[Snort-users] is this an attack?

John Berkers berjo at ...827...
Mon Jan 28 03:25:05 EST 2002


This looks to me (from the content) like a system scanning for open SMTP
relays.

Open SMTP relays are what allows a lot of the spam we receive in our
mailboxes to be sent anonymously.  My guess is that Remington Ltd is
actively scanning the Internet for open relays.

If you have no open relays then you have nothing to worry about.

Regards,

John Berkers
berjo at ...827...



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ronneil
Camara
Sent: Monday, 28 January 2002 18:42
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] is this an attack?


Hi dudes,

I am receiving a lot of smtp connection attempts from our checkpoint
firewall-1. Is it an attack? Looks like a SYN scan to me coz I never see
any HELO transaction in the /var/log/maillog.

01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S
1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
  0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0.Á@...4701...
  0010: 41c0 7544 5123 0019 663a 5546 0000 0000  AÀuDQ#..f:UF....
  0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p..Ðñ......´....

01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S
2880971570:2880971570(0) ack 1715098951 win 17520 <mss
1460,nop,nop,sackOK> (DF)
  0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544  E..0Yô@...843... at .rÎAÀuD
  0010: 41c0 7541 0019 5123 abb8 2332 663a 5547  AÀuA..Q#«¸#2f:UG
  0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402  p.Dpôð.....´....

01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win
5840 (DF)
  0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541  E..(.Â@...4701...
  0010: 41c0 7544 5123 0019 663a 5547 abb8 2333  AÀuDQ#..f:UG«¸#3
  0020: 5010 16d0 4f55 0000 0000 0000 0000       P..ÐOU........

01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P
1:107(106) ack 1 win 17520 (DF)
  0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544  E...!ò@...843... at .ªnAÀuD
  0010: 41c0 7541 0019 5123 abb8 2333 663a 5547  AÀuA..Q#«¸#3f:UG
  0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
  0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
  0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
  0050: 6572                                     er

01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6)
ack 107 win 5734 (DF)
  0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....Ã@...4701...
  0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  AÀuDQ#..f:UG«¸#.
  0020: 5018 1666 a793 0000 5155 4954 0d0a       P..f§...QUIT..

01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win
17514 (DF)
  0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544  E..(Z×@...843... at ...4702...
  0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
  0020: 5010 446a 214b 0000                      P.Dj!K..

01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P
107:116(9) ack 7 win 17520 (DF)
  0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y. at ...843...@.S'AÀuD
  0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
  0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
  0030: 0a                                       .

01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F
116:116(0) ack 7 win 17520 (DF)
  0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544  E..(/ú@...843... at ..ÐAÀuD
  0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d  AÀuA..Q#«¸#¦f:UM
  0020: 5011 4470 213b 0000                      P.Dp!;..

01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117
win 5725 (DF)
  0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541  E..(.Ä@...4701...
  0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
  0020: 5010 165d 4f4e 0000 0000 0000 0000       P..]ON........

01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0)
ack 117 win 5725 (DF)
  0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541  E..(.û@...4703...
  0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
  0020: 5011 165d 4f4d 0000 0000 0000 0000       P..]OM........

01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win
17520 (DF)
  0000: 4500 0028 66c1 4000 4006 6609 41c0 7544  E..(fÁ@...843... at .f.AÀuD
  0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e  AÀuA..Q#«¸#§f:UN
  0020: 5010 4470 213a 0000                      P.Dp!:..

01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R
1715098958:1715098958(0) win 0
  0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541  E..(.ý....-ÍAÀuA
  0010: 41c0 7544 5123 0019 663a 554e 663a 554e  AÀuDQ#..f:UNf:UN
  0020: 5004 0000 798d 0000 0000 0000 0000       P...y.........


Please explain. Thanks.


  
neil camara (ronneilc at ...4042...) - cc{na|sa}, mcse - pgp
0x777777B2 
network/security engineer - dl := +1(847)2.21.0.224 cn :=
+1(847)9.80.17.53 
        echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
              awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
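As an added example (not code from either poster), a small Python checker that reassembles a tcpdump -x session like the one quoted above and flags sessions that take the 220 banner and send no HELO/EHLO/MAIL/RCPT before QUIT, the pattern Ronneil describes; the trace, hostnames and hex bytes below are constructed.

```python
import re
from collections import defaultdict
# Constructed tcpdump -x style trace modelled on the quoted session (SYN,
# server 220 banner, client QUIT); hex is hand-built, addresses are made up.
SAMPLE_TRACE = """\
01:24:49.777645 cpfw.20771 > mx.example.smtp: S 1715098950:1715098950(0) win 5840 (DF)
  0000: 4500 0030 9fc1 4000 7f06 0000 0a00 0002
  0010: 0a00 0001 5123 0019 663a 5546 0000 0000
  0020: 7002 16d0 0000 0000 0204 05b4 0101 0402
01:24:49.781016 mx.example.smtp > cpfw.20771: P 1:15(14) ack 1 win 17520 (DF)
  0000: 4500 0036 21f2 4000 4006 0000 0a00 0001
  0010: 0a00 0002 0019 5123 abb8 2333 663a 5547
  0020: 5018 4470 0000 0000 3232 3020 6d78 2045
  0030: 534d 5450 0d0a
01:24:49.781930 cpfw.20771 > mx.example.smtp: P 1:7(6) ack 15 win 5734 (DF)
  0000: 4500 002e 9fc3 4000 7f06 0000 0a00 0002
  0010: 0a00 0001 5123 0019 663a 5547 abb8 2341
  0020: 5018 1666 0000 0000 5155 4954 0d0a
"""
SUMMARY = re.compile(r"^\S+ (\S+) > (\S+): ")       # "time src > dst: flags ..."
HEXLINE = re.compile(r"^\s+[0-9a-f]{4}:\s+(.*)$")   # "  0010: 41c0 7544 ..." lines

def parse_packets(trace):
    """Return [(src, dst, raw_ip_bytes)] from tcpdump -x output."""
    pkts = []
    for line in trace.splitlines():
        if m := SUMMARY.match(line):
            pkts.append((m.group(1), m.group(2), bytearray()))
        elif (h := HEXLINE.match(line)) and pkts:
            for tok in h.group(1).split():
                if not re.fullmatch(r"[0-9a-f]{2}(?:[0-9a-f]{2})?", tok):
                    break                       # ASCII column reached
                pkts[-1][2].extend(bytes.fromhex(tok))
    return pkts

def tcp_payload(raw):
    ihl = (raw[0] & 0x0F) * 4            # IP header length from the IHL nibble
    doff = (raw[ihl + 12] >> 4) * 4      # TCP data offset (options included)
    return bytes(raw[ihl + doff:])

def classify_session(trace):
    """Reassemble each direction; the initiator is the source of the first packet."""
    pkts = parse_packets(trace)
    client = pkts[0][0]
    streams = defaultdict(bytes)
    for src, _dst, raw in pkts:
        streams[src] += tcp_payload(raw)
    server_text = b"".join(v for k, v in streams.items() if k != client).decode("latin-1")
    cmds = [l.split()[0].upper() for l in streams[client].decode("latin-1").splitlines() if l.strip()]
    envelope = any(c in ("HELO", "EHLO", "MAIL", "RCPT") for c in cmds)
    verdict = ("banner-probe" if server_text.startswith("220") and not envelope
               else "smtp-session" if envelope else "no-smtp-data")
    return {"client": client, "commands": cmds, "verdict": verdict}
```

A real relay test would go on to HELO, MAIL FROM and RCPT TO, so the "smtp-session" verdict is where a relay check would inspect the RCPT domain; the quoted trace never gets that far.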