I was doing some review of my logs and stumbled upon a series of entries
that has me baffled. Here is the log segment:
17:06:18 5 SMTP-947([64.242.11.10]) OT 125 of 125 bytes sent, Flags=0
17:06:18 5 SMTP-947([64.242.11.10]) *Status=22
17:06:18 5 SMTP-947([64.242.11.10]) Received 23 bytes
17:06:18 4 SMTP-947([64.242.11.10]) Input Line: EHLO idfanet.idfa.org\r
17:06:18 5 SMTP-947([64.242.11.10]) *Status=21
17:06:18 4 SMTP-947(idfanet.idfa.org) Looking for idfanet.idfa.org
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 250-bigbrother.pecandeluxe.com is pleased to meet you\r\n250-HELP\r\n250-ETRN\r\n250-AUTH=LOGIN\r\n250-AUTH LOGIN PLAIN CRAM-MD5\r\n250 EHLO\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 132 of 132 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=22
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 149 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: AUTH LOGIN Y25cM0RtYWlsLWlkZmFuZXQuaWRmYS5vcmdcMkNcMjBjblwzRGlkZmFuZXQuaWRmYS5vcmdcMkNcMjBvdVwzRE5ldHNjYXBlXDIwU2VydmVyc1wyQ1wyMG9cM0RpZGZhLm9yZw==\r
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=35
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 'Password:'
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 18 of 18 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 18 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=36
17:06:19 0 SYSTEM Account {cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} Resources open failed. Error Code=-43
17:06:19 1 SMTP {cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong. Connection from [64.242.11.10:4461]
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 535 authentication failed\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 27 of 27 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=22
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 33 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: MAIL FROM:<[EMAIL PROTECTED]>\r
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=25
17:06:19 5 SYSTEM {S.0000278177} in work, ref=742, nFresh=4
17:06:19 5 ROUTER Input: newsupdate(idfa.org)
17:06:19 5 ROUTER Parser: [EMAIL PROTECTED] -> newsupdate(idfa.org)
17:06:19 5 SMTP-947(idfanet.idfa.org) *Status=26
17:06:20 4 SMTP-947(idfanet.idfa.org) Sending 250 <[EMAIL PROTECTED]> sender accepted\r\n
17:06:20 5 SMTP-947(idfanet.idfa.org) OT 43 of 43 bytes sent, Flags=0
17:06:20 5 SMTP-947(idfanet.idfa.org) *Status=23
17:06:20 5 SMTP-947(idfanet.idfa.org) Received 39 bytes
17:06:20 4 SMTP-947(idfanet.idfa.org) Input Line: RCPT TO:<[EMAIL PROTECTED]>\r
It appears that the message from idfa.org is somehow trying to "log in"
to my SIMS server. Is that what it is doing? If so, why? Is their system
"infected" with some sort of "probing" virus that is trying to find a
legitimate log-in? Should I be concerned? Should I alert idfa.org? (IDFA
is a trade organization with whom we do have a business relationship; I
expect mail from them, so it's not SPAM or anything like that.)
TIA,
================================================
| Doug Starkey |
| Network Administrator |
| Pecan Deluxe Candy Company |
| 2570 Lone Star Drive |
| Dallas, TX 75212-6308 |
| e-mail: [EMAIL PROTECTED] |
| voice: 214-631-3669 Ext. 108 |
| fax: 214-631-5833 |
================================================
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
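The following is an added example and is not part of Doug's post or of SIMS itself: a small Python parser that walks the session lines he quoted, decodes the argument of the AUTH LOGIN command, and pairs the server's own "AUTH failed" line with the session by remote IP. The line patterns are inferred only from the lines quoted above (an assumption about the SIMS log format), and the report field names are mine. Base64-decoding the AUTH LOGIN argument yields exactly the escaped name SIMS prints in braces on the failure line, and unescaping \3D, \2C and \20 turns it into a directory-style DN ending in ou=Netscape Servers, o=idfa.org, so the remote host presented a directory entry as its username rather than a mailbox name. The parser also flags that SIMS wrote the rejected password into the log in clear, which matters if the log is forwarded or shared.

```python
import base64
import binascii
import re

# Constructed sample: the SMTP-947 session lines quoted in the post, with the
# lines the mail client wrapped joined back onto one line each. Addresses the
# archive redacted are omitted; everything else is verbatim.
SAMPLE_LOG = r"""
17:06:18 4 SMTP-947([64.242.11.10]) Input Line: EHLO idfanet.idfa.org\r
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 250-bigbrother.pecandeluxe.com is pleased to meet you\r\n250-HELP\r\n250-ETRN\r\n250-AUTH=LOGIN\r\n250-AUTH LOGIN PLAIN CRAM-MD5\r\n250 EHLO\r\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: AUTH LOGIN Y25cM0RtYWlsLWlkZmFuZXQuaWRmYS5vcmdcMkNcMjBjblwzRGlkZmFuZXQuaWRmYS5vcmdcMkNcMjBvdVwzRE5ldHNjYXBlXDIwU2VydmVyc1wyQ1wyMG9cM0RpZGZhLm9yZw==\r
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
17:06:19 1 SMTP {cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong. Connection from [64.242.11.10:4461]
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 535 authentication failed\r\n
"""

# Line shapes are inferred from the quoted log only (assumption: SIMS keeps
# them stable). The trailing "\r" in the log is two literal characters.
SESSION_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\d) (SMTP-\d+)\(([^)]*)\) (.*)$")
INPUT_RE = re.compile(r"^Input Line: (.*?)(?:\\r)?$")
REPLY_RE = re.compile(r"^Sending (\d{3})[ -]")
AUTH_FAIL_RE = re.compile(
    r"^\S+ \d SMTP \{([^}]*)\} AUTH failed: (.*?) Connection from \[([\d.]+):\d+\]$")
HEX_ESCAPE_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_hex(s):
    # SIMS prints '=' ',' and ' ' inside an account name as \3D \2C \20.
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_auth_login_username(token):
    # AUTH LOGIN carries the username base64-encoded; undo that, then the escapes.
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable base64>"
    return unescape_hex(raw)


def looks_like_ldap_dn(name):
    # 'attr=value, attr=value, ...' is the shape of a directory DN, not a mailbox.
    return re.fullmatch(r"\w+=[^,]+(,\s*\w+=[^,]+)*", name) is not None


def parse_sims_auth(log_text):
    """One record per SMTP session that issued AUTH, with the server's own
    'AUTH failed' lines matched back to the session by remote IP."""
    sessions, failures_by_ip = {}, {}
    for line in log_text.splitlines():
        fail = AUTH_FAIL_RE.match(line)
        if fail:
            account, reason, ip = fail.groups()
            failures_by_ip.setdefault(ip, []).append({
                "account": unescape_hex(account),
                # SIMS wrote the rejected password into the log; note the fact
                # without copying the value into the report.
                "password_logged_in_clear": reason.startswith("password("),
            })
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue
        ts, _level, sid, peer, msg = m.groups()
        s = sessions.setdefault(sid, {
            "session": sid, "time": ts, "remote_ip": None, "ehlo": None,
            "auth_mechanism": None, "auth_user": None, "auth_result": None})
        if peer.startswith("[") and peer.endswith("]"):
            s["remote_ip"] = peer[1:-1]  # before EHLO the peer is shown as [ip]
        inp = INPUT_RE.match(msg)
        if inp:
            parts = inp.group(1).split(None, 2)
            if len(parts) >= 2 and parts[0].upper() == "EHLO":
                s["ehlo"] = parts[1]
            elif len(parts) >= 2 and parts[0].upper() == "AUTH":
                s["auth_mechanism"] = parts[1].upper()
                if len(parts) == 3 and s["auth_mechanism"] == "LOGIN":
                    s["auth_user"] = decode_auth_login_username(parts[2])
            continue
        reply = REPLY_RE.match(msg)
        if reply and s["auth_mechanism"]:  # 235 = accepted, 535 = rejected
            s["auth_result"] = {"235": "accepted", "535": "rejected"}.get(
                reply.group(1), s["auth_result"])
    report = []
    for s in sessions.values():
        if s["auth_mechanism"] is None:
            continue
        fails = failures_by_ip.get(s["remote_ip"], [])
        s["failures_from_ip"] = len(fails)
        s["password_logged_in_clear"] = any(f["password_logged_in_clear"] for f in fails)
        s["auth_user_is_ldap_dn"] = looks_like_ldap_dn(s["auth_user"] or "")
        report.append(s)
    return report


if __name__ == "__main__":
    for rec in parse_sims_auth(SAMPLE_LOG):
        for key, value in rec.items():
            print(f"{key:>24}: {value}")
```

Run as-is it prints the one session in the sample: remote_ip 64.242.11.10, EHLO idfanet.idfa.org, mechanism LOGIN, the decoded DN as auth_user, result rejected, one failure from that IP. Pointed at a full day's log, failures_from_ip per session is the number to watch for repeated attempts from one address, and password_logged_in_clear tells you whether that log file needs to be treated as sensitive before it is shared.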