From owner-freebsd-security Tue Mar 4 11: 9:28 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C5FE937B401 for ; Tue, 4 Mar 2003 11:09:25 -0800 (PST)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 03B1A43F75 for ; Tue, 4 Mar 2003 11:09:24 -0800 (PST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.7) with ESMTP id h24J9NtB008821; Tue, 4 Mar 2003 14:09:23 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030304140532.04b305f0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Tue, 04 Mar 2003 14:13:59 -0500
To: Geoffrey
From: Mike Tancsa
Subject: Re: Checking for sendmail attacks (was Re: SA-03:04.sendmail Bin Update)
Cc: security@freebsd.org
In-Reply-To: <20030304134748.B7046-100000@iguana.reptiles.org>
References: <5.2.0.9.0.20030304124221.04e55460@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

210.157.1.15 is where the spam was coming from. I checked the actual message, and it's just plain old spam. Looking through past logs, we get lots of crap from that /24:

Feb 27 02:30:37 smtp1 sendmail[32992]: h1R7UZqj032992: from=, size=1351, class=0, nrcpts=1, msgid=<200302270730.QAA04061@cgi05.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi05.interq.net [210.157.1.6]
Feb 27 02:30:40 smtp1 sendmail[32994]: h1R7UZqj032992: to=, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30719, relay=spamscanner.sentex.ca. [64.7.128.115], dsn=2.0.0, stat=Sent (h1R7Ub5J048839 Message accepted for delivery)
smtp1#

It's probably just an open relay, or a spam-friendly network.... However, the way that they are formatting the spam seems to trigger the log message.

At 01:53 PM 04/03/2003 -0500, Geoffrey wrote:
> I've been seeing attempted traffic from 218.50.225.80 since 6 am
> est to my port 25 at 3 hr intervals. Other traffic from 218.50 (139, 111)
> suggests something else odd from that net is not cool.
>
> Have you been able to pick out an originating ip?

There are so many worms and people scanning, it's like cosmic background radiation. In fact, if there were not hits on those other ports (139, 111, 161, 80) against my network I would be more alarmed, as I would think my network had been black-holed....

---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
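The triage Mike describes, going back through the sendmail logs and grouping envelope receptions by the relay's /24 to see whether a source is a one-off or a persistent spam network, is easy to script. The following is an added example, not code from the thread or from FreeBSD; it assumes the sendmail 8.12-era log layout shown above (a queue id followed by comma-separated key=value pairs, with the peer's address in brackets inside the relay= value). The first two sample lines are the ones quoted in the message; the rest are constructed for this example and are not real traffic.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log. The first two lines are the entries quoted in the
# message above (addresses were already stripped in the archive); the others
# are invented for this example and do not describe real hosts or mail.
SAMPLE_LOG = """\
Feb 27 02:30:37 smtp1 sendmail[32992]: h1R7UZqj032992: from=, size=1351, class=0, nrcpts=1, msgid=<200302270730.QAA04061@cgi05.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi05.interq.net [210.157.1.6]
Feb 27 02:30:40 smtp1 sendmail[32994]: h1R7UZqj032992: to=, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=30719, relay=spamscanner.sentex.ca. [64.7.128.115], dsn=2.0.0, stat=Sent (h1R7Ub5J048839 Message accepted for delivery)
Feb 27 03:12:01 smtp1 sendmail[33100]: h1R8C1AB033100: from=, size=1402, class=0, nrcpts=1, msgid=<constructed-1@example.invalid>, proto=ESMTP, daemon=MTA, relay=[210.157.1.15]
Feb 27 03:12:02 smtp1 sendmail[33102]: h1R8C1AB033100: to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30770, relay=spamscanner.sentex.ca. [64.7.128.115], dsn=2.0.0, stat=Sent (h1R8C2xy049001 Message accepted for delivery)
Feb 27 04:05:44 smtp1 sendmail[33210]: h1R95iCD033210: from=, size=980, class=0, nrcpts=1, msgid=<constructed-2@example.invalid>, proto=ESMTP, daemon=MTA, relay=mail.example.invalid [192.0.2.10]
Feb 27 04:05:45 smtp1 sendmail[33212]: h1R95iCD033210: to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30350, relay=spamscanner.sentex.ca. [64.7.128.115], dsn=2.0.0, stat=Sent (h1R95jEF049120 Message accepted for delivery)
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# The peer address sendmail puts in brackets inside relay=...
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_line(line):
    """Return {'host', 'qid', 'fields'} for a sendmail log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for item in m.group("rest").split(", "):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value  # value may be empty, e.g. a stripped from=
    return {"host": m.group("host"), "qid": m.group("qid"), "fields": fields}


def relay_ip(fields):
    """Extract the bracketed IP from a relay= value; None for local submissions."""
    m = IP_RE.search(fields.get("relay", ""))
    return m.group(1) if m else None


def inbound_by_network(log_text, prefix=24):
    """Count envelope receptions (from= records) per /prefix of the sending relay.

    Only from= records are counted: the to= records carry the *next hop*
    (here the scanner box), not the origin of the mail.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "from" not in rec["fields"]:
            continue
        ip = relay_ip(rec["fields"])
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def deliveries_from_network(log_text, network):
    """Join from= and to= records on the queue id and list what happened to
    every message received from `network` as (qid, relay_ip, stat)."""
    net = ipaddress.ip_network(network)
    sources = {}
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if "from" in f:
            ip = relay_ip(f)
            if ip and ipaddress.ip_address(ip) in net:
                sources[rec["qid"]] = ip
        elif "to" in f and rec["qid"] in sources:
            results.append((rec["qid"], sources[rec["qid"]], f.get("stat", "")))
    return results


if __name__ == "__main__":
    for net, n in inbound_by_network(SAMPLE_LOG).most_common():
        print(f"{net:20s} {n} message(s) received")
    for qid, ip, stat in deliveries_from_network(SAMPLE_LOG, "210.157.1.0/24"):
        print(qid, ip, stat)
```

On a real box the same functions can be fed the output of `zcat /var/log/maillog.*.gz` (path assumed; adjust to the local syslog layout) to get the per-/24 history Mike is referring to, and the queue-id join shows whether the mail from a suspect network was actually accepted and passed on or rejected.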