New mail scanner?

From: Jeff Kell (jeff-kellat_private)
Date: Fri Aug 08 2003 - 23:10:36 PDT

    For the last couple of days we have been continually probed for SMTP 
    services from several addresses, but the unique part of the scanning is 
    that the source port is always zero.  e.g.,
    
    > Aug  9 00:25:24.502 EDT: %SEC-6-IPACCESSLOGP: list ingress denied tcp 171.75.197.194(0) -> xxx.xxx.xxx.68(25), 1 packet
    > Aug  9 00:32:27.606 EDT: %SEC-6-IPACCESSLOGP: list ingress denied tcp 67.64.156.215(0) -> xxx.xxx.xxx.121(25), 1 packet
    
    (Actual sources)
    
    Anyone else seeing this?  I don't have a honeypot to capture what they 
    are looking for, but it doesn't look encouraging.
    
    Jeff
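
Added example, not part of the original post: one way to pull denied TCP probes with source port 0 out of `%SEC-6-IPACCESSLOGP` lines like the two quoted above and total them per source. The log lines are constructed (documentation-range addresses), and the function names and the default filter of destination port 25 are assumptions for illustration.

```python
import re

# Constructed sample in the %SEC-6-IPACCESSLOGP format quoted in the post.
# Addresses are documentation ranges, not the sources named in the post.
SAMPLE_LOG = """\
Aug  9 00:25:24.502 EDT: %SEC-6-IPACCESSLOGP: list ingress denied tcp 192.0.2.10(0) -> 198.51.100.68(25), 1 packet
Aug  9 00:26:01.117 EDT: %SEC-6-IPACCESSLOGP: list ingress denied tcp 203.0.113.7(4312) -> 198.51.100.68(445), 1 packet
Aug  9 00:32:27.606 EDT: %SEC-6-IPACCESSLOGP: list ingress denied tcp 192.0.2.10(0) -> 198.51.100.121(25), 3 packets
Aug  9 00:33:40.020 EDT: %SEC-6-IPACCESSLOGP: list ingress permitted udp 203.0.113.9(0) -> 198.51.100.5(53), 1 packet
Aug  9 00:34:02.000 EDT: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# [\w.]+ for addresses so masked hosts such as xxx.xxx.xxx.68 still parse.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse(line):
    """Return the fields of one IPACCESSLOGP line, or None for other messages."""
    m = LOGP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def zero_sport_probes(text, proto="tcp", dport=25):
    """Map each source to packet total and targets for denied sport-0 traffic."""
    hits = {}
    for line in text.splitlines():
        rec = parse(line)
        if not rec or rec["action"] != "denied" or rec["proto"] != proto:
            continue
        if rec["sport"] != 0 or (dport is not None and rec["dport"] != dport):
            continue
        entry = hits.setdefault(rec["src"], {"packets": 0, "targets": set()})
        entry["packets"] += rec["count"]  # one log line can summarise many packets
        entry["targets"].add(rec["dst"])
    return hits

if __name__ == "__main__":
    for src, info in sorted(zero_sport_probes(SAMPLE_LOG).items()):
        print(src, info["packets"], "packets ->", sorted(info["targets"]))
```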
    
    This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 11:04:18 PDT