
Re: [cobalt-security] VRFY root [rejected]



RH> Date: Fri, 11 Apr 2003 14:22:44 +0200
RH> From: "Robbert Hamburg (HaVa Web- & Procesdesign)"


RH> I just received this in my portsentry details
RH>
RH> Apr 11 11:18:26 server4 sendmail[7129]: h3B9IKc07129:
RH> d033.dhcp212-198-107.noos.fr [212.198.107.33]: VRFY root [rejected]
RH> Apr 11 11:18:31 server4 sendmail[7130]: h3B9IQc07130:
RH> d033.dhcp212-198-107.noos.fr [212.198.107.33]: EXPN root [rejected]
RH>
RH> Can someone shed some light on this ??

Google search for

	SMTP VRFY
	SMTP EXPN

Someone is probing your system.  Funny that they're probing
"root", which sort of tends to exist on *ix boxen.  I consider
that more of an annoyance than a threat, especially when one has
VRFY and EXPN disabled; your logs indicate you do.

Now, will your IDS flag this message because it has both "smtp
vrfy" and "smtp expn" in it? ;-)  Seriously... when an IDS simply
watches traffic for patterns, that sometimes happens.

P.S. -- I'm surprised to see someone probing VRFY and EXPN.  I
disabled it on our systems from the start in 1997... do that
many people have it enabled?


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
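
Added example, not part of the original post: a log check that matches the structure of sendmail's rejected VRFY/EXPN records (the format quoted above) and groups them by source address, next to the keyword-only match that a pattern-watching IDS would make. Host names, addresses and the `mailfilter` program in the sample are constructed.

```python
import re
from collections import defaultdict

# Record layout follows the two log lines quoted in the post,
# with each syslog record on a single line.
PROBE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssendmail\[\d+\]:\s\w+:\s"
    r"(?P<host>\S+)\s\[(?P<ip>[\d.]+)\]:\s"
    r"(?P<cmd>VRFY|EXPN)\s(?P<arg>\S+)\s\[rejected\]$"
)

# Constructed sample input (documentation address ranges, hypothetical hosts).
SAMPLE_LOG = """\
Apr 11 11:18:26 mx1 sendmail[7129]: h3B9IKc07129: host1.example.net [192.0.2.33]: VRFY root [rejected]
Apr 11 11:18:31 mx1 sendmail[7130]: h3B9IQc07130: host1.example.net [192.0.2.33]: EXPN root [rejected]
Apr 11 11:19:02 mx1 sendmail[7140]: h3B9J2c07140: from=<a@example.org>, size=812, nrcpts=1, relay=host2.example.net [198.51.100.9]
Apr 11 11:19:40 mx1 sendmail[7151]: h3B9Jec07151: host3.example.net [198.51.100.7]: VRFY postmaster [rejected]
Apr 11 11:20:10 mx1 mailfilter[7200]: note: message body mentions smtp vrfy and smtp expn
"""


def find_probes(log_text):
    """Return {source_ip: [(command, argument), ...]} for rejected probes."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = PROBE_RE.match(line.strip())
        if m:
            probes[m["ip"]].append((m["cmd"], m["arg"]))
    return dict(probes)


def naive_hits(log_text):
    """Keyword-only match: also fires on text that merely mentions the commands."""
    return [l for l in log_text.splitlines() if re.search(r"vrfy|expn", l, re.I)]


if __name__ == "__main__":
    for ip, attempts in find_probes(SAMPLE_LOG).items():
        print(ip, attempts)
    print("keyword-only hits:", len(naive_hits(SAMPLE_LOG)))
```

The structured match reports three probes from two sources; the keyword match reports four lines because it also counts the record that only mentions the command names.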