[Dshield] Odd Behavior?
Johannes B. Ullrich
jullrich at sans.org
Mon May 13 15:03:07 GMT 2002
This is odd. The site appears to run sendmail. And I have never seen
sendmail act like this.
Some web proxy servers used to send a ping before sending the request
(to check if the site is up before bothering with a request). However, I
don't think any proxies do this anymore due to people usually filtering
On Mon, 2002-05-13 at 10:12, Linda Jenkins wrote:
> Below is a snip from my Watchguard Firebox log. I have it set up to deny pings and auto block those sites. When one particular mail sever attempts to send mail to me it gets blocked because it also attempts to ping me. Has anyone seen this type of behavior or know why their mail server might be doing this.
> allow in eth0 44 tcp 20 45 184.108.40.206 208.XXX.XXX.XXX 53420 25 syn (SMTP)
> deny in eth0 1500 icmp 20 240 220.127.116.11 208.XXX.XXX.XXX 8 0 (Ping)
> deny in eth0 40 tcp 20 45 18.104.22.168 208.XXX.XXX.XXX 53420 25 ack (blocked site)
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
More information about the list