[Dshield] Favor to ask the list.

Aaron Lewis aaron at adldatacomm.net
Wed Jun 29 16:39:46 GMT 2005


On many mail servers the ident service is running and will appear as a port
scan if the traffic is not explicitly allowed. Maybe that's what you're
seeing? I know I had to put my mail server in the DShield ignore list, and I
know that my mail server is a) not a honeypot and b) not compromised. I also
know that the cause of the false positive port scan was identd.



> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org]On Behalf Of Paul Marsh
> Sent: Wednesday, June 29, 2005 12:16 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Favor to ask the list.
> 
> 
> Sorry it took so long to get back to everyone on this.  I've been
> noticing the IP in question scanning a customer's IP on all high order
> ports.  So I did an nmap -v -P0 for starters to see what was going on,
> everything came back as open?  The IP belongs to godaddy.com's secure
> mail server and yes the customer uses godaddy.  I called godaddy, they
> said because the customer is using Outlook you'll see these scans as the
> client checks for email.  I then asked why the IP was coming back as all
> ports open and the rep had no idea but would let the upper support
> people know.
> 
> Can someone enlighten me as to why the mail server is scanning?  Outlook
> makes the connection, sends or receives email and then drops the
> connection.  Is it possible that they have some sort of honey pot on the
> box also?  Enquiring minds want to know ;)
> 
> Thanx, Paul
> 
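
A triage sketch for the false positive described in the reply above, as an added example that is not part of the original thread: it separates dropped inbound packets that look like ident lookups (TCP 113, shortly after the local host connected to that remote's mail ports) from drops that still need review. The log format, the 60-second window, the mail-port set and all addresses are constructed assumptions.

```python
from collections import defaultdict

MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}  # assumed set of mail service ports
IDENT_PORT = 113                                 # ident/auth service (RFC 1413)
WINDOW = 60                                      # assumed seconds between connect and lookup

# Constructed firewall log: "<epoch> <ALLOW|DROP> <IN|OUT> <src_ip:port> <dst_ip:port>"
SAMPLE_LOG = """\
1000 ALLOW OUT 192.0.2.10:40001 198.51.100.25:25
1001 DROP IN 198.51.100.25:51000 192.0.2.10:113
1300 ALLOW OUT 192.0.2.10:40002 198.51.100.25:995
1302 DROP IN 198.51.100.25:51001 192.0.2.10:113
2000 DROP IN 203.0.113.7:44000 192.0.2.10:22
2001 DROP IN 203.0.113.7:44001 192.0.2.10:113
2002 DROP IN 203.0.113.7:44002 192.0.2.10:445
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, action, direction, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), action, direction, sip, int(sport), dip, int(dport)

def classify(log_text, window=WINDOW):
    """Map each remote IP with dropped inbound traffic to a verdict."""
    mail_out = defaultdict(list)  # remote ip -> times we connected to its mail ports
    drops = defaultdict(list)     # remote ip -> [(time, local destination port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, direction, sip, _, dip, dport = parse(line)
        if action == "ALLOW" and direction == "OUT" and dport in MAIL_PORTS:
            mail_out[dip].append(ts)
        elif action == "DROP" and direction == "IN":
            drops[sip].append((ts, dport))
    verdicts = {}
    for remote, hits in drops.items():
        # Explained only if every drop is an ident lookup that closely follows
        # one of our own connections to that remote's mail service.
        explained = all(
            dport == IDENT_PORT
            and any(0 <= ts - t <= window for t in mail_out[remote])
            for ts, dport in hits
        )
        verdicts[remote] = "ident-callback" if explained else "review"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A remote that also hits ports other than 113, or hits 113 without a preceding outbound mail connection, stays in the "review" bucket rather than being added to an ignore list.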

