It's not a virus, but I do think there is traffic here that must not 
conform to *some* RFC out there. Here's some more information. We have:

-Connect to hotmail SMTP server, port 25, from our server's highPort# to 
deliver a message
-Various session data to and from 25 and highPort#, just as all of you 
said it would

Then what I think may be the last packet of a session, having the ACK 
and FIN set returns from a different IP address to our server. It 
contains "Response: 221 Service closing transmission channel" and does 
not get through our firewall's state tables since the address is not the 
same as the original.

Has anybody seen this before? I really want to block this, but when I do 
I see mail delivery failures (at least for a while until the MTA tries 
another hotmail server).

Thanks for reading this-
Matt

Naseer Bhatti wrote:

>Matt. The server's SMTP port 25 always tries to connect to remote machines
>to other random ports. but in your case you are having traffic from remote
>machine's SMTP at your high ports. This seems suspicious. Nimda worm could
>also be one reason for this. You try to block the traffic, I am sure your
>SMTP box will continue to work normally.
>
>>I am seeing traffic regularly coming from remote servers' port 25
>>destined to our servers' high ports, generally in the 1-3k range. Is
>>this normal? I plan to block it all, from what I understand SMTP goes
>>only from 25 to 25, but if that's the case I can't figure out what this
>>would be.
>>
>
>>According to our IPFilter logs the traffic generally has -AFP set,
>>please let me know off-line if a tidbit of info I could provide can help
>>you answer my question.
>>
>
>Naseer
>
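To make concrete why the state table drops that final FIN/ACK, here is an added Python simulation of a 4-tuple connection tracker fed the packet sequence Matt describes (this is example code, not from the original thread); the addresses, the high port 1234 and the SMTP banner text are constructed values.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

OUR_HOST = "10.0.0.5"          # constructed: our mail server
REMOTE_MX = "198.51.100.10"    # constructed: remote SMTP host we connected to
OTHER_MX = "198.51.100.11"     # constructed: host that sends the closing FIN/ACK


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flag letters as a log would show them, e.g. "S", "SA", "AFP"
    payload: str = ""


class StatefulFilter:
    """Minimal connection tracker keyed on the full 4-tuple, as a stateful
    firewall does: only our own outbound SYN creates an entry, and every
    inbound packet must match an existing entry exactly."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def process(self, p: Packet) -> bool:
        """Return True if the packet passes, False if it is dropped."""
        if p.src == OUR_HOST:
            key = (p.src, p.sport, p.dst, p.dport)
            if "S" in p.flags and "A" not in p.flags:   # outbound SYN opens state
                self.table.add(key)
        else:
            key = (p.dst, p.dport, p.src, p.sport)        # inbound must match state
        return key in self.table


def smtp_session_trace() -> List[Packet]:
    """Constructed trace of the session described in the post."""
    hp = 1234   # our ephemeral high port
    return [
        Packet(OUR_HOST, hp, REMOTE_MX, 25, "S"),
        Packet(REMOTE_MX, 25, OUR_HOST, hp, "SA"),
        Packet(OUR_HOST, hp, REMOTE_MX, 25, "A"),
        Packet(REMOTE_MX, 25, OUR_HOST, hp, "AP", "220 mx.example ESMTP"),
        Packet(OUR_HOST, hp, REMOTE_MX, 25, "AP", "QUIT"),
        # The closing reply comes from a different address than we connected to.
        Packet(OTHER_MX, 25, OUR_HOST, hp, "AFP", "221 Service closing transmission channel"),
    ]


def blocked_packets(trace: List[Packet]) -> List[Packet]:
    """Run the trace through the filter and return the packets it drops."""
    fw = StatefulFilter()
    return [p for p in trace if not fw.process(p)]
```

Only the last packet is dropped: its source address does not match the entry created by our SYN, so the 221 reply never reaches the MTA even though every other packet of the session passes.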

