[Dshield] unusual port 25 traffic
smelnick at water.com
Thu Jan 26 23:29:23 GMT 2006
Are you positive you have SMTP relay off on your email server?
If it is off then it will be difficult to tell until you get a packet
capture. I'm not sure what kind of Firewall you are using, but enabling
application inspection will stop anything that is abnormal on port 25.
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-
> bounces at lists.dshield.org] On Behalf Of Robert Ungemach
> Sent: Wednesday, January 25, 2006 4:09 PM
> To: list at lists.dshield.org
> Subject: [Dshield] unusual port 25 traffic
> Has anyone seen anything like this one?
> We are receiving large bursts of port 25 traffic to our smtp gateway
> server. The source servers are 126.96.36.199,
> (188.8.131.52, host-navab6-242.navab.net (184.108.40.206), and
> xDSL-43-171.citynetnassjo.se (220.127.116.11).
> They connect on port 25 and burst a send/receive. Between 7-12 gig of
> data in both directions. The last record of throughput is about
> in both directions. (errors are recorded on both the inside and
> interfaces.) This burst maxes out our border router CPU, a Cisco 2821,
> to the point where the router becomes unresponsive and we lose
> connectivity. This generates a high volume of input errors and ignored
> packets on the interface. We removed BGP in an attempt to keep us up
> the internet. We have checked everything under the hood and had the
> configs on all equipment double-checked.
> We have a TAC case open, but cannot find an issue with the hardware,
> have replaced it just in case.
> Our IPS doesn't report anything associated with these addresses. We
> have searched our smtp logs and cannot find an entry showing we
> email from the source IP addresses.
> Yet another interesting point, the traffic between these hosts is
> close in both directions, which is not typical for our inbound smtp.
> Usually it is mostly a one-sided conversation. If we receive 12.0 GB
> data we transmit back 11.75GB of data. This is recorded via netflows.
> We have scanned the boxes with AV, scanned with Nessus, we can seem to
> find them compromised.
> Sniffer has been set up and we are waiting for another burst. We
> find a pattern to the traffic. We can go a couple of
> before another burst.
> Any thoughts greatly appreciated.
> Robert Ungemach
> Sr. Network Engineer
> CTX Mortgage Company, LLC
> 214.758.7741 - Office
> Communications Group -
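The observation that makes this traffic stand out is the byte symmetry: inbound SMTP is normally lopsided (the sender pushes a message, the gateway answers with short status lines), whereas the post reports 12.0 GB in against 11.75 GB out. The script below is an added example, not code from the thread or from DShield, that turns that observation into a check over NetFlow-style records. It assumes a simple per-flow export of `src,sport,dst,dport,bytes`, a gateway address of 192.0.2.25, a 1 GiB volume floor and a 0.80 min/max byte ratio as the "two-sided" threshold (all constructed), and it cross-references each flagged remote host against a constructed set of sender addresses taken from the gateway's own SMTP log, since the post also notes that the logs showed no mail from these sources.

```python
"""Flag high-volume, near-symmetric port-25 exchanges in NetFlow-style data.

Added example (not from the mailing-list thread). Each remote host that
talks to the SMTP gateway is scored by total bytes moved and by the ratio
between the two directions; a large, two-sided exchange that the mail log
never recorded as a delivery is worth a packet capture.
"""
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25
GATEWAY = "192.0.2.25"               # assumption: address of the SMTP gateway
MIN_TOTAL_BYTES = 1 * 1024 ** 3      # assumption: ignore pairs below 1 GiB total
SYMMETRY_THRESHOLD = 0.80            # assumption: min/max byte ratio that counts as two-sided

# Constructed unidirectional flow records: src,sport,dst,dport,bytes.
# Addresses come from the RFC 5737 documentation ranges.
FLOWS = """\
203.0.113.10,40123,192.0.2.25,25,6000000000
192.0.2.25,25,203.0.113.10,40123,5900000000
203.0.113.11,40200,192.0.2.25,25,800000000
192.0.2.25,25,203.0.113.11,40200,30000000
198.51.100.7,51000,192.0.2.25,25,3000000000
192.0.2.25,25,198.51.100.7,51000,2800000000
203.0.113.12,52000,192.0.2.25,25,500000
192.0.2.25,25,203.0.113.12,52000,400000
203.0.113.13,53000,192.0.2.25,25,2000000000
192.0.2.25,25,203.0.113.13,53000,10000000
"""

# Constructed: sender addresses that appear in the gateway's SMTP log.
MAIL_LOG_SENDERS = {"203.0.113.11", "203.0.113.12", "203.0.113.13"}


@dataclass
class Finding:
    remote: str
    bytes_in: int
    bytes_out: int
    symmetry: float
    seen_in_mail_log: bool


def parse_flows(text):
    """Yield (src, sport, dst, dport, bytes) tuples from the CSV export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, nbytes = line.split(",")
        yield src, int(sport), dst, int(dport), int(nbytes)


def aggregate_smtp(flows, gateway):
    """Sum bytes per remote host, split by direction relative to the gateway."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst == gateway and dport == SMTP_PORT:
            bytes_in[src] += nbytes          # remote -> gateway:25
        elif src == gateway and sport == SMTP_PORT:
            bytes_out[dst] += nbytes         # gateway:25 -> remote
    return bytes_in, bytes_out


def symmetry(a, b):
    """min/max of the two directions: 1.0 is a perfectly two-sided exchange."""
    hi = max(a, b)
    return 0.0 if hi == 0 else min(a, b) / hi


def find_suspicious(flow_text, gateway, mail_log_senders,
                    min_total=MIN_TOTAL_BYTES, threshold=SYMMETRY_THRESHOLD):
    """Return large, two-sided port-25 exchanges, biggest first."""
    bytes_in, bytes_out = aggregate_smtp(parse_flows(flow_text), gateway)
    findings = []
    for remote in set(bytes_in) | set(bytes_out):
        bi, bo = bytes_in[remote], bytes_out[remote]
        if bi + bo < min_total:
            continue
        ratio = symmetry(bi, bo)
        if ratio >= threshold:
            findings.append(Finding(remote, bi, bo, round(ratio, 3),
                                    remote in mail_log_senders))
    findings.sort(key=lambda f: f.bytes_in + f.bytes_out, reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(FLOWS, GATEWAY, MAIL_LOG_SENDERS):
        print(f"{f.remote}: in={f.bytes_in} out={f.bytes_out} "
              f"symmetry={f.symmetry} in_mail_log={f.seen_in_mail_log}")
```

On the constructed data, the two hosts that move gigabytes with a ratio above 0.9 and have no corresponding mail-log entry are reported; the 2 GB one-sided delivery from 203.0.113.13 is not, because its ratio is far below the threshold. The thresholds are starting points and should be tuned against a site's own baseline of inbound SMTP ratios.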