[Dshield] Port scanner question
Johannes B. Ullrich
jullrich at euclidian.com
Fri Mar 4 17:20:17 GMT 2005
Aaron Lewis wrote:
> In my DShield daily report my mail server is showing up as a port scanner.
> As a matter if fact it's on the top of the list. This is a known and trusted
> box and I DO NOT want it showing up any ware as a bad or mischievous IP
> address. How do we fix this?
Are these reports you are sending in? One possible problem could be that
you mail server is performing 'auth' lookups for each e-mail it receives.
Theoretically, these looks are a good thing and there is nothing that
bad about them. However, only few systems these days support it, and
even if they do there is no reason for your system to trust them.
So my recommendations:
(1) if these are reports you send, just filter out that IP address.
(2) if your mail server attempts to connect to remote auth/ident
servers, turn that feature off (it will likely speed up mail delivery as
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20050304/6f0b9fca/signature.bin
More information about the list