[Dshield] DNS traffic?

George Theall theall at tifaware.com
Tue Aug 26 17:12:01 GMT 2003


On Tue, Aug 26, 2003 at 08:20:11AM -0700, Wilfred A. Smith wrote:

> Am I the only one seeing tons of hits on port 135 from remote port 666,
> followed by a hit to 1026?

I suspect these are related to Windows Messenger popups.  As ISPs have
begun blocking port 135, popup spam is increasingly targeting UDP port
1026.  See <http://www.lurhq.com/popup_spam.html>.

The lion's share of the activity I see is from 64.156.39.12,
dialup-64.156.39.12.Dial1.Denver1.Level3.net.  This particular host
started hitting me in late July and has been continuing to do so several
times per day for each host I monitor. Now I tarpit it.

George
-- 
theall at tifaware.com
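
The pattern discussed in this thread (a hit on port 135 followed by one on port 1026 from the same source) can be pulled out of firewall drop logs with a small correlator. This is an added example, not part of the original message; the log format, the 60-second window, the function name and the sample addresses are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample drops in a hypothetical format (documentation addresses):
# epoch-seconds proto src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
1061910000 UDP 198.51.100.7:666 -> 192.0.2.10:135
1061910002 UDP 198.51.100.7:666 -> 192.0.2.10:1026
1061910050 TCP 203.0.113.5:4021 -> 192.0.2.10:135
1061910100 UDP 198.51.100.9:666 -> 192.0.2.11:135
1061910500 UDP 198.51.100.9:666 -> 192.0.2.11:1026
1061910600 UDP 203.0.113.8:3310 -> 192.0.2.12:1026
"""

LINE = re.compile(r"(\d+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def find_popup_probes(log_text, window=60):
    """Return sorted (src, dst, count) tuples for sources that hit port 135
    and then port 1026 on the same destination within `window` seconds.

    Source port and protocol are parsed but not used as criteria, so the
    check still fires if the sender stops using remote port 666.
    """
    last_135 = {}             # (src, dst) -> time of most recent port-135 hit
    pairs = defaultdict(int)  # (src, dst) -> number of 135-then-1026 sequences
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, _proto, src, _sport, dst, dport = m.groups()
        ts, dport = int(ts), int(dport)
        key = (src, dst)
        if dport == 135:
            last_135[key] = ts
        elif dport == 1026 and key in last_135:
            # Consume the pending 135 hit so each one is paired at most once.
            if 0 <= ts - last_135.pop(key) <= window:
                pairs[key] += 1
    return sorted((s, d, n) for (s, d), n in pairs.items())

if __name__ == "__main__":
    for src, dst, count in find_popup_probes(SAMPLE_LOG):
        print(f"{src} -> {dst}: {count} port 135/1026 sequence(s)")
```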