XPN/VRFY/ETRN during
> connection to MTA")
>
> Perhaps something's probing for servers vulnerable to the recent sendmail
> problems?
>
> A quick look with ngrep seems to show that a typical connection doesn't
> send any data, just connects to port 25 and goes away.

Although I didn't see any more empty SMTP connections on my servers than usual, this indicates at least banner grabbing. On unchanged installations, most SMTP servers will paste their version and/or the version of the configuration file.

I suggest removing this from the configuration file (it can be done easily with all popular SMTP servers). Also, if you use Sendmail, do remember to remove the version from other places (i.e. when executing the HELP command, which will usually print the Sendmail version - most administrators forget to remove this).

Best regards,

Bojan Zdrnja
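A check for the disclosure described in the reply above, added here as an example and not part of the original thread: it parses SMTP replies such as the greeting and the HELP output, and reports any product names and version strings they reveal. The sample replies, the product list and the function names are constructed assumptions.

```python
import re

# Constructed sample replies (not captured from any real server).
DEFAULT_GREETING = ("220 mail.example.com ESMTP Sendmail 8.12.8/8.12.8; "
                    "Sat, 5 Apr 2003 07:22:23 -0800\r\n")
HARDENED_GREETING = "220 mail.example.com ESMTP\r\n"
DEFAULT_HELP = ("214-2.0.0 This is sendmail version 8.12.8\r\n"
                "214-2.0.0 Topics:\r\n"
                "214-2.0.0 \tHELO\tEHLO\tMAIL\tRCPT\tDATA\r\n"
                "214 2.0.0 End of HELP info\r\n")

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
# Enhanced status codes (e.g. "2.0.0") look like versions, so strip them first.
ENHANCED_STATUS = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}(?:\s+|$)")
# Dotted version, optionally "binary/config" as in a default Sendmail greeting.
VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)*(?:/\d+\.\d+(?:\.\d+)*)?")
# Assumed, non-exhaustive list of MTA names worth flagging.
PRODUCTS = re.compile(r"\b(sendmail|postfix|exim|qmail|exchange)\b", re.I)


def parse_reply(raw):
    """Split one SMTP reply into (code, text lines); 'NNN-' marks continuation."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError("not an SMTP reply line: %r" % line)
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed mid-reply")
        code = m.group(1)
        texts.append(ENHANCED_STATUS.sub("", m.group(3)))
        if m.group(2) == " ":  # 'NNN ' is the final line of the reply
            break
    return code, texts


def disclosures(raw):
    """Return the sorted product names and version strings a reply reveals."""
    _, texts = parse_reply(raw)
    found = set()
    for text in texts:
        found.update(p.lower() for p in PRODUCTS.findall(text))
        found.update(VERSION.findall(text))
    return sorted(found)


if __name__ == "__main__":
    for name, raw in [("greeting (default)", DEFAULT_GREETING),
                      ("greeting (hardened)", HARDENED_GREETING),
                      ("HELP (default)", DEFAULT_HELP)]:
        print(name, "->", disclosures(raw) or "nothing disclosed")
```
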
This archive was generated by hypermail 2b30 : Sat Apr 05 2003 - 09:39:29 PST