Internet Security Systems

SMTP port probe

advICE : Intrusions : 2003003
Summary

Someone is scanning the system to see if it supports the SMTP mail transfer service.

Details

SMTP (Simple Mail Transfer Protocol) is the protocol used to transfer mail on the Internet. If you look in your own e-mail program, you will see configuration settings that tell it to send e-mail to your ISP using SMTP.

However, while you normally just run an SMTP "client" (Netscape, Outlook, Eudora, etc.), it is also possible to set up your own SMTP server on your own machine. The problem with SMTP servers, though, is that they are often confused about the difference between "incoming" and "outgoing" e-mail. Thus, if somebody were to send your system e-mail destined for "foo@example.com", your e-mail server would accept the e-mail and then immediately forward it outbound to "example.com".

While this seems innocent, it is actually one of the biggest problems on the Internet. The reason is that spammers are scanning the Internet for misconfigured SMTP servers that they can forward their e-mail through. They do this for two reasons. The first is that they can "anonymize" their connections (hide their tracks): as far as recipients are concerned, the spam came from your computer, not from the spammer. Second, and more importantly, spammers send your server a single e-mail destined for hundreds of recipients. Your own server then breaks down the recipient list and sends them the e-mail one by one. This allows the user of a slow link (like a dial-up) to send out megabytes' worth of spam through your fast connection.

In other words, this intrusion event likely indicates a spammer who is scanning your system to see if they can forward spam through it. Note that these people are scanning millions of systems, not just yours.

False Positives

If you intend for your system to support SMTP, then this indicates that the connection could not be completed for some reason. If you are getting many such events, then it probably indicates that your SMTP server is down or overloaded. Otherwise, you will occasionally get this message due to a problem on the client end (the person sending you e-mail).

Defense

There is no defense against being spammed, but if you set up an SMTP server, make sure that the "relaying" feature is turned off. Otherwise, you will eventually be identified as a "spammer-friendly" site and be "blackholed": prevented from accessing many areas of the Internet.
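The "relaying turned off" rule above comes down to one decision the server makes on every RCPT TO: is this message inbound (addressed to a domain we host) or outbound from someone we trust? The following is an added example, not ISS's or any mail server's own code; it models that relay decision in Python and walks a constructed SMTP command stream through it. The local domain, the trusted network and the client addresses are all assumptions chosen for the illustration.

```python
import ipaddress

# Assumptions for the illustration: the domain this server is the final hop for,
# and the network (our own LAN) whose hosts may send mail outbound through us.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def relay_allowed(client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """Decide whether one RCPT TO may be accepted.

    Inbound mail (recipient in a domain we host) is always accepted.
    Outbound mail (any other recipient) is accepted only from clients that
    authenticated or that sit on our own network. Everything else is a relay
    attempt and is refused: this is the "incoming vs. outgoing" distinction
    that an open relay gets wrong.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True
    if authenticated:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def process_session(client_ip: str, authenticated: bool, lines):
    """Walk a simplified SMTP command stream; return (recipient, reply) per RCPT TO."""
    replies = []
    for line in lines:
        verb, _, arg = line.partition(":")
        if verb.strip().upper() != "RCPT TO":
            continue  # MAIL FROM, DATA, etc. carry no relay decision here
        rcpt = arg.strip().strip("<>")
        if relay_allowed(client_ip, authenticated, rcpt):
            replies.append((rcpt, "250 OK"))
        else:
            replies.append((rcpt, "554 5.7.1 Relay access denied"))
    return replies


# Constructed sample session: an unknown Internet host hands us one message
# addressed to two outside recipients and one local one.
SPAMMER_SESSION = [
    "MAIL FROM:<anyone@somewhere.invalid>",
    "RCPT TO:<victim1@other.example>",
    "RCPT TO:<victim2@other.example>",
    "RCPT TO:<postmaster@example.com>",
]

if __name__ == "__main__":
    for rcpt, reply in process_session("198.51.100.7", False, SPAMMER_SESSION):
        print(f"{rcpt:30} {reply}")
```

The two outside recipients are refused and only the local one is accepted, which is exactly what a correctly configured server answers a relay scan with.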

More information

spam countermeasures: This section describes measures you can take against spammers.
SMTP exploits: The intruder could be scanning for an SMTP service they can exploit. This section describes the many ways that SMTP servers can be broken into.
TCP port probe: This section describes more about the symptom of somebody probing ports on your system.

Parametric information

port: This indicates the TCP port that was probed.
reason: The reason for the port probe.
    Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
    RSTsent: the incoming TCP SYN frame was rejected by the computer.
    ICMPsent: the incoming UDP frame was rejected by the computer.
    NOanswer: there was no response to the incoming SYN frame.

Version appeared: 2.5 