Security Incidents mailing list archives
Re: VRFY 000.000@my.domain
From: ben () ION AS UTEXAS EDU (Ben Laws)
Date: Tue, 23 May 2000 14:02:35 -0500
As for who they are...
telnet rwhois.exodus.net 4321
Trying 206.79.240.13...
Connected to ns3.exodus.net.
Escape character is '^]'.
%rwhois V-1.5:003fff:00 rwhois.exodus.net (by Network Solutions, Inc. V-1.5.3)
216.35.49.170
network:Auth-Area:216.35.0.0/16
network:Class-Name:network
network:Network-Name:216.35.49.128
network:IP-Network:216.35.49.128/25
network:Organization;I:Chris Manteria
network:Address-1;I:162 Milbar Blvd.
network:Address-2;I:Farmingdale , NY 11735
network:Created:99-SEP-17
network:Updated-By:raj

network:Auth-Area:216.35.0.0/16
network:Class-Name:network
network:Network-Name:216.35.49.0
network:IP-Network:216.35.49.0/24
network:Organization;I:Exodus Communications Inc.
network:Address-1;I:2650 San Tomas Expressway
network:Address-2;I:Santa Clara, CA 95051
network:Created:99-SEP-17
network:Updated-By:raj
%ok
Connection closed by foreign host.

Guess there's always snail mail! ;-)

Ben

Lisa Saarloos wrote:
Hello,

Got the same messages in the logs here, seems to be something automated...
Although it's being rejected, I still want to know what it is and where it's
coming from...

Apr 25 18:34:15 ourhost sendmail[1741]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 000.000 () domain1 nl [rejected]
Apr 26 05:18:19 ourhost sendmail[6412]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 000.000 () domain2 nl [rejected]
May 3 17:01:40 ourhost sendmail[20558]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 00000096 () domain1 nl [rejected]
May 4 02:25:08 ourhost sendmail[26770]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 00000096 () domain2 nl [rejected]
May 12 05:53:12 ourhost sendmail[9647]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 00000219 () domain1 nl [rejected]
May 12 16:02:02 ourhost sendmail[28276]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 00000219 () domain2 nl [rejected]
May 19 22:05:52 ourhost sendmail[5763]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 0000041802 () domain1 nl [rejected]
May 20 06:24:15 ourhost sendmail[8580]: NOQUEUE: IDENT:root@[216.35.49.170]: VRFY 0000041802 () domain2 nl[rejected]

jamie

| -----Original Message-----
| From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
| Behalf Of Mark Tinberg
| Sent: Monday, 22 May 2000 16:52
| To: INCIDENTS () SECURITYFOCUS COM
| Subject: Re: VRFY 000.000@my.domain
|
|
| I saw something like this awhile ago, from some server in an
| Exodus facility. Possibly some network analyzer?
|
| Here is the snippet from my old logs.
|
| May 1 04:10:53 mail sendmail[17672]: NOQUEUE: [216.35.49.170]: VRFY 00000096@madison.tec.wi.us [rejected]
| Apr 27 09:26:12 mail sendmail[7261]: NOQUEUE: [216.35.49.170]: VRFY 0000005580@madison.tec.wi.us [rejected]
| Apr 18 20:20:39 mail sendmail[6359]: NOQUEUE: [216.35.49.170]: VRFY 0-pony-0@madison.tec.wi.us [rejected]
| Apr 22 22:57:33 mail sendmail[32653]: NOQUEUE: [216.35.49.170]: VRFY 000.000@madison.tec.wi.us [rejected]
|
| >>> Eduardo Escalante 05/22/00 03:40 AM >>>
| I recently got a few times some odd security alerts:
|
| VRFY 000.000@my.domain
| VRFY 00000096@my.domain
| VRFY 000001@my.domain
| VRFY 00000219@my.domain
| VRFY 0000028252@my.domain
|
| Different days from the same IP. I doubt they were looking
| for valid users and half suspect some sort of weird Internet
| tool (ala 3DNS). Maybe it is checking for a trojan?
|
| Similar logs or info about it (or guesses ;) appreciated.
|
--
"Open source software -- with no walls or fences, who needs Windows and Gates?"
Sign the Linux Driver Petition http://www.libranet.com/petition.html
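One way to triage entries like those quoted in this thread, as an added example that is not from any of the posters: it groups rejected VRFY lines by source IP and lists sources that come back on several days. The sample lines and addresses are constructed, the function names, the `year` default and the `min_days` threshold are assumptions, and it expects the log as sendmail writes it (with `@` in the address, not the archive's ` () ` obfuscation).

```python
import re
from collections import defaultdict
from datetime import datetime

# "<Mon> <day> <time> <host> sendmail[<pid>]: NOQUEUE: [IDENT:user@][<ip>]: VRFY <arg> [rejected]"
VRFY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sendmail\[\d+\]: "
    r"NOQUEUE: (?:IDENT:(?P<ident>[^@\s]+)@)?\[(?P<ip>[0-9.]+)\]: "
    r"VRFY (?P<arg>\S+) \[rejected\]$"
)

# Constructed sample input (documentation addresses, not data from the thread).
SAMPLE_LOG = """\
Apr 25 18:34:15 mx1 sendmail[1741]: NOQUEUE: IDENT:root@[192.0.2.10]: VRFY 000.000@example.org [rejected]
Apr 26 05:18:19 mx1 sendmail[6412]: NOQUEUE: IDENT:root@[192.0.2.10]: VRFY 000.000@example.net [rejected]
May  3 17:01:40 mx1 sendmail[20558]: NOQUEUE: [192.0.2.10]: VRFY 00000096@example.org [rejected]
May  3 17:02:11 mx1 sendmail[20561]: NOQUEUE: [198.51.100.7]: VRFY postmaster@example.org [rejected]
May  4 09:00:00 mx1 sendmail[20999]: AA12345: from=<a@example.com>, size=512, class=0
"""

def summarize_vrfy(log_text, year=2000):
    """Group rejected VRFY probes by source IP. `year` is assumed: syslog omits it."""
    sources = defaultdict(lambda: {"count": 0, "args": set(), "domains": set(),
                                   "days": set(), "idents": set()})
    for line in log_text.splitlines():
        m = VRFY_RE.match(line.strip())
        if not m:
            continue  # not a rejected VRFY line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = sources[m["ip"]]
        s["count"] += 1
        s["args"].add(m["arg"])
        _, at, domain = m["arg"].rpartition("@")
        if at:  # VRFY may also be sent with a bare local part
            s["domains"].add(domain.lower())
        s["days"].add(when.date())
        if m["ident"]:
            s["idents"].add(m["ident"])
    return dict(sources)

def recurring_probers(sources, min_days=2):
    """Source IPs seen sending VRFY on at least `min_days` distinct days."""
    return sorted(ip for ip, s in sources.items() if len(s["days"]) >= min_days)

if __name__ == "__main__":
    summary = summarize_vrfy(SAMPLE_LOG)
    for ip in recurring_probers(summary):
        s = summary[ip]
        print(ip, s["count"], sorted(s["args"]), sorted(s["domains"]), len(s["days"]), "days")
```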
Current thread:
- VRFY 000.000@my.domain Eduardo Escalante (May 19)
- <Possible follow-ups>
- Re: VRFY 000.000@my.domain Mark Tinberg (May 22)
- Re: VRFY 000.000@my.domain Lisa Saarloos (May 23)
- Re: VRFY 000.000@my.domain Ben Laws (May 23)