Timing was my first reaction, but this whole thing may not be a good
idea anyway.  If you cannot stop the TCP connection establishment, then
blocking further access is pretty futile.  Anyone who can telnet to you
could also put up an SMTP server of their own or script a session.  I
think that refusal of connections on mailservers is generally at the
application layer based on source IP address, by address range and/or
DNS PTR record lookup.  There are lists of dialup IPs and also various
email blacklists; see http://mail-abuse.org.  It doesn't seem very
scientific or rigorous but if you have a public SMTP server then it's
public.  At least that way your server gets to tear down the TCP
session.
rgds
Marc

Priscilla Oppenheimer wrote:
> 
> When people Telnet to an SMTP server, what do they then do? Do they manually
> send the normal SMTP commands? Sorry if that's a dumb question, but I'm
> just trying to figure out the situation.
> 
> If they are not Telnetting in order to send ordinary SMTP commands (HELO,
> RSET, RCPT, DATA, etc.), then of course you could recognize them by
> what they aren't doing.
> 
> Let's say they are sending ordinary SMTP commands. Would it be possible
> then to recognize this by the timing? Even the fastest typist can't send
> those commands as fast as e-mail software can.
> 
> That's my $0.00000010. Please do answer, though. I'm trying to learn more
> about this curious thing of Telnetting to ports other than 23.
> 
> Priscilla
> 
> At 02:51 AM 4/16/02, Cisco Breaker wrote:
> >Hi,
> >
> >Is it possible to block telnet to SMTP server from port 25 with IDS? I want
> >to create a custom signature for this but I don't know how this can be done.
> >If I write a signature beginning with hello it will block all mail traffic
> >because all of them start with hello as I know. And are there any
> >resources that tell how to write a custom signature? We are using CSPM
> >2.3.3i.
> >
> >Any help will be appreciated.
> >
> >Best regards,
> >
> >Cisco Breaker
> ________________________
> 
> Priscilla Oppenheimer
> http://www.priscilla.com
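
The application-layer refusal mentioned in the reply above (source address range, DNS blacklist and PTR lookup), as an added example that is not part of the original thread. The blocked range, the zone name dnsbl.example, the hostnames and the DNS answers are constructed, and the two lookup callables are hypothetical stand-ins for a real resolver.

```python
import ipaddress

# Constructed sample policy: documentation ranges and a hypothetical DNSBL zone.
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. a dialup pool
DNSBL_ZONE = "dnsbl.example"  # hypothetical zone, not a real blacklist


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_client(ip, lookup_a, lookup_ptr):
    """Return (accept, smtp_reply) for a connecting client.

    lookup_a(name) -> list of A records ([] if the name does not exist)
    lookup_ptr(ip) -> PTR hostname or None
    Both are injected so the policy can be exercised without live DNS.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in BLOCKED_RANGES):
        return False, "554 5.7.1 connection refused: address range blocked"
    # A DNSBL lists an address by answering with a record in 127.0.0.0/8.
    answers = lookup_a(dnsbl_query_name(ip))
    if any(ipaddress.IPv4Address(a).is_loopback for a in answers):
        return False, "554 5.7.1 connection refused: listed in " + DNSBL_ZONE
    # Assumed policy choice: refuse clients that have no PTR record at all.
    if lookup_ptr(ip) is None:
        return False, "554 5.7.1 connection refused: no PTR record"
    return True, "220 mail.example ESMTP"


# Constructed DNS data standing in for real lookups.
FAKE_A = {"10.2.0.192.dnsbl.example": ["127.0.0.2"]}
FAKE_PTR = {"203.0.113.5": "mx.sender.example", "192.0.2.10": "host.example"}


def demo(ip):
    """Run the policy against the constructed DNS data above."""
    return check_client(ip, lambda name: FAKE_A.get(name, []), FAKE_PTR.get)


if __name__ == "__main__":
    for client in ("198.51.100.7", "192.0.2.10", "203.0.113.9", "203.0.113.5"):
        print(client, demo(client))
```

The decision is made per connection before any SMTP command is read, so it applies equally to a typed Telnet session and to mail software.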




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41668&t=41565
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]