[Snort-users] SMTP scans
jtmyfj at ...892...
Thu Nov 30 11:54:07 EST 2000
I've been getting hit with a lot of SMTP scans from 126.96.36.199. I have
about 306 hits from 21:28 on 11/28 to 08:39 11/30.
[**] SMTP Attempt [**]
11/28-21:28:52.921232 188.8.131.52:3486-> 24.xxx.xxx.25:25
TCP TTL:48 TOS:0x0 ID:33430 DF
******S* Seq: 0x39E16824 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 2896151777 0 NOP WS: 0
There is a web site called http://portscan.cablemodemhelp.com. The page
claims that it only scans sites that have connected to the page. The system
that is getting hit is ONLY an IDS box and does not even have a browser.
The page also claims that you can be 'removed' from the scan list if you
email them. Sounds fishy to me.....