I don't know about you but I have many "Hacker" intrusions from the
"t-dialin.net" domain, so many that every time I receive a hack alert, not
just popper, I add a filter to my firewall to drop their packets.
I have seen probes on just about every TCP and UDP port.
I think you will find that the intruder is trying to use popper to relay
mail. (Maybe)
Wayne
At 10:30 AM 18-09-01 +0200, Ruggero Dell'Osso wrote:
>Hi,
>I am testing qpopper 4.0.3 on a Red Hat 7.1 system and I am the only user of
>the server. I have a suspicious connection to the POP port. Can someone
>help me understand what it means? Is Qpopper vulnerable to hacker attack?
>These are the lines found in /var/log/maillog
>
>Sep 16 00:41:16 s2 popper[7239]: (null) at pD95410DD.dip.t-dialin.net
>(217.84.16.221): -ERR POP EOF or I/O Error [popper.c:794]
>Sep 16 00:41:16 s2 popper[7239]: I/O error flushing output to client at
>pD95410DD.dip.t-dialin.net [217.84.16.221]: Operation not permitted (1)
>[pop_send.c:685]
>Sep 16 00:41:16 s2 popper[7239]: I/O error flushing output to client at
>pD95410DD.dip.t-dialin.net [217.84.16.221]: Operation not permitted (1)
>[pop_send.c:685]
>Sep 16 00:41:16 s2 popper[7239]: (v4.0.3) Timing for
>@pD95410DD.dip.t-dialin.net (error) auth=0 init=0 clean=0 [popper.c:375]
>Sep 16 00:41:16 s2 sendmail[7238]: NOQUEUE: pD95410DD.dip.t-dialin.net
>[217.84.16.221] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
>Thank you
>
>Ruggero
>
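
An added example, not part of either message above: a small Python check that correlates maillog entries like the quoted ones and flags a peer that opened and dropped connections on more than one daemon in the same second. The heuristic, the function name `probes` and the last sample line (192.0.2.10) are assumptions made for illustration; the other sample lines are the post's own log entries, unwrapped.

```python
import re
from collections import defaultdict

# Log lines from the post above, unwrapped; the last line is constructed for contrast.
SAMPLE = """\
Sep 16 00:41:16 s2 popper[7239]: (null) at pD95410DD.dip.t-dialin.net (217.84.16.221): -ERR POP EOF or I/O Error [popper.c:794]
Sep 16 00:41:16 s2 popper[7239]: (v4.0.3) Timing for @pD95410DD.dip.t-dialin.net (error) auth=0 init=0 clean=0 [popper.c:375]
Sep 16 00:41:16 s2 sendmail[7238]: NOQUEUE: pD95410DD.dip.t-dialin.net [217.84.16.221] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep 16 09:02:40 s2 popper[7301]: (null) at client.example.net (192.0.2.10): -ERR POP EOF or I/O Error [popper.c:794]
"""

# syslog prefix: timestamp, host, daemon[pid]: message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\w+)\[\d+\]: (.*)$")
# Peer address as logged by popper "(a.b.c.d)" or sendmail "[a.b.c.d]"
IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Messages meaning the peer connected and left without starting a session.
EMPTY_SESSION = ("-ERR POP EOF", "did not issue MAIL/EXPN/VRFY/ETRN")


def probes(text, min_services=2):
    """Return {ip: sorted daemons} for peers with empty sessions on at
    least `min_services` different daemons at the same timestamp."""
    seen = defaultdict(set)  # (timestamp, ip) -> daemons touched
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog line we understand
        stamp, _host, daemon, msg = m.groups()
        ip = IP.search(msg)
        if ip and any(marker in msg for marker in EMPTY_SESSION):
            seen[(stamp, ip.group(1))].add(daemon)
    hits = defaultdict(set)
    for (_stamp, ip), daemons in seen.items():
        if len(daemons) >= min_services:
            hits[ip] |= daemons
    return {ip: sorted(d) for ip, d in hits.items()}


if __name__ == "__main__":
    for ip, daemons in probes(SAMPLE).items():
        print(f"{ip}: empty sessions on {', '.join(daemons)} in the same second")
```

A peer that shows up here touched several services without speaking any protocol, which fits a port sweep better than an attempt against qpopper itself; the result is a lead for firewall review, not proof of intent.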