#
# SCAN OF THE WEEK #2 - 3 to 10 June
#
# Weekly contest to see who can determine which tool
# was used for this scan. All signatures were captured
# with snort (http://www.snort.org).
#
# The following signature is from the wild. Our friend probed
# my system for spam relay. He is building a database of systems
# that he can use as a spam relay. These are the people you are
# receiving spam from. Note the use of the automated tool (Spade).
# Anyone have the source for this?
#
# I have sanitized the domain name of my system, however everything
# else is valid, including the Source IP of the scan and the email
# accounts used. Keep your eyes open for signatures like this, they
# are most likely scanning your network also.
#
# Notice the return mail account this person is using. This is most
# likely valid, so the person can get the results.
#

220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 11 Jun 2000 11:27:42 -0500
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [211.54.114.180], pleased to meet you
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: woqjffirst@yahoo.com (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check
.
250 LAA14291 Message accepted for delivery
QUIT

ANSWER:
-------

A variety of you from the security community have contributed some great answers. Here is one, from Tim Macy at the Naval Surface Warfare Center. Thanks to Tim and everyone else who responded!

"Spade" is Sam Spade or http://www.samspade.org. You can use the online tools so nobody knows who you really are, or to check things from outside your network. The downloadable version for Windows was what that guy was using. It is a sweet set of tools that are great for troubleshooting network problems or evil. If you have a Windows box, download it and check it out; it is simple but so user friendly it's impressive.
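As an added example (not part of the original scan write-up or of Sam Spade), the following Python audits a captured SMTP session like the one above from the defender's side: it pairs each envelope command with the server's reply, calls the session an open relay only when a recipient outside the local domains gets 250 at RCPT TO and again after DATA, and flags the probe's fingerprints (a HELO using our own hostname, a "relay check" subject). The envelope addresses that the page lost are filled in with a placeholder.

```python
import re
# Constructed sample, modelled on the session captured above. The envelope addresses were lost
# from the page, so RCPT TO here is a placeholder: the prober's own external mailbox.
CAPTURED_SESSION = """\
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [211.54.114.180], pleased to meet you
MAIL FROM:<woqjffirst@yahoo.com>
RCPT TO:<woqjffirst@yahoo.com>
250 <woqjffirst@yahoo.com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: MAIL.EXAMPLE.COM relay check
.
250 LAA14291 Message accepted for delivery
"""

def _arg(line):  # command argument: the <addr> when bracketed, else the bare value
    m = re.search(r"<([^<>]*)>", line)
    return (m.group(1) if m else line.split(":" if ":" in line else None, 1)[-1]).strip().lower()

def parse_session(text):
    """Pair each envelope command with its reply code; read only Subject: from the DATA body."""
    s, pending, in_body = {}, None, False
    for line in text.splitlines():
        up = line.upper()
        if in_body:                                   # body runs until a line holding only "."
            in_body = line != "."
            if up.startswith("SUBJECT:"):
                s["subject"] = line.split(":", 1)[1].strip().lower()
        elif re.match(r"\d{3}[ -]", line):            # server reply to the pending command
            s[(pending or "banner") + "_code"] = code = int(line[:3])
            in_body = pending == "data" and code == 354
        elif up.startswith(("HELO ", "EHLO ", "MAIL FROM:", "RCPT TO:")):
            pending = "helo" if up[1:4] == "HLO" else up[:4].lower()   # helo / mail / rcpt
            s[pending] = _arg(line)
        elif up == "DATA":
            pending = "data"
    return s

def audit_session(text, local_domains):
    """(verdict, indicators): 'open-relay' only if an outside recipient passed RCPT TO and DATA."""
    s, local = parse_session(text), {d.lower().rstrip(".") for d in local_domains}
    hits = [tag for cond, tag in ((s.get("helo", "").rstrip(".") in local, "HELO claims our own host"),
                                  ("relay check" in s.get("subject", ""), "subject says relay check")) if cond]
    rcpt_domain = s["rcpt"].rsplit("@", 1)[-1].rstrip(".") if s.get("rcpt") else None
    if rcpt_domain is None or rcpt_domain in local:
        return "local-delivery", hits                  # our own user: not a relay attempt
    if s.get("rcpt_code") == 250 and s.get("data_code") == 250:
        return "open-relay", hits                      # relayed the probe for a stranger
    return "relay-refused", hits
```

Feeding it the session above with your own domains as `local_domains` yields "open-relay" plus both indicators; a 5xx reply at RCPT TO instead yields "relay-refused", which is the outcome a correctly configured Sendmail should produce.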