On Thu, 10 Jul 2003 12:33:54 +0900, alan premselaar wrote
> On 7/10/03 11:48 AM, "Mike Vanecek" <[EMAIL PROTECTED]> wrote:
>
> ...snip...
> >
> > [EMAIL PROTECTED] admin]$ whois uchuu.12inch.com
> > BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
> > Copyright 1999-2003 William E. Weinman
> > Request: uchuu.12inch.com
> > whois server for *.com is whois.crsnic.net ...
> > connected to whois.crsnic.net [198.41.3.54:43] ...
> >
> > No match for "UCHUU.12INCH.COM".
> >
>
> whois 12inch.com would have given you the appropriate information.
> (as 12inch.com is the domain, and uchuu is a particular host in the
> domain)

Yes, I missed that one, sorry.

[snip]
> I was sending mail in reply to one of your posts on the list. I typically
> use "Reply all" which will reply to the list and also send a copy directly
> to the sender. My mail logs only show it trying every 4 minutes,
> but even that is strange.

I suspect that what we are seeing is some form of syn requests from sendmail??
For example, I am now receiving the same sort of activity from another jp site:

Jul 9 09:00:34 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=61693 DF PROTO=TCP SPT=25 DPT=57653 WINDOW=10136 RES=0x00 ACK SYN URGP=0
Jul 9 09:00:37 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=61694 DF PROTO=TCP SPT=25 DPT=57653 WINDOW=10136 RES=0x00 ACK URGP=0
Jul 9 09:00:38 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=61695 DF PROTO=TCP SPT=25 DPT=57653 WINDOW=10136 RES=0x00 ACK SYN URGP=0
Jul 9 09:00:43 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=61696 DF PROTO=TCP SPT=25 DPT=57653 WINDOW=10136 RES=0x00 ACK URGP=0
....
Jul 10 08:55:44 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=34124 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK URGP=0
Jul 10 08:55:46 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=34125 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK SYN URGP=0
Jul 10 08:56:08 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=34126 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK URGP=0
Jul 10 08:56:12 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=34127 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK SYN URGP=0
Jul 10 08:56:56 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=34128 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK URGP=0
Jul 10 08:57:03 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=34129 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK SYN URGP=0
Jul 10 08:58:03 www kernel: Asia2 IN=eth0 OUT= MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=202.12.30.137 DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=238 ID=62547 DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 ACK SYN URGP=0

Notice it is from port 25 to a high numbered port and at a fairly high repeat
rate.

[EMAIL PROTECTED] admin]$ host 202.12.30.137
137.30.12.202.in-addr.arpa domain name pointer mx1.nic.ad.jp.

I guess this one is nic.ad.jp trying to tell me that the problem has stopped? I
think I will enable that ip address and see what happens.

> > The reason I posted it on this list was that I was wondering if it was some
> > form of DOS spam attack and that the people on this list would be the most
> > likely to have a heads up on such a situation.
>
> I'm glad you posted on the list, otherwise i wouldn't have known
> there was a problem.
>
> >
> >> should anyone have any suggestions as to why this might have
> >> happened, i'd be very interested in making sure it doesn't happen again.
> >
> > I do not use sendmail, so I cannot help you there.
>
> suggestions/comments from anyone else on the list will also be appreciated.
>
> alan

Thank you.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
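
Added example (not part of the original message or of any poster's code): a small Python parser for netfilter LOG lines like those quoted above, grouping them by flow and measuring the spacing of the repeated SYN-ACKs from port 25 that the post points out. The sample lines are rebuilt from the Jul 10 entries with some header fields omitted, the last sample line is constructed, and the "reply-like" label is a heuristic assumed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

KV = re.compile(r"(\w+)=(\S*)")
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Sample input: the Jul 10 entries from the post, rebuilt with MAC/TOS/TTL/ID omitted.
_T = ("Jul 10 {} www kernel: Asia2 IN=eth0 OUT= SRC=202.12.30.137 DST=192.168.1.95 "
      "LEN={} DF PROTO=TCP SPT=25 DPT=59292 WINDOW=10136 RES=0x00 {} URGP=0")
SAMPLE = [_T.format(*row) for row in [
    ("08:55:44", 52, "ACK"), ("08:55:46", 60, "ACK SYN"), ("08:56:08", 52, "ACK"),
    ("08:56:12", 60, "ACK SYN"), ("08:56:56", 52, "ACK"), ("08:57:03", 60, "ACK SYN"),
    ("08:58:03", 60, "ACK SYN")]]
# Constructed contrast line (documentation address): an inbound SYN to port 25.
SAMPLE.append("Jul 10 09:00:00 www kernel: Asia2 IN=eth0 OUT= SRC=203.0.113.7 "
              "DST=192.168.1.95 PROTO=TCP SPT=40000 DPT=25 RES=0x00 SYN URGP=0")

def parse(line, year=2003):
    """Return a dict for one netfilter LOG line, or None if it is not TCP."""
    fields = dict(KV.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    mon, day, clock = line.split()[:3]  # syslog omits the year; taken from the mail date
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    flags = {tok for tok in line.split("RES=", 1)[-1].split() if tok in FLAGS}
    return {"ts": ts, "flags": flags,
            "flow": (fields["SRC"], int(fields["SPT"]), fields["DST"], int(fields["DPT"]))}

def summarize(lines, ephemeral_from=1024):
    """Group logged packets by flow; count SYN-ACKs and the seconds between them."""
    flows = defaultdict(list)
    for pkt in filter(None, map(parse, lines)):
        flows[pkt["flow"]].append(pkt)
    report = {}
    for flow, pkts in flows.items():
        synacks = [p["ts"] for p in pkts if p["flags"] == {"SYN", "ACK"}]
        gaps = [int((b - a).total_seconds()) for a, b in zip(synacks, synacks[1:])]
        # Heuristic (assumption of this example): SYN-ACK from a low service port to
        # a high port looks like the answer to a connection opened from the DST host.
        reply_like = bool(synacks) and flow[1] < ephemeral_from <= flow[3]
        report[flow] = {"packets": len(pkts), "synacks": len(synacks), "gaps": gaps,
                        "verdict": "reply-like" if reply_like else "other"}
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

On the sample, the port 25 flow shows four SYN-ACKs spaced 26, 51 and 60 seconds apart.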