[Snort-users] ATTACK-RESPONSES id check returned root

Our World Is Here info at ...2282...
Wed Oct 26 08:05:40 EDT 2005


That would be true...if we had an SMTP server, but we don't.

None of our machines handle email, we use a third party.  So why would we
ever see this normally?  The only 25 we should see normally is outbound
directly to our real server.

But yes, we do see legit emails hitting this when we POP our mail (obviously
not with web mail clients...).


Sincerely,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca


> > I see this so often I've revised this sid (498 I think) to ignore
> > anything coming via POP port 110.  If I see it on 25 I get
> > worried...
> >
> Why?  If you see it on port 25, it's just incoming email.
> Look at the payload.  You'll see that it's an email passing
> through your smtp server.
>
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
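
Added example (not part of the original thread, and not code from either poster): a small triage pass over alerts for this signature that encodes the distinction argued above. POP3 downloads from the mail provider and outbound SMTP to it are expected; any other port 25 traffic is escalated, because the site runs no SMTP server. The addresses, the HOME_NET range, the category names and the sample alert lines are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed site facts (assumptions for illustration only).
HOME_NET = ip_network("192.0.2.0/24")         # internal hosts, none run SMTP
MAIL_PROVIDER = ip_address("198.51.100.25")   # third-party mail server

# Flow part of a Snort "fast" alert line: {TCP} src:sport -> dst:dport
FLOW = re.compile(r"\{TCP\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")

def triage(alert_line):
    """Classify one alert for the 'id check returned root' signature."""
    m = FLOW.search(alert_line)
    if not m:
        return "review"                        # non-TCP or unparsable line
    try:
        src, dst = ip_address(m[1]), ip_address(m[3])
    except ValueError:
        return "review"
    sport, dport = int(m[2]), int(m[4])
    # Mail text containing "uid=0(root)" pulled down over POP3.
    if src == MAIL_PROVIDER and sport == 110 and dst in HOME_NET:
        return "expected-pop3"
    # Outbound mail handed to the provider: the only port 25 flow expected.
    if src in HOME_NET and dst == MAIL_PROVIDER and dport == 25:
        return "expected-smtp-out"
    # Any other port 25 flow contradicts the site's mail topology.
    if 25 in (sport, dport):
        return "investigate-smtp"
    return "review"

# Constructed sample alerts (not real log data).
MSG = "[**] [1:498:1] ATTACK-RESPONSES id check returned root [**] {TCP} "
SAMPLE_ALERTS = [
    MSG + "198.51.100.25:110 -> 192.0.2.10:1042",   # POP3 download
    MSG + "192.0.2.10:1043 -> 198.51.100.25:25",    # outbound to provider
    MSG + "203.0.113.7:4444 -> 192.0.2.20:25",      # inbound 25, no server
    MSG + "192.0.2.30:80 -> 203.0.113.9:51000",     # unrelated service
]

def triage_all(lines=SAMPLE_ALERTS):
    return [triage(line) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_ALERTS, triage_all()):
        print(f"{verdict:18} {line.split('{TCP} ')[1]}")
```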





