[Dshield] Port scanner question

Johannes B. Ullrich jullrich at euclidian.com
Fri Mar 4 17:20:17 GMT 2005


Aaron Lewis wrote:
> Hello.
> 	In my DShield daily report my mail server is showing up as a port scanner.
> As a matter of fact it's on the top of the list. This is a known and trusted
> box and I DO NOT want it showing up anywhere as a bad or mischievous IP
> address. How do we fix this?

Are these reports you are sending in? One possible problem could be that 
your mail server is performing 'auth' lookups for each e-mail it receives.

Theoretically, these lookups are a good thing and there is nothing that 
bad about them. However, only a few systems these days support it, and 
even if they do there is no reason for your system to trust them.

So my recommendations:
(1) if these are reports you send, just filter out that IP address.
(2) if your mail server attempts to connect to remote auth/ident 
servers, turn that feature off (it will likely speed up mail delivery as 
well).
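
One way to confirm the 'auth' lookup explanation from the reply above, as an added example that is not part of the original message: correlate inbound SMTP connections with outbound connections from the mail server to TCP port 113 on the same remote host. The log format, the addresses (documentation ranges), and the 30-second window are assumptions; the sample log is constructed.

```python
"""Flag likely auth/ident (TCP/113) callbacks made by a mail server."""
from datetime import datetime, timedelta

MAIL_SERVER = "198.51.100.5"    # assumption: address of your mail server
SMTP_PORT = 25
IDENT_PORT = 113                # auth/ident service
WINDOW = timedelta(seconds=30)  # assumption: callback follows SMTP quickly

# Constructed sample connection log: time src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2005-03-04T17:00:01 192.0.2.10 40112 198.51.100.5 25
2005-03-04T17:00:02 198.51.100.5 51000 192.0.2.10 113
2005-03-04T17:03:10 203.0.113.7 33001 198.51.100.5 25
2005-03-04T17:03:11 198.51.100.5 51001 203.0.113.7 113
2005-03-04T17:05:00 198.51.100.5 51002 192.0.2.99 25
2005-03-04T18:00:00 198.51.100.5 51003 192.0.2.10 113
"""

def parse(log):
    """Yield (time, src_ip, src_port, dst_ip, dst_port) per well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, sport, dst, dport = parts
        yield datetime.fromisoformat(ts), src, int(sport), dst, int(dport)

def find_ident_callbacks(log, server=MAIL_SERVER, window=WINDOW):
    """Return (remote_ip, smtp_time, ident_time) for each ident callback."""
    last_smtp = {}  # remote ip -> time of its most recent inbound SMTP connection
    hits = []
    for ts, src, _sport, dst, dport in parse(log):
        if dst == server and dport == SMTP_PORT:
            last_smtp[src] = ts
        elif src == server and dport == IDENT_PORT:
            seen = last_smtp.get(dst)
            # Count it only if it closely follows SMTP from that same host.
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((dst, seen, ts))
    return hits

if __name__ == "__main__":
    for remote, smtp_ts, ident_ts in find_ident_callbacks(SAMPLE_LOG):
        print(f"{remote}: SMTP in at {smtp_ts}, ident lookup out at {ident_ts}")
```

If every inbound SMTP peer is followed by a port 113 connection back to it, the mail server is making ident lookups, which remote firewalls will log as unsolicited probes.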
