Slashdot scanning port 143

Hi

I've been tearing my hair out for the past few days wondering why I get
connection refused when I try to access slashdot.org.
I was just going through some logs when I noticed slashdot.org has been
scanning my port 143 (and has been blocked by portsentry) so I assumed it
was portsentry's fault so I added slashdot's ip to portsentry.ignore,
restarted portsentry, then flush iptables and reinitialised it.
I still can't access slashdot.org but I can access linux.slashdot.org,
games.slashdot.org and others but not the main page.

Why would they be scanning my port 143 in the first place? Checking to see
if I'm running an imap server and blocking my access if I am?

It could still be my fault though I've cleared out portsentry and
iptables. Anything else I've missed?

Cheers!

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org

jafar <(E-Mail Removed)> wrote:
> scanning my port 143 (and has been blocked by portsentry) so I assumed it

That's ridiculous. Why should one need to have an open port (wan -> lan)
to conntect to an external http server?

I'm behind a completely closed firewall and have no, zilch, nada problems
to reach 'slashdot.org'. Everything else would make me _very_ suspicious.

Uli


--
"The original point and click interface was a Smith & Wesson."

jafar <(E-Mail Removed)> wrote:
> Hi
>
> I've been tearing my hair out for the past few days wondering why I get
> connection refused when I try to access slashdot.org.
> I was just going through some logs when I noticed slashdot.org has been
> scanning my port 143 (and has been blocked by portsentry) so I assumed it

Are you positive that it really is slashdot.org, or is merely an IP address
with a reversal of slashdot.org?

--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC

On Sun, 24 Jul 2005 01:20:40 +0200, Uli Wachowitz wrote:

> jafar <(E-Mail Removed)> wrote:
>> scanning my port 143 (and has been blocked by portsentry) so I assumed it
>
> That's ridiculous. Why should one need to have an open port (wan -> lan)
> to conntect to an external http server?
>
> I'm behind a completely closed firewall and have no, zilch, nada problems
> to reach 'slashdot.org'. Everything else would make me _very_ suspicious.

I have it open so I can access my mail externally with squirrelmail. If
there is a better way of doing things I'm all ears.

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org

In message <(E-Mail Removed)>, jafar wrote:

> Hi
>
> I've been tearing my hair out for the past few days wondering why I get
> connection refused when I try to access slashdot.org.
> I was just going through some logs when I noticed slashdot.org has been
> scanning my port 143 (and has been blocked by portsentry) so I assumed it
> was portsentry's fault so I added slashdot's ip to portsentry.ignore,
> restarted portsentry, then flush iptables and reinitialised it.
> I still can't access slashdot.org but I can access linux.slashdot.org,
> games.slashdot.org and others but not the main page.
>
> Why would they be scanning my port 143 in the first place? Checking to see
> if I'm running an imap server and blocking my access if I am?
>
Well, it doesn't happen here. I just put ethereal up to see what's happening
on port 143 and there's no activity as I connect to slashdot.org.
--
Dave
mail da (E-Mail Removed) (without the space)
http://www.llondel.org/
So many gadgets, so little time...

jafar wrote:
> On Sun, 24 Jul 2005 01:20:40 +0200, Uli Wachowitz wrote:
>
>> jafar <(E-Mail Removed)> wrote:
>>> scanning my port 143 (and has been blocked by portsentry) so I assumed it
>> That's ridiculous. Why should one need to have an open port (wan -> lan)
>> to conntect to an external http server?
>>
>> I'm behind a completely closed firewall and have no, zilch, nada problems
>> to reach 'slashdot.org'. Everything else would make me _very_ suspicious.
>
> I have it open so I can access my mail externally with squirrelmail. If
> there is a better way of doing things I'm all ears.

Is Squirrelmail running on the same machine as the IMAP server? If so,
then the IMAP port does not have to open to all, it would be accessible
through localhost.


Paul

Frank Sweetser wrote:

> Are you positive that it really is slashdot.org, or is merely an IP
> address with a reversal of slashdot.org?

Be sure to query the actual slashdot.org DNS servers when you check, in case
your DNS cache has been "poisoned".

- Andrew

On Sun, 24 Jul 2005 17:40:59 +0000, Paul Black wrote:

> Is Squirrelmail running on the same machine as the IMAP server? If so,
> then the IMAP port does not have to open to all, it would be accessible
> through localhost.

Yes. The machine it is running on is a combined web/email server and
router. Are you saying I don't need the port open to access squirrelmail
from outside? Would squirrelmail work with just port, 80(http) and
443(https) open for the webmail interface?

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org

On Sun, 24 Jul 2005 18:16:12 -0400, Andrew Gideon wrote:

> Be sure to query the actual slashdot.org DNS servers when you check, in case
> your DNS cache has been "poisoned".

It may have been that as a traceroute to slashdot.org stopped at the
router. I just did a reboot of the server and it's ok now.
For the future, how do I flush the dns cache?
Cheers.

--
Jafar Calley
Producer - http://moonlife-records.com
--------------------------------------
See the latest Mars and Saturn images
http://fatcat.homelinux.org

jafar wrote:
> On Sun, 24 Jul 2005 17:40:59 +0000, Paul Black wrote:
>
>> Is Squirrelmail running on the same machine as the IMAP server? If so,
>> then the IMAP port does not have to open to all, it would be accessible
>> through localhost.
>
> Yes. The machine it is running on is a combined web/email server and
> router. Are you saying I don't need the port open to access squirrelmail
> from outside? Would squirrelmail work with just port, 80(http) and
> 443(https) open for the webmail interface?

Correct. The Squirrelmail configuration is to use 127.0.0.1. You could
check the log files to confirm - i.e. that an IMAP access is made from
127.0.0.1.

Paul