"Previously Guido van Rooij said:"
>
> Mike Kienenberger wrote:
> >
> > VRFY /usr/adm/*SYSLOG.mail         check mail logs for VRFY commands
> > EXPN /usr/adm/*SYSLOG.mail         check mail logs for EXPN commands
> > " command " /usr/adm/*SYSLOG.mail  check mail logs for debug/wiz commands
> >
> > deni /usr/adm/*SYSLOG.auth         check for denied net cmds in SYSLOG
> > fail /usr/adm/*SYSLOG.auth         check for failed login
> >     attempts (passwords at the login prompt; brute force attacks, etc)
> >
> > Does anyone have other things you look for on a regular basis?
>
> It is in general a bad idea to scan for interesting things. What should
> be done instead is filter out the non-interesting ones.
>
> -Guido

That is excellent advice, but there is a basic flaw in it. If a line
containing a disguised non-interesting keyword (in a From address, etc)
is filtered out in a line with a red-flag keyword in it, you will never
see the line. I don't have a solution other than using both methods
together.

Boyd
--
=Boyd Johnson boydj@brooktree.com Rockwell Corp, Brooktree Div, San Diego, Ca.=
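
Added example, not part of the original message: a sketch of "both methods together", where red-flag keywords are checked before any ignore rule and ignore rules must match the whole line rather than a keyword. The log lines, the `stat=Sent` ignore keyword and the whole-line pattern are constructed assumptions; only the red-flag keywords come from the list quoted above.

```python
import re

# Constructed sample lines in a sendmail-like syslog style (not real logs).
SAMPLE = [
    'Jan 10 03:11:02 mx sendmail[211]: AA00211: from=<alice@example.org>, size=812, stat=Sent',
    'Jan 10 03:12:40 mx sendmail[214]: AA00214: from=<stat=Sent@example.net>: EXPN root',
    'Jan 10 03:13:05 mx sendmail[215]: AA00215: "wiz" command from host.example.net',
    'Jan 10 03:14:09 mx sendmail[216]: AA00216: SYSERR: net hang reading from client',
]

# Red-flag keywords for the mail log, taken from the list quoted in the thread.
RED_FLAGS = re.compile(r'VRFY|EXPN| command ')

# Assumption: a keyword-style ignore list, matched anywhere in the line.
NAIVE_IGNORE = ['stat=Sent']

# Assumption: the same routine event described as a whole-line pattern, so the
# keyword only counts in its proper field and nothing may follow it.
STRICT_IGNORE = [re.compile(
    r'^\w{3} [ \d]\d [\d:]{8} \S+ sendmail\[\d+\]: \w+: '
    r'from=<[\w.+-]+@[\w.-]+>, size=\d+, stat=Sent$')]


def naive_filter(lines):
    """Filter-only approach: drop every line containing an ignore keyword."""
    return [l for l in lines if not any(k in l for k in NAIVE_IGNORE)]


def combined(lines):
    """Red flags are reported first and can never be ignored; everything
    else is reported unless a whole-line ignore pattern matches it."""
    flagged, unknown = [], []
    for l in lines:
        if RED_FLAGS.search(l):
            flagged.append(l)
        elif not any(p.match(l) for p in STRICT_IGNORE):
            unknown.append(l)
    return flagged, unknown


if __name__ == '__main__':
    print('naive filter reports:', *naive_filter(SAMPLE), sep='\n  ')
    flagged, unknown = combined(SAMPLE)
    print('red flags:', *flagged, sep='\n  ')
    print('not recognised as routine:', *unknown, sep='\n  ')
```

The second sample line is the case Boyd describes: the keyword filter drops it because the sender field contains the ignore keyword, while the combined pass reports it.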