[Dshield] Port scanner question

Aaron Lewis aaron at adldatacomm.net
Sat Mar 5 11:52:04 GMT 2005


Hello, I'm sure it is the Auth now that I think about that. Yes these are
reports I'm sending. Ok I added

line_exclude=mail.server.ip.addr

to my dshield.cnf file

Thanks
ADL
-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Johannes B. Ullrich
Sent: Friday, March 04, 2005 12:20 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Port scanner question


Aaron Lewis wrote:
> Hello.
> 	In my DShield daily report my mail server is showing up as a port
> scanner. As a matter of fact it's on the top of the list. This is a known
> and trusted box and I DO NOT want it showing up anywhere as a bad or
> mischievous IP address. How do we fix this?

Are these reports you are sending in? One possible problem could be that
your mail server is performing 'auth' lookups for each e-mail it receives.

Theoretically, these lookups are a good thing and there is nothing that
bad about them. However, only a few systems these days support it, and
even if they do there is no reason for your system to trust them.

So my recommendations:
(1) if these are reports you send, just filter out that IP address.
(2) if your mail server attempts to connect to remote auth/ident
servers, turn that feature off (it will likely speed up mail delivery as
well).
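
Added example (not part of the original thread, and not the DShield client's code): why a mail server doing auth/ident lookups tops a naive "port scanner" ranking, how to recognise that pattern by its single destination port (TCP/113), and the effect of excluding that source before reporting. The log format, the IP addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

IDENT_PORT = 113  # TCP port of the auth/ident service

# Constructed sample log (not a real DShield format):
# date time src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2005-03-04 10:01:02 192.0.2.25 40112 198.51.100.7 113 TCP
2005-03-04 10:01:09 192.0.2.25 40113 198.51.100.44 113 TCP
2005-03-04 10:02:31 192.0.2.25 40120 203.0.113.9 113 TCP
2005-03-04 10:03:55 192.0.2.25 40131 203.0.113.80 113 TCP
2005-03-04 10:04:10 192.0.2.25 40140 198.51.100.91 113 TCP
2005-03-04 10:05:00 203.0.113.200 51000 192.0.2.10 22 TCP
2005-03-04 10:05:01 203.0.113.200 51001 192.0.2.10 23 TCP
2005-03-04 10:05:02 203.0.113.200 51002 192.0.2.10 445 TCP
"""

def parse(log):
    """Yield (src, dst, dport, proto) for each well-formed line."""
    for line in log.splitlines():
        f = line.split()
        if len(f) == 7 and f[5].isdigit():
            yield f[2], f[4], int(f[5]), f[6].upper()

def rank_sources(log, excluded=()):
    """Count distinct (dst, port) pairs per source, the way a naive
    scanner ranking would, skipping excluded source addresses."""
    seen = defaultdict(set)
    for src, dst, dport, proto in parse(log):
        if src not in excluded:
            seen[src].add((dst, dport, proto))
    return sorted(((len(v), s) for s, v in seen.items()), reverse=True)

def ident_only_sources(log):
    """Sources whose every logged connection goes to TCP/113."""
    ports = defaultdict(set)
    for src, _dst, dport, proto in parse(log):
        ports[src].add((dport, proto))
    return sorted(s for s, p in ports.items() if p == {(IDENT_PORT, "TCP")})

if __name__ == "__main__":
    print(rank_sources(SAMPLE_LOG))        # mail server ranks first
    print(ident_only_sources(SAMPLE_LOG))  # but it only ever hits TCP/113
    print(rank_sources(SAMPLE_LOG, excluded={"192.0.2.25"}))
```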





