Re: VRFY 000.000@my.domain

[ben () ION AS UTEXAS EDU (Ben Laws)]

As for who they are...

> telnet rwhois.exodus.net 4321
Trying 206.79.240.13...
Connected to ns3.exodus.net.
Escape character is '^]'.
%rwhois V-1.5:003fff:00 rwhois.exodus.net (by
Network Solutions, Inc. V-1.5.3)
216.35.49.170
network:Auth-Area:216.35.0.0/16
network:Class-Name:network
network:Network-Name:216.35.49.128
network:IP-Network:216.35.49.128/25
network:Organization;I:Chris Manteria
network:Address-1;I:162 Milbar Blvd.
network:Address-2;I:Farmingdale , NY 11735
network:Created:99-SEP-17
network:Updated-By:raj

network:Auth-Area:216.35.0.0/16
network:Class-Name:network
network:Network-Name:216.35.49.0
network:IP-Network:216.35.49.0/24
network:Organization;I:Exodus Communications Inc.
network:Address-1;I:2650 San Tomas Expressway
network:Address-2;I:Santa Clara, CA 95051
network:Created:99-SEP-17
network:Updated-By:raj

%ok
Connection closed by foreign host.

Guess there's always snail mail! ;-)

Ben

Lisa Saarloos wrote:
> Hello,
>
> Got the same messages in the logs here, seems to be something
> automated... Although it's being rejected, I still want to know what it
> is and where  it's coming from...
>
> Apr 25 18:34:15 ourhost sendmail[1741]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 000.000 () domain1 nl [rejected]
> Apr 26 05:18:19 ourhost sendmail[6412]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 000.000 () domain2 nl [rejected]
> May  3 17:01:40 ourhost sendmail[20558]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 00000096 () domain1 nl [rejected]
> May  4 02:25:08 ourhost sendmail[26770]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 00000096 () domain2 nl [rejected]
> May 12 05:53:12 ourhost sendmail[9647]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 00000219 () domain1 nl [rejected]
> May 12 16:02:02 ourhost sendmail[28276]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 00000219 () domain2 nl [rejected]
> May 19 22:05:52 ourhost sendmail[5763]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 0000041802 () domain1 nl [rejected]
> May 20 06:24:15 ourhost sendmail[8580]: NOQUEUE:
> IDENT:root@[216.35.49.170]: VRFY 0000041802 () domain2 nl[rejected]
>
> jamie
>
> | -----Original Message-----
> | From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> | Behalf Of Mark Tinberg
> | Sent: maandag 22 mei 2000 16:52
> | To: INCIDENTS () SECURITYFOCUS COM
> | Subject: Re: VRFY 000.000@my.domain
> |
> |
> | I saw something like this awhile ago, from some server in an
> | Exodus facility.  Possibly some network analyzer?
> |
> | Here is the snippet from my old logs.
> |
> | May  1 04:10:53 mail sendmail[17672]: NOQUEUE: [216.35.49.170]:
> | VRFY 00000096@ma
> | dison.tec.wi.us [rejected]
> | Apr 27 09:26:12 mail sendmail[7261]: NOQUEUE: [216.35.49.170]:
> | VRFY 0000005580@m
> | adison.tec.wi.us [rejected]
> | Apr 18 20:20:39 mail sendmail[6359]: NOQUEUE: [216.35.49.170]:
> | VRFY 0-pony-0@mad
> | ison.tec.wi.us [rejected]
> | Apr 22 22:57:33 mail sendmail[32653]: NOQUEUE: [216.35.49.170]:
> | VRFY 000.000@mad
> | ison.tec.wi.us [rejected]
> |
> | >>> Eduardo Escalante  05/22/00 03:40 AM >>>
> | I recently got a few times some odd security alerts:
> |
> |    VRFY 000.000@my.domain
> |    VRFY 00000096@my.domain
> |    VRFY 000001@my.domain
> |    VRFY 00000219@my.domain
> |    VRFY 0000028252@my.domain
> |
> | Different days from the same IP. I doubt they were looking
> | for valid users and half suspect some sort of weird Internet
> | tool ( ala 3DNS). Maybe it is checking for a trojan?
> |
> | Similar logs or info about it (or guesses ;) appreciated.
> |

--
"Open source software -- with no walls or fences,
who needs Windows and Gates?"

Sign the Linux Driver Petition
http://www.libranet.com/petition.html