On 5 Mar 2001, Dominic Mitchell wrote:
>
> Ok,
>
> I know that I am asking many small questions ... I am seeing this
> since I have installed the firewall as I have put maximum
> logging. The address 207.253.63 is using port 110 (pop3). Could
> they be using my computer as a relay for spam?
>
> Mar 5 03:00:06 rlevesque kernel: Packet log: input ACCEPT eth0
> PROTO=6 207.253.6.3:110 24.203.96.163:1091 L=60 S=0x00 I=55621
> F=0x4000 T=57 (#2)
>
> Mar 5 03:00:06 rlevesque kernel: Packet log: input ACCEPT eth0
> PROTO=6 207.253.6.3:110 24.203.96.163:1091 L=149 S=0x00 I=55636
> F=0x4000 T=57 (#2)
>
> Mar 5 03:00:06 rlevesque kernel: Packet log: input ACCEPT eth0
> PROTO=6 207.253.6.3:110 24.203.96.163:1091 L=88 S=0x00 I=55637
> F=0x4000 T=57 (#2)
>
> whois returns
>
> NS2.OP-PLUS.NET
> NS1.OP-PLUS.NET
> NS1.WEBDENT.COM
> NAME2.WEBARCHITECTPRO.COM
> NAME1.WEBARCHITECTPRO.COM
>
> This all points to www.networksolutions.com which is a web hosting
> service ... Thus two web hosting services are in my logs --- the
> other one being www.opensrs.org. I think I should be very
> suspicious.
>
> Thanks
>
It looks like someone is retrieving mail from 207.253.6.3. The port
numbers tell you a lot. The connection is from the pop3 port on
207.253.6.3 to an unprivileged port on 24.203.96.163. Is someone on
your network getting mail using Fetchmail, or something like Netscape,
from a site outside your network?

One thing to keep in mind: input rule messages will show the IP of your
firewall as the destination address when they come from the internet.
This is because they have not hit the masquerading rules yet.

Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
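
Added example, not part of the original message: a small Python parser for the ipchains `Packet log:` lines quoted above that applies the port-number reasoning from the reply to input-chain entries. The service table, the function names, and the second sample line (built with a documentation address) are assumptions made for illustration.

```python
import re

# ipchains "Packet log:" layout: chain, target, interface, protocol number,
# source ip:port, destination ip:port, then length/TOS/ID/frag/TTL and rule.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+)"
)
SERVICES = {25: "smtp", 110: "pop3"}  # assumption: extend for your network
PRIVILEGED_MAX = 1023                 # ports above this are unprivileged

SAMPLE = [
    # First log entry from the quoted message, re-joined onto one line.
    "Mar 5 03:00:06 rlevesque kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "207.253.6.3:110 24.203.96.163:1091 L=60 S=0x00 I=55621 F=0x4000 T=57 (#2)",
    # Constructed contrast case: an outside host reaching a local SMTP port.
    "Mar 5 03:00:07 rlevesque kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "192.0.2.10:40000 24.203.96.163:25 L=60 S=0x00 I=1 F=0x4000 T=57 (#2)",
]

def parse(line):
    """Return the fields of one packet log line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Infer who is the server from which side uses a privileged port."""
    sport, dport = rec["sport"], rec["dport"]
    if sport <= PRIVILEGED_MAX < dport:
        name = SERVICES.get(sport, "port %d" % sport)
        return "reply from remote %s server to a local client" % name
    if dport <= PRIVILEGED_MAX < sport:
        name = SERVICES.get(dport, "port %d" % dport)
        return "remote client connecting to local %s service" % name
    return "undetermined"

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse(line)
        print(rec["src"], "->", rec["dst"], ":", classify(rec))
```

Entries of the second kind, with a local mail port as the destination, are the ones to review when checking whether outside hosts are reaching a mail service on the machine.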