No subject


Thu Nov 23 16:36:19 EST 2017


I've never seen those packets before.

-> -----Original Message-----
-> From: John Berkers [mailto:berjo at ...827...]
-> Sent: Monday, January 28, 2002 5:24 AM
-> To: snort-users at lists.sourceforge.net
-> Subject: RE: [Snort-users] is this an attack?
->
->
-> This looks to me (from the content) like a system scanning for open SMTP
-> relays.
->
-> Open SMTP relays are what allows a lot of the spam we receive in our
-> mailboxes to be sent anonymously.  My guess is that Remington Ltd is
-> actively scanning the Internet for open relays.
->
-> If you have no open relays then you have nothing to worry about.
->
-> Regards,
->
-> John Berkers
-> berjo at ...827...
->
->
->
-> -----Original Message-----
-> From: snort-users-admin at lists.sourceforge.net
-> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ronneil
-> Camara
-> Sent: Monday, 28 January 2002 18:42
-> To: snort-users at lists.sourceforge.net
-> Subject: [Snort-users] is this an attack?
->
->
-> Hi dudes,
->
-> I am receiving a lot of smtp connection attempts from our checkpoint
-> firewall-1. Is it an attack? Looks like a SYN scan to me coz I never see
-> any HELO transaction in the /var/log/maillog.
->
-> 01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
->   0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0.Á at ...4701...
->   0010: 41c0 7544 5123 0019 663a 5546 0000 0000  AÀuDQ#..f:UF....
->   0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p..Ðñ......´....
->
-> 01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
->   0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544  E..0Yô at ...843...@.rÎAÀuD
->   0010: 41c0 7541 0019 5123 abb8 2332 663a 5547  AÀuA..Q#«¸#2f:UG
->   0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402  p.Dpôð.....´....
->
-> 01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
->   0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541  E..(.Â at ...4701...
->   0010: 41c0 7544 5123 0019 663a 5547 abb8 2333  AÀuDQ#..f:UG«¸#3
->   0020: 5010 16d0 4f55 0000 0000 0000 0000       P..ÐOU........
->
-> 01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P 1:107(106) ack 1 win 17520 (DF)
->   0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544  E...!ò at ...843...@.ªnAÀuD
->   0010: 41c0 7541 0019 5123 abb8 2333 663a 5547  AÀuA..Q#«¸#3f:UG
->   0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
->   0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
->   0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
->   0050: 6572                                     er
->
-> 01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6) ack 107 win 5734 (DF)
->   0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....Ã at ...4701...
->   0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  AÀuDQ#..f:UG«¸#.
->   0020: 5018 1666 a793 0000 5155 4954 0d0a       P..f§...QUIT..
->
-> 01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
->   0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544  E..(Z× at ...843...@...4702...
->   0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
->   0020: 5010 446a 214b 0000                      P.Dj!K..
->
-> 01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P 107:116(9) ack 7 win 17520 (DF)
->   0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y. at ...843...@.S'AÀuD
->   0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
->   0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
->   0030: 0a                                       .
->
-> 01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F 116:116(0) ack 7 win 17520 (DF)
->   0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544  E..(/ú at ...843...@..ÐAÀuD
->   0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d  AÀuA..Q#«¸#¦f:UM
->   0020: 5011 4470 213b 0000                      P.Dp!;..
->
-> 01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
->   0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541  E..(.Ä at ...4701...
->   0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
->   0020: 5010 165d 4f4e 0000 0000 0000 0000       P..]ON........
->
-> 01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0) ack 117 win 5725 (DF)
->   0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541  E..(.û at ...4703...
->   0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
->   0020: 5011 165d 4f4d 0000 0000 0000 0000       P..]OM........
->
-> 01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
->   0000: 4500 0028 66c1 4000 4006 6609 41c0 7544  E..(fÁ at ...843...@.f.AÀuD
->   0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e  AÀuA..Q#«¸#§f:UN
->   0020: 5010 4470 213a 0000                      P.Dp!:..
->
-> 01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R 1715098958:1715098958(0) win 0
->   0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541  E..(.ý....-ÍAÀuA
->   0010: 41c0 7544 5123 0019 663a 554e 663a 554e  AÀuDQ#..f:UNf:UN
->   0020: 5004 0000 798d 0000 0000 0000 0000       P...y.........
->
->
-> Please explain. Thanks.
->
->
->
-> neil camara (ronneilc at ...4042...) - cc{na|sa}, mcse - pgp 0x777777B2
-> network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
->         echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
->               awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
-> ------------------------------------------------------------------------
-> --=20
->                  ---o0 Statement of Confidentiality 0o---=20
-> The contents of this message and its attachments and subsequent
-> additions are=20
-> strictly confidential and proprietary and intended solely for the
-> addressee(s)=20
-> hereof.  If you are not the named addressee, or this message has been
-> addressed=20
-> to you in error, you are directed not to read, disclose, reproduce,
-> distribute,=20
-> disseminate or otherwise use thistransmission.  Delivery of=20
-> this message
-> to=20
-> any other person other than the intended recipient(s) is not=20
-> intended in
-> any=20
-> way to waive privilege or confidentiality.  If you have received this
-> transmis-=20
-> sion in error, please alert the sender by reply e-mail; we=20
-> also request
-> that=20
-> you immediately delete this message and its attachments, if any.=20
->=20
->=20
->=20
->=20
->=20
-> _______________________________________________
-> Snort-users mailing list
-> Snort-users at lists.sourceforge.net
-> Go to this URL to change user options or unsubscribe:
-> https://lists.sourceforge.net/lists/listinfo/snort-users
-> Snort-users list archive:
-> http://www.geocrawler.com/redir-sf.php3?list=ort-users
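As an added example, not code from anyone in the thread: a small Python decoder for the tcpdump hex dumps quoted above (the hex columns are copied from the post; the ASCII column is ignored) that pulls out endpoints, TCP flags and SMTP payload, notes when tcpdump's snaplen cut a packet short (the 220 greeting packet carries an IP total length of 146 bytes but only 82 were captured), and flags a flow that reads the greeting and sends nothing but QUIT with no HELO/EHLO, which is the pattern the original poster describes in his maillog.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: four packets copied from the tcpdump -x dump in the quoted
# post (client SYN, server 220 banner, client QUIT, server 221 Bye).
PACKETS = [
    """0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0
       0010: 41c0 7544 5123 0019 663a 5546 0000 0000  A.uD
       0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p...""",
    """0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544
       0010: 41c0 7541 0019 5123 abb8 2333 663a 5547
       0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
       0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
       0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
       0050: 6572                                     er""",
    """0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541
       0010: 41c0 7544 5123 0019 663a 5547 abb8 239d
       0020: 5018 1666 a793 0000 5155 4954 0d0a        P..f....QUIT..""",
    """0000: 4500 0031 799a 4000 4006 5327 41c0 7544
       0010: 41c0 7541 0019 5123 abb8 239d 663a 554d
       0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
       0030: 0a""",
]
TCP_FLAGS = ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"))  # tcpdump letters

def hexdump_to_bytes(dump):
    """Parse 'OFFSET: xxxx xxxx ...  ascii' lines; the ASCII column is dropped."""
    out = bytearray()
    for line in dump.splitlines():
        body = line.strip().split(":", 1)[1]            # strip the offset
        out += bytes.fromhex("".join(body.split("  ", 1)[0].split()))
    return bytes(out)

def decode(raw):
    """Endpoints, tcpdump-style flag letters and payload of one IPv4/TCP packet."""
    ihl, total_len = (raw[0] & 0x0F) * 4, struct.unpack("!H", raw[2:4])[0]
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff, flags = (raw[ihl + 12] >> 4) * 4, raw[ihl + 13]
    return {"src": f"{IPv4Address(raw[12:16])}:{sport}",
            "dst": f"{IPv4Address(raw[16:20])}:{dport}",
            "flags": "".join(n for bit, n in TCP_FLAGS if flags & bit) or ".",
            "truncated": len(raw) < total_len,   # snaplen cut the capture short
            "payload": raw[ihl + doff:].decode("ascii", "replace")}

def smtp_commands(packets):  # SMTP verbs sent towards port 25, in order
    return [p["payload"].split()[0].upper() for p in packets
            if p["dst"].endswith(":25") and p["payload"].strip()]

def is_banner_grab(packets):  # only read the 220 greeting, then QUIT: no HELO/EHLO
    return smtp_commands(packets) == ["QUIT"]
```

Run `[decode(hexdump_to_bytes(d)) for d in PACKETS]` to see the flow; the same check over a real capture gives a cheap way to separate greeting-only probes from mail that was actually attempted.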
