[Dshield] unusual port 25 traffic

KrogNetix abuse at allover.ca
Thu Jan 26 21:47:54 GMT 2006


It seems strange that the burst (apparently) came from a domestic ADSL IP.
We have been seeing spammers connecting via TCP 25 in bunches of 20-100
to try and confuse the anti-spam or "greylisting" system and allow for
successful delivery. Maybe this is a similar (only much larger) event like
that?

------------------
M. McBride
Security Admin
DigitalNation
Vancouver CA
888-320-TECH


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jean-Pierre Schwickerath
Sent: Thursday, January 26, 2006 10:41 AM
To: list at lists.dshield.org
Subject: [ABUSE] Re: [Dshield] unusual port 25 traffic




> 
> We have scanned the boxes with AV, scanned with Nessus, we can seem to 
> find them compromised.
> 
> Sniffer has been set up and we are waiting for another burst.  We 
> cannot find a pattern to the traffic.  We can go a couple of 
> days/hours/minutes before another burst.

can you dump the traffic's payload to see whether it's really smtp or
something else?



Jean-Pierre


-- 
HILOTEC Engineering + Consulting GmbH
Energietechnik und Datensysteme
Tel: +41 34 402 74 00 - http://www.hilotec.com/
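As an added example (not code from either poster), a small Python detector for the pattern McBride describes above: a single source opening 20 or more TCP/25 connections inside a short window, which a greylisting MTA would see as a burst. The log line format, hosts and sample lines are constructed assumptions, not data from this thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical connection-log format (constructed for this example):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> TCP"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) TCP$")


def build_sample():
    """Constructed sample log: one host bursts 25 SMTP connects in 25 s,
    another host connects three times hours apart, plus one port-80 line."""
    base = datetime(2006, 1, 26, 10, 30, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.7 -> 192.0.2.25:25 TCP"
             for i in range(25)]
    lines += [f"{(base + timedelta(hours=h)).isoformat()} 10.0.0.9 -> 192.0.2.25:25 TCP"
              for h in range(3)]
    lines.append(f"{base.isoformat()} 10.0.0.7 -> 192.0.2.25:80 TCP")
    return "\n".join(lines)


def parse_lines(text):
    """Return (timestamp, src_ip, dst_port) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(4))))
    return events


def find_bursts(events, min_conns=20, window=timedelta(seconds=60), port=25):
    """Map src_ip -> peak connection count for sources that opened at least
    `min_conns` connections to `port` within any sliding window of `window`.
    The 20 threshold is the low end of the 20-100 range reported in the thread."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        if dport == port:
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_conns:
            hits[src] = peak
    return hits
```

Running `find_bursts(parse_lines(build_sample()))` flags only 10.0.0.7 (25 connects); the three spaced-out connects from 10.0.0.9 and the port-80 line are ignored.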