[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-security] Should I worry

Subject: RE: [cobalt-security] Should I worry
From: "Mark Carey" <mark.carey@xxxxxxx>
Date: Wed, 12 Dec 2001 10:51:42 -0500
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hello all,
  
   this looks like someone may have a broken mail server.  It's also
possible, though not probable, that they have been "hacked".  I would
recommend calling their coordinator:

	Jeff Fostek (jfostek@xxxxxxxxxx)
	or by phone at 757-490-7300 (US Number)

This information is publicly available through the whois service.  You
might want to include an e-mail to the coordinator with a sample of the
logs.

   Hope this helps, 
   Mark.

P.S. The other message on this thread was an active monitor status
checking mechanism on the Qube/Raq.  It checks the status of various
applications every 15 minutes and alerts the admin if the application is
not on-line.


-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Michael
Stauber
Sent: Wednesday, December 12, 2001 9:54 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Should I worry


Hi Audric,

> During the last few days I got hundreds of these:
> 
> Dec 12 09:04:08 qube3 sendmail[20950]: NOQUEUE: mrh.rcmail.com 
> [216.54.1.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to 
> MTA
> 
> should I worry.

Jepp. Could be that someone connected manually to your sendmail port and
is/was trying to trick it into doing bad stuff. 

You can test it out by using "telnet <your.ip.address> 25". Sendmail
will then greet you and expects to talk to a mail programm or other mail
server. You can basically send emails that way by just typing the
commands that Sendmail expects during a normal mail connection, or by
letting a script generate them. 

The error message above (did not issue MAIL/EXPN/VRFY/ETRN) tells us
that the connecting party got past the initial "HELO" greeting, but then
didn't behave as sendmail expected.

> Meanwhile I changed the default rule of my firewall from accept to 
> deny.

Sounds like a good idea. You could of course block this IP-address or
the entire address range of the originating ISP instead.

-- 
With best regards,

Michael Stauber
SOLARSPEED.NET
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security

References:
- Re: [cobalt-security] Should I worry
  - From: Michael Stauber

Prev by Date: Re: [cobalt-security] Should I worry
Next by Date: Re: [cobalt-security] Should I worry
Previous by thread: Re: [cobalt-security] Should I worry
Next by thread: Re: [cobalt-security] Should I worry

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index