It's not a virus, but I do think there is traffic here that must not
conform to *some* RFC out there. Here's some more information. We have:
- Connect to Hotmail SMTP server, port 25, from our server's highPort# to
  deliver a message
- Various session data to and from 25 and highPort#, just as all
atever FW1 calls it, and increase the value.
Hope this helps,
Mickey
-Original Message-
From: Matt Simonsen [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 4:55 PM
To: Matt Simonsen
Cc: [EMAIL PROTECTED]
Subject: Re: Traffic from port 25 to high ports?
Wow - this was delay
It's normal SMTP traffic. SMTP mail flows from client high port to
server 25. An email server sending email to another server acts like a
client. If you don't allow your high port to connect to another
server's port 25, you won't be able to send any email.
Matt Simonsen wrote:
> I am seein
Mail doesn't usually go 25 -> 25. Usually it's 1025+ (unprivileged
port) -> 25.
As far as I know, this is probably mail traffic. It could be someone
scanning for an open relay mail server.
HTH,
.aaron.
Matt Simonsen wrote:
> I am seeing traffic regularly coming from remote servers' port 25
Well, this might be a typical case of port forwarding, which is typical of
SSH. For example, I can say to forward all the traffic on port 25 of a
machine X to port 33543 of machine Y using SSH, where in some cases X and Y
can be the same machine.
Cheers,
ag
Matt Simonsen wrote:
> I am
Wow - this was delayed. I have since found out that SMTP traffic goes
from a high port > 25 and then from 25 > the same high port. My firewall
is supposed to keep state - if it is I don't see why the packets are
missed by that. Perhaps they are changing the high port they are sent
back to? Is
Matt, the server's SMTP port 25 always tries to connect to remote machines
on other random ports, but in your case you are having traffic from a remote
machine's SMTP at your high ports. This seems suspicious. The Nimda worm could
also be one reason for this. You try to block the traffic, I am sure your