Just to change the topic momentarily away from conference registrations etc to more technical matters.... :-)

A while back I remember a bit of discussion about a "personal firewall" program that automatically sent out abuse(a)domain emails whenever it detected "intrusion attempts", which was really starting to get up the nose of system admins everywhere....

Yesterday I got a strong sense of deja vu when I received the following email to abuse@ (details xxx'ed to protect the innocent :)

-------------------8<---------------------
Complaint ID: [securepipe.com #xxxxxx]

The following is a complaint against an IP or domain which appeared in our logs, indicating possible network abuse. If you have received this report in error, please forward it to the appropriate party or let us know.

A user, apparently from your network, probed port 139 (NETBIOS) on the IP appearing in the log excerpt below. The port in question is commonly used for Windows networking, and thus the probe may represent a misconfigured client or an active attempt to gain unauthorized access to the target.

All timestamps below are in UTC -0000 (Greenwich Mean Time)

Jul 3 03:14:56 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=64034 F=0x4000 T=103 SYN (#25)
Jul 3 03:14:59 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=547 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:05 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=4643 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:17 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 x.x.x.x:1026 x.x.x.x:139 L=48 S=0x00 I=11811 F=0x4000 T=103 SYN (#25)

We appreciate your assistance in resolving this matter.

--
SecurePipe Incident Response Team
Tel: +1 608 294 6940
Fax: +1 608 294 6950 (attn: IRT)
incident.response(a)securepipe.com
-------------------8<---------------------

Now I don't know about anyone else, but this email looks like an automatically generated report if I ever saw one... although this time coming from a Linux firewall log. The question is, should I be taking this seriously or ignoring it?

The fact that the "complaint" had an ID number suggested they may have a system like SpamCop where you can quickly log in and address the issue on their website. Unless I'm blind, they don't have anything like that on their site, only lots of promotional material for their company's products/services. (Does that make this email effectively unsolicited advertising? :)

Then there is the question of severity - I'd be interested to know where most sysadmins draw the line between accidental and harmless connections and outright malicious activity. IMHO a single connection attempt to port 139 doesn't fall into the category of malicious, and could indeed be totally accidental. I can think of a number of actions in Windows that will inadvertently cause it to try to make a NetBIOS connection to a remote host - sometimes you have to go out of your way to STOP the stupid thing from doing that... (NetBIOS hostname resolution anyone?)

I'm definitely not trying to downplay the importance of security, but I can see a lot of nuisance value if we get to the point where any connection to a non-desired port is automatically considered malicious, and every man and his dog has their firewall automatically firing off emails every time somebody tries to connect to them on a port they weren't expecting connections on...

Anyway, I'd be interested in hearing from anyone else who has dealt with "securepipe.com", or just people's opinions on the matter of automated firewall abuse emailing in general...

Regards,
Simon Byrnand
iGRIN Internet

-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
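Added example (not part of the post above, nor SecurePipe's tooling) for the "where do you draw the line" question: a Python triage pass over ipchains-style "Packet log:" DENY lines in the format quoted in the complaint. It first collapses retransmitted SYNs into one attempt (the four quoted lines share source port 1026 and one destination, with 3 s, 6 s and 12 s gaps, i.e. one connection retried) and only then judges a source, so a lone NetBIOS attempt is logged rather than reported while a sweep across several hosts is flagged. The addresses, the three extra sweep lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ipchains "Packet log:" format quoted in the complaint.
# First four lines: one SYN retransmitted (same source port, backoff intervals).
# Last three: a sweep of port 139 across three hosts. Addresses are placeholders.
LOG = """\
Jul 3 03:14:56 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.1:1026 192.0.2.5:139 L=48 S=0x00 I=64034 F=0x4000 T=103 SYN (#25)
Jul 3 03:14:59 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.1:1026 192.0.2.5:139 L=48 S=0x00 I=547 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:05 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.1:1026 192.0.2.5:139 L=48 S=0x00 I=4643 F=0x4000 T=103 SYN (#25)
Jul 3 03:15:17 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.1:1026 192.0.2.5:139 L=48 S=0x00 I=11811 F=0x4000 T=103 SYN (#25)
Jul 3 03:20:00 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.9:40001 192.0.2.5:139 L=48 S=0x00 I=1 F=0x4000 T=64 SYN (#25)
Jul 3 03:20:00 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.9:40002 192.0.2.6:139 L=48 S=0x00 I=2 F=0x4000 T=64 SYN (#25)
Jul 3 03:20:01 ca-gw kernel: Packet log: inpETH2 DENY eth2 PROTO=6 10.0.0.9:40003 192.0.2.7:139 L=48 S=0x00 I=3 F=0x4000 T=64 SYN (#25)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ DENY \S+ "
    r"PROTO=6 (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\bSYN\b")

def triage(log, scan_targets=3, window=60):
    """Collapse retransmitted SYNs into attempts, then give each source a verdict."""
    attempts = defaultdict(list)  # (src, sport, dst, dport) -> timestamps seen
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a denied TCP SYN; ignore
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        attempts[(m["src"], m["sport"], m["dst"], m["dport"])].append(ts)
    by_src = defaultdict(list)  # src -> [(first_seen, dst, dport, line_count)]
    for (src, _sport, dst, dport), times in attempts.items():
        by_src[src].append((min(times), dst, dport, len(times)))
    report = {}
    for src, att in by_src.items():
        targets = {(d, p) for _, d, p, _ in att}
        span = (max(t for t, *_ in att) - min(t for t, *_ in att)).total_seconds()
        if len(targets) >= scan_targets and span <= window:
            verdict = "scan: worth reporting"  # many hosts/ports in a short window
        elif len(att) == 1:
            verdict = "single attempt: likely accidental, log only"
        else:
            verdict = "repeated: review before reporting"
        report[src] = {"lines": sum(n for *_, n in att), "attempts": len(att),
                       "targets": len(targets), "verdict": verdict}
    return report
```

Tune `scan_targets` and `window` to local policy; the point is that the retransmit count ("lines") is not the attempt count.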