[Dshield] Port scanner question

Aaron Lewis aaron at adldatacomm.net
Sat Mar 5 11:52:04 GMT 2005

Hello, I'm sure it is the Auth now that I think about that. Yes these are
reports I'm sending. Ok I added


to my dshield.cnf file

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Johannes B. Ullrich
Sent: Friday, March 04, 2005 12:20 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Port scanner question

Aaron Lewis wrote:
> Hello.
> 	In my DShield daily report my mail server is showing up as a port
> As a matter if fact it's on the top of the list. This is a known and
> box and I DO NOT want it showing up any ware as a bad or mischievous IP
> address. How do we fix this?

Are these reports you are sending in? One possible problem could be that
you mail server is performing 'auth' lookups for each e-mail it receives.

Theoretically, these looks are a good thing and there is nothing that
bad about them. However, only few systems these days support it, and
even if they do there is no reason for your system to trust them.

So my recommendations:
(1) if these are reports you send, just filter out that IP address.
(2) if your mail server attempts to connect to remote auth/ident
servers, turn that feature off (it will likely speed up mail delivery as

More information about the list mailing list