Date: Tue, 9 Sep 2003 09:13:09 +0100
From: Ben Smithurst
To: Randy Bush
cc: freebsd-security@freebsd.org
Subject: Re: is one of my hosts a scanner?
Message-ID: <20030909081309.GA22828@strontium.bh.smithurst.org>

Randy Bush wrote:

> seq  my host                victim(s)
> ---  ----------------       ---------------
> 24)  192.168.0.2:1121  <--> 216.52.3.2:2703
> 25)  192.168.0.2:1122  <--> 216.52.3.4:2703
> 39)  192.168.0.2:1124  <--> 216.52.3.2:2703

Those hosts are at cloudmark.com, which gets used by spamassassin (or
some part of it). Port 2703 is Razor2 - so that fits as well. Unless
you're not using spamassassin or razor2 or something similar, don't
think there's anything to worry about...

Do the times of the probes match up with times when mail is received?

-- 
Ben Smithurst / ben@FreeBSD.org
FreeBSD: The Power To Serve http://www.FreeBSD.org/
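
The timing check asked about in the message above, as an added example that is not part of the original post: it flags port-2703 connections that do not follow a mail receipt within a short window. The timestamps, both log formats, the 30-second window and all function names are assumptions made for illustration.

```python
import re
from bisect import bisect_right
from datetime import datetime

RAZOR2_PORT = 2703  # Razor2 port named in the message above
TS = "%Y-%m-%d %H:%M:%S"
CONN_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) <--> (\S+):(\d+)\s*$")

# Constructed sample data: the connection lines reuse the quoted table layout
# with an assumed timestamp prepended; the mail lines are a simplified,
# hypothetical receipt log, not a real MTA format.
CONNS = """\
2003-09-09 08:01:03 192.168.0.2:1121 <--> 216.52.3.2:2703
2003-09-09 08:01:04 192.168.0.2:1122 <--> 216.52.3.4:2703
2003-09-09 08:40:00 192.168.0.2:1124 <--> 216.52.3.2:2703
"""
MAIL = """\
2003-09-09 08:01:01 received msg=A1
2003-09-09 08:01:02 received msg=A2
2003-09-09 08:20:15 received msg=A3
"""

def parse_mail_times(text):
    """Sorted receipt timestamps from the mail log."""
    return sorted(datetime.strptime(l[:19], TS) for l in text.splitlines() if l.strip())

def correlate(conn_text, mail_text, window_s=30):
    """Pair each port-2703 connection with the seconds elapsed since the latest
    mail receipt before it, or None when that exceeds window_s (assumed value)."""
    mails = parse_mail_times(mail_text)
    out = []
    for line in conn_text.splitlines():
        m = CONN_RE.match(line)
        if not m or int(m.group(5)) != RAZOR2_PORT:
            continue  # unparsable line or a different destination port
        t = datetime.strptime(m.group(1), TS)
        i = bisect_right(mails, t)  # mails[i-1] is the latest receipt <= t
        lag = (t - mails[i - 1]).total_seconds() if i else None
        out.append((line, lag if lag is not None and lag <= window_s else None))
    return out

def unexplained(conn_text, mail_text, window_s=30):
    """Connections with no mail receipt in the preceding window."""
    return [c for c, lag in correlate(conn_text, mail_text, window_s) if lag is None]

if __name__ == "__main__":
    for conn, lag in correlate(CONNS, MAIL):
        print(("no mail nearby" if lag is None else "mail %.0fs before" % lag), "|", conn)
```

Connections returned by `unexplained` are the ones worth a closer look; the rest line up with mail arrivals, as the Razor2 explanation would predict.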