[Dshield] Weird SMTP access

Ed Truitt ed.truitt at etee2k.net
Sun Nov 17 18:45:24 GMT 2002


To answer your last 2 questions:

1) If I am correct, the "500" strings in the log indicate an error.  If you
aren't running an HTTP proxy (ISA, Apache, or some other system) on the box,
you shouldn't have anything to worry about.

2) If you don't have the need (or desire) to accept connections from
Chinanet, then by all means block them.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Johan Strand" <Johan.Strand at frontend.se>
To: <list at dshield.org>
Sent: Sunday, November 17, 2002 2:51 AM
Subject: [Dshield] Weird SMTP access


> Hi!
>
> I got a strange access-attempt in my SMTP-log today. My guess is an
> attempt to use it as a proxy. Is that correct? Does anyone know what to look
> for to see if it was successful? The below is the only lines in the log (MS
> Exchange).
>
> As usual this is from Chinanet... I'm seriously thinking of blocking them.
> Am I overreacting?
>
> Best,
> Johan
>
>
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 34, 32, 500, 0, get, -, +http://www.yahoo.com/+HTTP/1.1,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 19, 32, 500, 0, host:, -, +www.yahoo.com,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 11, 32, 500, 0, accept:, -, +*/*,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 16, 32, 500, 0, pragma:, -, +no-cache,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 59, 32, 500, 0, user-agent:, -, +Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+98),
> 218.7.157.195, -, 11/17/2002, 6:34:38, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 1578, 0, 0, 0, 1609, QUIT, -, -,
>
>
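
An added example, not part of either message: a small triage script for the check discussed above, which flags clients that sent non-SMTP commands to the SMTP service and counts how many of those commands were not refused with a 5xx status. The column order is an assumption (the Microsoft IIS log file format), and the last sample record is constructed.

```python
from collections import defaultdict

# Assumed column order: the Microsoft IIS log file format written by SMTPSVC.
FIELDS = ("client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_in", "bytes_out", "status", "win32_status",
          "verb", "target", "params")
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "BDAT", "RSET", "NOOP",
              "QUIT", "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS", "ETRN", "TURN"}
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def parse_line(line):
    """Split one log record into named fields; return None if malformed."""
    parts = [p.strip() for p in line.split(",", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS) or not parts[10].isdigit():
        return None
    parts[-1] = parts[-1].rstrip(", ")   # records end with a trailing comma
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines):
    """Per client: count non-SMTP commands and how many were NOT refused (5xx)."""
    out = defaultdict(lambda: {"http_probe": False, "non_smtp": 0, "not_refused": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["service"].upper().startswith("SMTPSVC"):
            continue
        verb = rec["verb"].upper()
        if verb in SMTP_VERBS:
            continue                      # ordinary SMTP traffic, not of interest
        entry = out[rec["client_ip"]]
        entry["non_smtp"] += 1
        entry["http_probe"] = entry["http_probe"] or verb in HTTP_METHODS
        if not 500 <= rec["status"] <= 599:
            entry["not_refused"] += 1     # worth a closer look
    return dict(out)

# First six records are the ones quoted in the post (wrapped lines rejoined);
# the last is a constructed normal SMTP command from a documentation address.
SAMPLE = [
    "218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 34, 32, 500, 0, get, -, +http://www.yahoo.com/+HTTP/1.1,",
    "218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 19, 32, 500, 0, host:, -, +www.yahoo.com,",
    "218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 11, 32, 500, 0, accept:, -, +*/*,",
    "218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 16, 32, 500, 0, pragma:, -, +no-cache,",
    "218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 59, 32, 500, 0, user-agent:, -, +Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+98),",
    "218.7.157.195, -, 11/17/2002, 6:34:38, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 1578, 0, 0, 0, 1609, QUIT, -, -,",
    "192.0.2.10, -, 11/17/2002, 6:40:02, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 21, 120, 250, 0, EHLO, -, +mail.example.org,",
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE).items():
        print(ip, entry)
```

On the records from the post, every non-SMTP command from 218.7.157.195 carries status 500, so `not_refused` stays at 0.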



