[Dshield] smail attack

Johannes B. Ullrich jullrich at euclidian.com
Tue Oct 23 12:50:37 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I don't have much experience with the Cisco output. But this kind of looks
like a probe for an open relay (empty 'from' and half open 'rcpt to').

>
> EHLO MAIL.mobilecom.com.jo
> MAIL FROM:<BSHARA.DABABNEH at mobilecom.jo>
> RCPT TO:<bounce
> Context Buffer 2:
> 220 tigger.emailhello.com ESMTP Postfix
> 502
> 250 tigger.emailhello.com
> 250 Ok
> Context Buffer 1:
> EHLO MAIL.mobilecom.com.jo
> HELO MAIL.mobilecom.com.jo
> MAIL FROM:<>
> RCPT TO:<81524 at bounce
> Context Buffer 2:
> 220 zoobmail003.zoomail003 (PowerMTA v1.0rel) ESMTP service ready
> 502
>
> 250 zoobmail003.zoomail003 says hello
>
> 250 2.1.0 ok
>
> The CSPM event viewer is reporting an smail attack. The source IP is my mail
> server; the destinations are different IPs. My mail server is not Unix
> sendmail. Could someone explain this? Is my server being used to attack
> other servers? My server is configured not to relay SMTP mail.
>

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE71WefVOIizK5pIDMRAiXgAKD+9PblNPN1Id5oVIngjqLnD0h1hwCbBszT
CKjoCSJ6M/rlUHyj4I9z6Xg=
=hH6q
-----END PGP SIGNATURE-----



