[Dshield] smail attack

Paul Marsh pmarsh at nmefdn.org
Tue Oct 23 13:57:53 GMT 2001


It does look like someone is trying to relay through your server. Are the
messages going out, or are they stuck in the queue? Try filtering out
@mobilecom.jo



-----Original Message-----
From: SAMEER SALEH [mailto:SAMEER.SALEH at mobilecom.jo]
Sent: Tuesday, October 23, 2001 3:38 AM
To: 'dshield at dshield.org'
Subject: [Dshield] smail attack



My Cisco IDS is reporting the following context buffers (sample only):

Context Buffer 1:
EHLO MAIL.mobilecom.com.jo
HELO MAIL.mobilecom.com.jo
MAIL FROM:<BSHARA.DABABNEH at mobilecom.jo>
RCPT TO:<bounce

Context Buffer 2:
220 tigger.emailhello.com ESMTP Postfix
502
250 tigger.emailhello.com
250 Ok

Context Buffer 1:
EHLO MAIL.mobilecom.com.jo
HELO MAIL.mobilecom.com.jo
MAIL FROM:<>
RCPT TO:<81524 at bounce

Context Buffer 2:
220 zoobmail003.zoomail003 (PowerMTA v1.0rel) ESMTP service ready
502
250 zoobmail003.zoomail003 says hello
250 2.1.0 ok

The CSPM event viewer is reporting a smail attack. The source IP is my mail
server; the destinations are different IPs. My mail server is not Unix
sendmail. Could someone explain this? Is my server being used to attack
other servers? My server is configured not to relay SMTP mail.
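
Added example (not part of either message on this page): one way to triage client-side context buffers like the ones quoted above, labelling each captured session by its envelope sender so that null-sender bounces can be told apart from mail sent with a local or non-local sender. `LOCAL_DOMAINS` and the function names are assumptions, and the sample is constructed from the buffers in the post.

```python
import re
# Assumption: domains this server sends mail for (hypothetical list).
LOCAL_DOMAINS = {"mobilecom.jo", "mobilecom.com.jo"}

# Constructed sample: the client-side buffers from the post ("@" shown as " at ").
SAMPLE = """\
Context Buffer 1:
EHLO MAIL.mobilecom.com.jo
HELO MAIL.mobilecom.com.jo
MAIL FROM:<BSHARA.DABABNEH at mobilecom.jo>
RCPT TO:<bounce
Context Buffer 1:
EHLO MAIL.mobilecom.com.jo
HELO MAIL.mobilecom.com.jo
MAIL FROM:<>
RCPT TO:<81524 at bounce
"""

CMD = re.compile(r"^(EHLO|HELO|MAIL FROM:|RCPT TO:)\s*(.*)$", re.I)
def parse_sessions(text):
    """Return one dict per captured session: HELO name, envelope sender, recipients."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        if line.lower().startswith("context buffer"):
            sessions.append({"helo": None, "sender": None, "rcpt": []})
            continue
        m = CMD.match(line)
        if not m or not sessions:
            continue
        verb, arg = m.group(1).upper(), m.group(2).strip()
        # Strip angle brackets; the IDS capture may truncate the closing one.
        addr = arg.lstrip("<").rstrip(">").replace(" at ", "@")
        if verb in ("EHLO", "HELO"):
            sessions[-1]["helo"] = arg
        elif verb == "MAIL FROM:":
            sessions[-1]["sender"] = addr
        else:
            sessions[-1]["rcpt"].append(addr)
    return sessions

def classify(session):
    """Label a session by its envelope sender."""
    sender = session["sender"]
    if sender is None:
        return "incomplete"          # capture cut off before MAIL FROM
    if sender == "":
        return "bounce"              # null reverse-path: a delivery notification
    domain = sender.rpartition("@")[2].lower()
    return "local-sender" if domain in LOCAL_DOMAINS else "non-local-sender"
```

A `non-local-sender` result on an outbound session is the case to compare against the server's relay settings and its queue.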
