Snort mailing list archives
RE: is this an attack?
From: "John Berkers" <berjo () ozemail com au>
Date: Mon, 28 Jan 2002 22:24:09 +1100
This looks to me (from the content) like a system scanning for open SMTP relays. Open SMTP relays are what allows a lot of the spam we receive in our mailboxes to be sent anonymously. My guess is that Remington Ltd is actively scanning the Internet for open relays. If you have no open relays then you have nothing to worry about.

Regards,

John Berkers
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ronneil Camara
Sent: Monday, 28 January 2002 18:42
To: snort-users () lists sourceforge net
Subject: [Snort-users] is this an attack?

Hi dudes,

I am receiving a lot of smtp connection attempts from our checkpoint firewall-1. Is it an attack? Looks like a SYN scan to me coz I never see any HELO transaction in the /var/log/maillog.

01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0.Á@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5546 0000 0000  AÀuDQ#..f:UF....
0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p..Ðñ......´....
01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544  E..0Yô@.@.rÎAÀuD
0010: 41c0 7541 0019 5123 abb8 2332 663a 5547  AÀuA..Q#«¸#2f:UG
0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402  p.Dpôð.....´....
01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541  E..(.Â@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5547 abb8 2333  AÀuDQ#..f:UG«¸#3
0020: 5010 16d0 4f55 0000 0000 0000 0000  P..ÐOU........
01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P 1:107(106) ack 1 win 17520 (DF)
0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544  E...!ò@.@.ªnAÀuD
0010: 41c0 7541 0019 5123 abb8 2333 663a 5547  AÀuA..Q#«¸#3f:UG
0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
0050: 6572  er
01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6) ack 107 win 5734 (DF)
0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....Ã@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  AÀuDQ#..f:UG«¸#.
0020: 5018 1666 a793 0000 5155 4954 0d0a  P..f§...QUIT..
01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544  E..(Z×@.@.qóAÀuD
0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
0020: 5010 446a 214b 0000  P.Dj!K..
01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P 107:116(9) ack 7 win 17520 (DF)
0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y.@.@.S'AÀuD
0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
0030: 0a  .
01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F 116:116(0) ack 7 win 17520 (DF)
0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544  E..(/ú@.@..ÐAÀuD
0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d  AÀuA..Q#«¸#¦f:UM
0020: 5011 4470 213b 0000  P.Dp!;..
01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541  E..(.Ä@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
0020: 5010 165d 4f4e 0000 0000 0000 0000  P..]ON........
01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0) ack 117 win 5725 (DF)
0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541  E..(.û@...íÎAÀuA
0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
0020: 5011 165d 4f4d 0000 0000 0000 0000  P..]OM........
01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
0000: 4500 0028 66c1 4000 4006 6609 41c0 7544  E..(fÁ@.@.f.AÀuD
0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e  AÀuA..Q#«¸#§f:UN
0020: 5010 4470 213a 0000  P.Dp!:..
01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R 1715098958:1715098958(0) win 0
0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541  E..(.ý....-ÍAÀuA
0010: 41c0 7544 5123 0019 663a 554e 663a 554e  AÀuDQ#..f:UNf:UN
0020: 5004 0000 798d 0000 0000 0000 0000  P...y.........

Please explain.

Thanks.

neil camara (ronneilc () remingtonltd com) - cc{na|sa}, mcse - pgp 0x777777B2
network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'

--------------------------------------------------------------------------
---o0 Statement of Confidentiality 0o---
The contents of this message and its attachments and subsequent additions are strictly confidential and proprietary and intended solely for the addressee(s) hereof. If you are not the named addressee, or this message has been addressed to you in error, you are directed not to read, disclose, reproduce, distribute, disseminate or otherwise use this transmission. Delivery of this message to any other person other than the intended recipient(s) is not intended in any way to waive privilege or confidentiality. If you have received this transmission in error, please alert the sender by reply e-mail; we also request that you immediately delete this message and its attachments, if any.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
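The capture quoted above, decoded by a short Python script added here (not code from the thread; the function names and the packet list are mine): it parses the tcpdump -x hex of the first six packets, uses the IP total length to discard the Ethernet padding visible on the bare ACK, copes with the truncated banner packet, and reports whether the three-way handshake completed and which SMTP commands the client sent. On this trace the handshake completes and the only client command is QUIT, which is a banner grab over a full connection rather than the SYN scan the question suspects.

```python
import struct
from ipaddress import IPv4Address

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Sample input constructed from the hex columns of the posted trace: SYN, SYN-ACK, ACK,
# server banner (capture truncated), client QUIT, server 221; teardown packets omitted.
SESSION_HEX = [
    "4500 0030 9fc1 4000 7f06 ee00 41c0 7541 41c0 7544 5123 0019 663a 5546 0000 0000"
    " 7002 16d0 f18c 0000 0204 05b4 0101 0402",
    "4500 0030 59f4 4000 4006 72ce 41c0 7544 41c0 7541 0019 5123 abb8 2332 663a 5547"
    " 7012 4470 f4f0 0000 0204 05b4 0101 0402",
    "4500 0028 9fc2 4000 7f06 ee07 41c0 7541 41c0 7544 5123 0019 663a 5547 abb8 2333"
    " 5010 16d0 4f55 0000 0000 0000 0000",
    "4500 0092 21f2 4000 4006 aa6e 41c0 7544 41c0 7541 0019 5123 abb8 2333 663a 5547"
    " 5018 4470 960f 0000 3232 3020 616e 7469 7370 616d 2e72 656d 696e 6774 6f6e 6c74"
    " 642e 636f 6d20 4553 4d54 5020 5365 7276 6572",
    "4500 002e 9fc3 4000 7f06 ee00 41c0 7541 41c0 7544 5123 0019 663a 5547 abb8 239d"
    " 5018 1666 a793 0000 5155 4954 0d0a",
    "4500 0031 799a 4000 4006 5327 41c0 7544 41c0 7541 0019 5123 abb8 239d 663a 554d"
    " 5018 4470 0c5b 0000 3232 3120 4279 650d 0a",
]

def parse_packet(hex_line):
    """Return (src, sport, dst, dport, flag names, payload) for one IPv4/TCP packet."""
    raw = bytes.fromhex(hex_line.replace(" ", ""))
    assert raw[0] >> 4 == 4 and raw[9] == 6, "not an IPv4/TCP packet"
    ihl, total_len = (raw[0] & 0x0F) * 4, struct.unpack("!H", raw[2:4])[0]
    src, dst = str(IPv4Address(raw[12:16])), str(IPv4Address(raw[16:20]))
    tcp = raw[ihl:total_len]            # total length drops the Ethernet padding on the bare ACK
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = [name for bit, name in TCP_FLAGS.items() if tcp[13] & bit]
    payload = tcp[(tcp[12] >> 4) * 4:]  # shorter than advertised when the capture was truncated
    return src, sport, dst, dport, flags, payload

def classify_session(hex_lines):
    """Did the three-way handshake complete, and what did the client send afterwards?"""
    pkts = [parse_packet(h) for h in hex_lines]
    client, seen, commands, replies = pkts[0][0], set(), [], []   # client = sender of first SYN
    for src, _, dst, _, flags, payload in pkts:
        if src == client and flags == ["SYN"]: seen.add("SYN")
        elif dst == client and {"SYN", "ACK"} <= set(flags): seen.add("SYN-ACK")
        elif src == client and "ACK" in flags and "SYN-ACK" in seen: seen.add("ACK")
        text = payload.decode("ascii", "replace").strip()
        if text: (commands if src == client else replies).append(text)
    handshake = {"SYN", "SYN-ACK", "ACK"} <= seen
    verdict = ("half-open, consistent with a SYN scan" if not handshake else
               "full connect, banner grab only" if commands == ["QUIT"] else
               "full connect with SMTP dialogue")
    return {"handshake": handshake, "commands": commands, "replies": replies, "verdict": verdict}
```

Running `classify_session(SESSION_HEX)` on the posted packets gives the banner-grab verdict; feeding it only the first packet gives the half-open verdict, which is what a real SYN scan would look like in the same capture.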
Current thread:
- is this an attack? Ronneil Camara (Jan 27)
- RE: is this an attack? John Berkers (Jan 28)
- <Possible follow-ups>
- RE: is this an attack? Ronneil Camara (Jan 28)
- RE: is this an attack? Blake Frantz (Jan 28)