[Dshield] Port scanner question
aaron at adldatacomm.net
Sat Mar 5 11:52:04 GMT 2005
Hello, I'm sure it is the Auth now that I think about that. Yes these are
reports I'm sending. Ok I added
to my dshield.cnf file
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Johannes B. Ullrich
Sent: Friday, March 04, 2005 12:20 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Port scanner question
Aaron Lewis wrote:
> In my DShield daily report my mail server is showing up as a port
> As a matter if fact it's on the top of the list. This is a known and
> box and I DO NOT want it showing up any ware as a bad or mischievous IP
> address. How do we fix this?
Are these reports you are sending in? One possible problem could be that
you mail server is performing 'auth' lookups for each e-mail it receives.
Theoretically, these looks are a good thing and there is nothing that
bad about them. However, only few systems these days support it, and
even if they do there is no reason for your system to trust them.
So my recommendations:
(1) if these are reports you send, just filter out that IP address.
(2) if your mail server attempts to connect to remote auth/ident
servers, turn that feature off (it will likely speed up mail delivery as
More information about the list