No damage has been done other than some denial of service. It looks to me
that they are intrusion attempts that are interfering with SMTP or maybe
they are just trying to deny us the use of SMTP. In either case, whenever
this IP address accesses our SMTP port, errors are generated and eventually
we lose SMTP. After which I have to cycle the firewall. Also, these
attempts are only occurring after hours. If it helps, the errors that we
see are "Error reading from 208.225.214.81. Conversation failure." Now,
we do see this error once in a while from other addresses, but they are
rare. When 208.225.214.81 comes up, we get many of these errors - usually
more than 15 of them. Normally, when we do see this error with another
address it only occurs once. I've checked with IBM for any new patches and
found that we are current on all our patches.
Thanks,
Lee Herbst
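The symptom Lee describes is a detectable pattern: a burst of "Conversation failure" errors from one source, all after hours. The following added script (not part of the thread, and not IBM SecureWay's own tooling) parses constructed log lines carrying the quoted error text, counts failures per source address, flags any source above the threshold of 15 the thread mentions, and notes whether the address sits in a special-purpose range, which is a cheaper first check than a whois. The timestamp layout, the 07:00 to 18:00 business day and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Error text quoted from the thread; the "YYYY-MM-DD HH:MM:SS" prefix is assumed.
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Error reading from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\. Conversation failure\.$"
)

def parse_failures(log_text):
    """Return (timestamp, source ip) for every conversation-failure line."""
    events = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return events

def is_after_hours(ts, day_start=7, day_end=18):
    """Assumed business day 07:00-18:00; anything outside it is after hours."""
    return ts.hour >= day_end or ts.hour < day_start

def summarize(events, threshold=15):
    """Per-source counts. A source is flagged when it exceeds `threshold`
    failures; after_hours is True only if every one of its hits was after
    hours; special_purpose marks addresses outside globally routable space."""
    per_ip = defaultdict(lambda: {"count": 0, "after_hours": True})
    for ts, ip in events:
        rec = per_ip[ip]
        rec["count"] += 1
        rec["after_hours"] = rec["after_hours"] and is_after_hours(ts)
    for ip, rec in per_ip.items():
        rec["special_purpose"] = not ipaddress.ip_address(ip).is_global
        rec["flagged"] = rec["count"] > threshold
    return dict(per_ip)

# Constructed sample: 16 night-time failures from the address in the thread and
# one daytime failure from a TEST-NET-1 documentation address.
SAMPLE_LOG = "\n".join(
    [f"2000-10-24 22:03:{i:02d} smtp: Error reading from 208.225.214.81. Conversation failure."
     for i in range(16)]
    + ["2000-10-24 14:10:05 smtp: Error reading from 192.0.2.7. Conversation failure.",
       "2000-10-24 22:03:20 smtp: connection closed"]
)

if __name__ == "__main__":
    for ip, rec in summarize(parse_failures(SAMPLE_LOG)).items():
        print(ip, rec)
```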
From: Richard Golodner <RGolodner@Aetea.com>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: Unidentifiable Host
Date: 10/25/00 08:51 AM
Lee, most likely the address you are getting has been spoofed meaning it is
not the actual address of the person visiting on your SMTP port. Is this
person doing any damage through that port? Or are you just seeing intrusion
attempts?
Sincerely, Richard Golodner
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 25, 2000 8:36 AM
To: [EMAIL PROTECTED]
Subject: Unidentifiable Host
We have been having problems with SMTP through our firewall lately. Going
through the logs, I have found a specific IP address associated with most
SMTP errors in the log. When I try to do a traceroute or a whois on this
IP address I get an unknown host or an unknown network. It seems to be an
unassigned IP address, one that doesn't belong to an assigned block. I
have specifically blocked this IP address and have turned on block invalid
originators (we are already blocking relays), but I don't know if these
things will stop whoever it is from accessing this port on our firewall and causing
us problems. Time will tell. My questions are, how can we track down the
user of this IP address? Is it even possible? How many unassigned blocks
exist? Any suggestions on protecting ourselves from these IP addresses?
Our firewall is IBM SecureWay Firewall 4.11 and the IP address in question
is 208.225.214.81 (just in case I was doing something wrong in looking up
the address).
Thanks,
Lee Herbst
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]