[Dshield] unusual port 25 traffic

Scott Melnick smelnick at water.com
Thu Jan 26 23:29:23 GMT 2006


Are you positive you have SMTP relay off on your email server?
If it is off then it will be difficult to tell until you get a packett
capture. Im not sure what kind of Firewall you are using, but enabling
application inspection will stop anything that is abnormal on port 25.

Scott



> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-
> bounces at lists.dshield.org] On Behalf Of Robert Ungemach
> Sent: Wednesday, January 25, 2006 4:09 PM
> To: list at lists.dshield.org
> Subject: [Dshield] unusual port 25 traffic
> 
>  Has anyone seen anything like this one.
> 
> We are receiving large bursts of port 25 traffic to our smtp gateway
> server.  The source servers are 85.197.143.118,
host-navab6-21.navab.net
> (80.84.35.21, host-navab6-242.navab.net (80.84.35.242), and
> xDSL-43-171.citynetnassjo.se (80.84.43.171).
> 
> The connect on port 25 and burst a send/receive.  Between 7-12 gig of
> data in both directions.  The last record of throughput is about
35mbps
> in both directions. (errors are recorded on both the inside and
outside
> interfaces.) This burst maxes out our border router CPU, a Cisco 2821,
> to the point were the router becomes unresponsive and we loose
internet
> connectivity. This generate a high volume of input errors and ignored
> packets on the interface.  We removed BGP in an attempt to keep us up
in
> the internet.  We have checked everything under the hood and had the
> configs on all equipment double-checked.
> 
> We have a TAC case open, but cannot find an issue with the hardware,
we
> have replaced it just in case.
> 
> Our IPS doesn't report anything associated with these addresses.  We
> have searched our smtp logs and cannot find an entry showing we
received
> email from the source IP addresses.
> 
> Yet another interesting point, the traffic between these host is
fairly
> close in both directions, which is not typical for our inbound smtp.
> Usually it is mostly a one-sided conversation.  If we receive 12.0 GB
of
> data we transmit back 11.75GB of data.  This is recorded via netflows.
> 
> We have scanned the boxes with AV, scanned with Nessus, we can seem to
> find them compromised.
> 
> Sniffer has been set up and we are waiting for another burst.  We
cannot
> find a pattern to the traffic.  We can go a couple of
days/hours/minutes
> before another burst.
> 
> Any thoughts greatly appreciated.
> 
> Robert Ungemach
> Sr. Network Engineer
> CTX Mortgage Company, LLC
> 214.758.7741 - Office
> 
> Communications Group -
> 
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



More information about the list mailing list