
RE: [cobalt-security] Need some help on an Attack Alert and a response from the source please...



CL> Date: Tue, 10 Feb 2004 13:43:41 -0500
CL> From: Chuck Lewis


CL> Thanks. And I agree (about the upstream reporting) :-)

That's definitely the correct thing.  Many clueful bandwidth
providers put a fair amount of effort into security.

I also WOULD NOT run automated reactionary IP blocking unless
you _really_ understand what you're doing.  They're a great way
to shoot yourself in the foot, and frequently accomplish nothing
positive.


CL> But what does:
CL>
CL> " It seems somebody in our network have SOCKS proxy
CL> configured with your host"
CL>
CL> mean to you ? Is this just a diversion or what ?

SOCKS proxies often are not properly secured.  Perhaps the
network had an erroneous proxy configuration, or perhaps they
were scanning maliciously.  Maybe a machine had been infected and
was trojaned.

Your effort is best put into maintaining your system(s).  We
receive thousands of suspicious packets each day.  It just isn't
worth chasing down 99.99% of them.

PayPal/bank/ID phishing is another matter...


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
          DO NOT send mail to the following addresses :
  blacklist@xxxxxxxxx -or- alfra@xxxxxxxx -or- curbjmp@xxxxxxxx
Sending mail to spambait addresses is a great way to get blocked.