[Dshield] unusual port 25 traffic

Stephane Grobety security at admin.fulgan.com
Fri Jan 27 13:58:00 GMT 2006


Without a packet dump, it's pretty hard to tell what is happening.
Here is, however, something that could result in what you're seeing:

A spammer has harvested a pretty high number of email addresses
from your domain or is simply using a computer-generated list of
likely inbox names. He is using a few zombie machines to relay to you.

Now, these zombies are pretty single-minded: they will open a TCP
connection and push the content of their buffer without bothering to
read the answer from the server.

Now, your server refuses the message. Maybe the sender is tagged by an
RBL, maybe he's trying to relay and the server rejects it; it's
impossible to know without checking the SMTP logs (or a packet dump).
So what the server does is send back an error message when the error is
detected. BUT, since the client doesn't bother checking for errors, it
continues to send line after line of mail. And each new line (CR+LF)
causes the server to send a new error message.

The result is that you see nearly as much outbound traffic as
inbound and yet see no mail routed.

I have seen that happen a few times at my gateway (without reaching the
same proportion). It didn't actually grow into a problem because the
server is configured to drop the connection after 5 errors and tarpit
it for 5 minutes (i.e. not accept any more connections from that IP).

That's one possibility I see.
Good luck,
Stephane
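As an added illustration (not code from Stephane's mail or from any real MTA), here is a small Python model of the mechanism described above: a client buffer is pushed line by line, the rejecting server answers every line, and the byte counts are compared with and without the "drop the connection after 5 errors" rule. The host names, reply texts and sample buffer are constructed for this example.

```python
from dataclasses import dataclass, field

CRLF = "\r\n"

@dataclass
class Stats:
    bytes_in: int = 0
    bytes_out: int = 0
    errors: int = 0
    dropped: bool = False
    replies: list = field(default_factory=list)

def serve(client_lines, max_errors=None):
    """Answer every line a fire-and-forget client pushes, as a server that
    rejects this sender at MAIL FROM (an RBL hit, say).  max_errors=None
    keeps replying; an integer models 'drop the connection after N errors'."""
    st, rejected = Stats(), False
    for line in client_lines:
        st.bytes_in += len(line) + len(CRLF)           # wire bytes incl. CRLF
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            reply = "250 mail.example.net Hello"
        elif verb == "QUIT":
            reply = "221 Bye"
        elif verb == "MAIL" and not rejected:
            reply, rejected = "550 5.7.1 Sender rejected (listed in RBL)", True
        elif verb in ("MAIL", "RCPT", "DATA"):
            reply = "503 5.5.1 Bad sequence of commands"
        else:
            # With no DATA accepted, body lines are parsed as commands:
            # every one of them earns its own error reply.
            reply = "500 5.5.2 Command unrecognized"
        st.errors += reply[0] != "2"                   # 4xx/5xx count as errors
        st.replies.append(reply)
        st.bytes_out += len(reply) + len(CRLF)
        if max_errors is not None and st.errors >= max_errors:
            drop = "421 4.7.0 Too many errors, closing connection"
            st.replies.append(drop)
            st.bytes_out += len(drop) + len(CRLF)
            st.dropped = True
            break                                      # rest is never read
    return st

# Constructed sample buffer: what a zombie pushes without reading replies.
ZOMBIE_BUFFER = (["EHLO zombie.example", "MAIL FROM:<spam@example.org>",
                  "RCPT TO:<alice@example.net>", "DATA",
                  "Subject: cheap watches", ""]
                 + ["Line %d of the advert" % i for i in range(40)]
                 + [".", "QUIT"])
```

Run `serve(ZOMBIE_BUFFER)` and `serve(ZOMBIE_BUFFER, max_errors=5)` side by side: the uncapped server emits more reply bytes than it received, while the capped one stops after its sixth line and a 421.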
