[Dshield] unusual port 25 traffic

KrogNetix abuse at allover.ca
Thu Jan 26 21:47:54 GMT 2006

It seems strange that the burst (apparently) came from a domestic ADSL IP.
We have been seeing spammers connecting via TCP 25 in bunches of 20-100
to try and confuse the anti-spam or "greylisting" system and allow for
successful delivery. Maybe this is a similar (only much larger) event like

M. McBride
Security Admin
Vancouver CA

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jean-Pierre Schwickerath
Sent: Thursday, January 26, 2006 10:41 AM
To: list at lists.dshield.org
Subject: [ABUSE] Re: [Dshield] unusual port 25 traffic

> We have scanned the boxes with AV, scanned with Nessus, we can seem to 
> find them compromised.
> Sniffer has been set up and we are waiting for another burst.  We 
> cannot find a pattern to the traffic.  We can go a couple of 
> days/hours/minutes before another burst.

Can you dump the traffic's payload to see whether it's really SMTP or
something else?


HILOTEC Engineering + Consulting GmbH
Energietechnik und Datensysteme
Tel: +41 34 402 74 00 - http://www.hilotec.com/
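The two suggestions in this thread (look for "bunches" of 20-100 connections from one source, and dump the payload to check that it is really SMTP) can be combined into one triage pass over per-connection sniffer output. The script below is an added example, not code from either poster; it runs on constructed records (RFC 5737 documentation addresses, made-up timestamps and first-bytes), and the burst threshold of 20 connections inside a 60-second window is an assumed setting, not a value from the thread.

```python
import re
from collections import Counter, defaultdict

# Thresholds are assumptions for this example, not values from the thread.
BURST_MIN = 20        # connections from one source that count as a "bunch"
BURST_WINDOW = 60.0   # seconds, measured from the first connection of a bunch

# A client that is really speaking SMTP opens with EHLO/HELO <hostname>.
SMTP_CLIENT_OPEN = re.compile(rb"^(?:EHLO|HELO)[ \t]+\S+\r?\n", re.IGNORECASE)


def classify_payload(client_bytes):
    """Label the first bytes a client sent after connecting to TCP/25."""
    if not client_bytes:
        return "empty"        # connect-and-drop: a scan, or a greylist retry that gave up
    if SMTP_CLIENT_OPEN.match(client_bytes):
        return "smtp"
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in client_bytes):
        return "binary"       # not SMTP at all: a tunnel, C2 traffic, TLS on the wrong port
    return "other-text"       # printable but no SMTP greeting (e.g. HTTP sent to port 25)


def find_bursts(connections, min_count=BURST_MIN, window=BURST_WINDOW):
    """Group each source's connections into fixed windows and report the big ones.

    connections: iterable of (timestamp_seconds, source_ip, first_client_bytes).
    Returns {source_ip: [(start_ts, end_ts, count, Counter of payload labels), ...]}
    holding only windows with at least `min_count` connections.
    """
    by_src = defaultdict(list)
    for ts, src, payload in sorted(connections, key=lambda c: c[0]):
        by_src[src].append((ts, payload))

    bursts = defaultdict(list)
    for src, items in by_src.items():
        i = 0
        while i < len(items):
            start = items[i][0]
            j = i
            while j < len(items) and items[j][0] - start <= window:
                j += 1
            members = items[i:j]
            if len(members) >= min_count:
                labels = Counter(classify_payload(p) for _, p in members)
                bursts[src].append((start, members[-1][0], len(members), labels))
            i = j
    return dict(bursts)


def build_sample():
    """Constructed records standing in for a sniffer's per-connection summary."""
    conns = []
    # A normal relay: one connection every couple of hours.
    for ts in (0.0, 7200.0, 14400.0):
        conns.append((ts, "192.0.2.10", b"EHLO mx1.example.net\r\n"))
    # 30 connections in ~15 s from one ADSL-looking host: mostly real greetings,
    # a few that connect and send nothing (what a greylist-defeating blast looks like).
    for n in range(30):
        payload = b"" if n % 10 == 9 else b"HELO adsl-host.example.org\r\n"
        conns.append((1000.0 + n * 0.5, "203.0.113.45", payload))
    # 25 connections carrying non-SMTP bytes: something else riding port 25.
    for n in range(25):
        conns.append((5000.0 + n * 1.0, "198.51.100.7", b"\x16\x03\x01\x00\x2a\x01"))
    # 5 connections from another host: under the threshold, must not be reported.
    for n in range(5):
        conns.append((6000.0 + n * 2.0, "198.51.100.99", b"EHLO five.example.com\r\n"))
    return conns


SAMPLE = build_sample()

if __name__ == "__main__":
    for src, windows in find_bursts(SAMPLE).items():
        for start, end, count, labels in windows:
            print(f"{src}: {count} connections in {end - start:.1f}s, "
                  f"payloads={dict(labels)}")
```

The payload label is what separates the two cases the thread is worried about: a burst whose first bytes are all EHLO/HELO is a mail blast, a burst of "binary" or "empty" is something that only happens to use port 25 and should be treated as a possible compromise rather than a spam problem. Feeding real data means replacing `build_sample()` with records pulled from the sniffer (for example the first client segment of each port-25 flow).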