[Snort-users] SMTP scans

Marcus Nelson jtmyfj at ...892...
Thu Nov 30 11:54:07 EST 2000


I've been getting hit with a lot of SMTP scans from 206.34.203.20.  I have
about 306 hits from 21:28 on 11/28 to 08:39 11/30.

[**] SMTP Attempt [**]
11/28-21:28:52.921232 206.34.203.20:3486-> 24.xxx.xxx.25:25
TCP TTL:48 TOS:0x0 ID:33430 DF
******S* Seq: 0x39E16824 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 2896151777 0 NOP WS: 0

There is a web site called http://portscan.cablemodemhelp.com.  The page
claims that it only scans sites that have connected to the page.  The system
that is getting hit is ONLY an IDS box and does not even have a browser
installed.

The page also claims that you can be 'removed' from the scan list if you
email them.  Sounds fishy to me.....

Thanks,

Marc Nelson
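
Added example, not part of the original message: one way to produce the kind of tally quoted in the post (hits per source, first and last seen) from Snort full-format alerts, while separating bare SYNs from other flag combinations. The sample alerts use documentation addresses and, like the `summarize` function, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same full-alert layout as the post; addresses are
# documentation ranges, not the hosts from the post.
SAMPLE = """\
[**] SMTP Attempt [**]
11/28-21:28:52.921232 198.51.100.20:3486-> 192.0.2.25:25
TCP TTL:48 TOS:0x0 ID:33430 DF
******S* Seq: 0x39E16824 Ack: 0x0 Win: 0x7D78

[**] SMTP Attempt [**]
11/29-03:10:07.000411 198.51.100.20:3511 -> 192.0.2.25:25
TCP TTL:48 TOS:0x0 ID:33977 DF
******S* Seq: 0x3A0044F1 Ack: 0x0 Win: 0x7D78

[**] SMTP Attempt [**]
11/30-08:39:40.120000 203.0.113.9:1042 -> 192.0.2.25:25
TCP TTL:112 TOS:0x0 ID:511 DF
***A**S* Seq: 0x1 Ack: 0x2 Win: 0x2000
"""

HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
# Tolerates both "port-> dst" (as in the post) and "port -> dst".
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+(\S+?):(\d+)\s*->\s*(\S+?):(\d+)$")
FLAGS = re.compile(r"^([*A-Z12]{8})\s+Seq:")

def summarize(text, dport=25):
    """Per source: alerts to dport, bare-SYN count, first/last timestamp (log order)."""
    stats = defaultdict(lambda: {"hits": 0, "syn_only": 0, "first": None, "last": None})
    src = None
    for line in text.splitlines():
        line = line.strip()
        if HEADER.match(line):
            src = None                      # new alert record starts
        elif (m := PACKET.match(line)):
            ts, s, _sport, _dst, dp = m.groups()
            if int(dp) == dport:
                src = s
                entry = stats[src]
                entry["hits"] += 1
                entry["first"] = entry["first"] or ts
                entry["last"] = ts
        elif src and (m := FLAGS.match(line)):
            if m.group(1).replace("*", "") == "S":   # SYN set, nothing else
                stats[src]["syn_only"] += 1
            src = None
    return dict(stats)
```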