RE: [cobalt-security] Should I worry
- Subject: RE: [cobalt-security] Should I worry
- From: "Mark Carey" <mark.carey@xxxxxxx>
- Date: Wed, 12 Dec 2001 10:51:42 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hello all,
This looks like someone may have a broken mail server. It's also
possible, though not probable, that they have been "hacked". I would
recommend calling their coordinator:
Jeff Fostek (jfostek@xxxxxxxxxx)
or by phone at 757-490-7300 (US Number)
This information is publicly available through the whois service. You
might want to include an e-mail to the coordinator with a sample of the
logs.
Hope this helps,
Mark.
P.S. The other message on this thread was an active monitor status
checking mechanism on the Qube/Raq. It checks the status of various
applications every 15 minutes and alerts the admin if the application is
not on-line.
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Michael
Stauber
Sent: Wednesday, December 12, 2001 9:54 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Should I worry
Hi Audric,
> During the last few days I got hundreds of these:
>
> Dec 12 09:04:08 qube3 sendmail[20950]: NOQUEUE: mrh.rcmail.com
> [216.54.1.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to
> MTA
>
> should I worry.
Jepp. Could be that someone connected manually to your sendmail port and
is/was trying to trick it into doing bad stuff.
You can test it out by using "telnet <your.ip.address> 25". Sendmail
will then greet you and expects to talk to a mail program or other mail
server. You can basically send emails that way by just typing the
commands that Sendmail expects during a normal mail connection, or by
letting a script generate them.
The error message above (did not issue MAIL/EXPN/VRFY/ETRN) tells us
that the connecting party got past the initial "HELO" greeting, but then
didn't behave as sendmail expected.
> Meanwhile I changed the default rule of my firewall from accept to
> deny.
Sounds like a good idea. You could of course block this IP-address or
the entire address range of the originating ISP instead.
--
With best regards,
Michael Stauber
SOLARSPEED.NET
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
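
Added example, not part of the original thread: a small Python script that counts the "did not issue MAIL/EXPN/VRFY/ETRN" entries discussed above per connecting address, so a log sample sent to the remote coordinator or a firewall decision can be based on actual volume. The log lines, hostnames and addresses are constructed placeholders, and the function names and threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format quoted in the thread.
# Hostnames and addresses are documentation placeholders, not real log data.
SAMPLE_LOG = """\
Dec 12 09:04:08 qube3 sendmail[20950]: NOQUEUE: mx.example.net [192.0.2.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 12 09:04:31 qube3 sendmail[20961]: NOQUEUE: mx.example.net [192.0.2.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 12 09:05:02 qube3 sendmail[20977]: fBCE52x20977: from=<a@example.org>, size=812, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
Dec 12 09:06:40 qube3 sendmail[20990]: NOQUEUE: [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 12 09:07:15 qube3 sendmail[21002]: NOQUEUE: mx.example.net [192.0.2.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# The peer is logged as "host [ip]", or as "[ip]" alone when the address
# has no reverse DNS name. This pattern handles IPv4 peers only.
PATTERN = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: (?:(?P<host>\S+) )?\[(?P<ip>[\d.]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to \S+"
)


def idle_connections(log_text):
    """Return (Counter of hits per IP, dict of IP -> last seen hostname)."""
    counts = Counter()
    names = {}
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if match:
            counts[match["ip"]] += 1
            if match["host"]:
                names[match["ip"]] = match["host"]
    return counts, names


def flag(log_text, threshold):
    """List (ip, hostname, hits) for peers at or above the threshold."""
    counts, names = idle_connections(log_text)
    return [
        (ip, names.get(ip, "unknown"), hits)
        for ip, hits in counts.most_common()
        if hits >= threshold
    ]


if __name__ == "__main__":
    for ip, host, hits in flag(SAMPLE_LOG, threshold=3):
        print(f"{ip} ({host}): {hits} connections without a mail transaction")
```

On a live system, pass the contents of the sendmail log file to `flag()` instead of `SAMPLE_LOG`.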