Hi all,
The last few days i'm getting mass spam messages from a server called smarty.dreamhost.com IDS comes with the message:
2005:07:12-15:52:57 (none) snort[855]: [1:1549:0] D SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {PROTO006} 66.33.216.24:40189 -> 172.16.77.77:25
2005:07:12-15:53:29 (none) snort[855]: [1:1549:0] D SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {PROTO006} 66.33.216.24:40189 -> 172.16.77.77:25
2005:07:12-15:54:32 (none) snort[855]: [1:1549:0] D SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {PROTO006} 66.33.216.24:40189 -> 172.16.77.77:25
2005:07:12-15:56:32 (none) snort[855]: [1:1549:0] D SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {PROTO006} 66.33.216.24:40189 -> 172.16.77.77:25
So to get ride of this i add a block rule on 66.33.216.24 Normally that's enough but not this time. It looks as if this joker is not blocked at all. When i add the 'log' feature to the rule there is nothing in the log so i think that because of the fact that i'm running a smtp proxy this rule is ignored by the packet filter rules. Am i right? I always thought that the first thing that checks a packet is the packet filter followed by the services behind but i'm not so sure anymore [:S]
Regards,
Jan
This thread was automatically locked due to age.
