From owner-freebsd-security@FreeBSD.ORG  Tue Sep  9 13:23:06 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9A43016A4BF; Tue,  9 Sep 2003 13:23:06 -0700 (PDT)
Received: from smtpout.mac.com (A17-250-248-87.apple.com [17.250.248.87])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id E25B543FA3; Tue,  9 Sep 2003 13:23:05 -0700 (PDT)
	(envelope-from lomion@mac.com)
Received: from mac.com (smtpin07-en2 [10.13.10.152])
	by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id h89KN55u022266;
	Tue, 9 Sep 2003 13:23:05 -0700 (PDT)
Received: from mac.com ([67.98.154.9])
	(authenticated bits=0)
	by mac.com (Xserve/8.12.9/MantshX 2.0) with ESMTP id h89KN1wq004977;
	Tue, 9 Sep 2003 13:23:03 -0700 (PDT)
Date: Tue, 9 Sep 2003 16:23:02 -0400
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
To: Randy Bush <randy@psg.com>
From: Lawrence Sica <lomion@mac.com>
In-Reply-To: <E19wkNI-000BVo-Hp@ran.psg.com>
Message-Id: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
cc: freebsd-security@freebsd.org
Subject: Re: is one of my hosts a scanner?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2003 20:23:06 -0000


On Tuesday, September 9, 2003, at 11:25  AM, Randy Bush wrote:

>>> seq     my host                       victim(s)
>>> ---     ----------------              ---------------
>>> 24)     192.168.0.2:1121    <-->      216.52.3.2:2703
>>> 25)     192.168.0.2:1122    <-->      216.52.3.4:2703
>>> 39)     192.168.0.2:1124    <-->      216.52.3.2:2703
>>
>> Those hosts are at cloudmark.com, which gets used by
>> spamassassin (or some part of it).  Port 2703 is Razor2
>> <http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_recurse=1&file=16> - so
>> that fits as well.
>
> <doh!>  thanks.
>
> so tell me, why does the iana think port 2703 is sms-chat?  i.e.,
> why is the port used by razor2 not properly registered as a well
> known port?
>



Maybe razor2 is using the port without checking if it was already 
assigned for sms-chat?
IANA doesn't automagically know who uses what port unless someone tells 
them I thought.

--Larry