[Snort-users] SMTP scans

Marcus Nelson jtmyfj at ...892...
Thu Nov 30 11:54:07 EST 2000

I've been getting hit with a lot of SMTP scans from  I have
about 306 hits form 21:28 on 11/28 to 08:39 11/30.

[**] SMTP Attempt [**]
11/28-21:28:52.921232> 24.xxx.xxx.25:25
TCP TTL:48 TOS:0x0 ID:33430 DF
******S* Seq: 0x39E16824 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 2896151777 0 NOP WS: 0

There is a web site called http://portscan.cablemodemhelp.com.  The page
claims that it only scans sites that have connected to the page.  The system
that is getting hit is ONLY an IDS box and does not even have a browser

The page also claims that you can be 'removed' from the scan list if you
email them.  Sounds fishy to me.....


Marc Nelson

More information about the Snort-users mailing list