This is a discussion on "TCP characteristics of SMTP sessions?" within the mailing.postfix.users forums, part of the Mail Servers and Related category.
Apologies for this OT posting, but I figured that this list has a lot of expertise in the area. Please feel free to point me to a more appropriate forum.

Almost daily, my mail gateway gets hammered with "empty" SMTP connections from a certain netblock. They show up in my mail logs as

    Feb 4 16:57:56 localhost postfix/smtpd[25202]: connect from unknown[i.p.add.ress]
    Feb 4 16:57:57 localhost postfix/smtpd[25202]: disconnect from unknown[i.p.add.ress]

I decided to take a look at the actual TCP/IP characteristics with the Solaris snoop command, and the following is a snoop excerpt of three such SMTP sessions:

    15 1.93961 i.p.add.ress -> localhost SMTP C port=1038
    16 1.03819 i.p.add.ress -> localhost SMTP C port=1038
    17 0.40070 i.p.add.ress -> localhost SMTP C port=1038 HELO local\r\n
    18 0.42794 i.p.add.ress -> localhost SMTP C port=1038 QUIT\r\n
    19 0.01213 i.p.add.ress -> localhost SMTP C port=1038
    20 0.56096 i.p.add.ress -> localhost SMTP C port=1038
    21 1.40232 i.p.add.ress -> localhost SMTP C port=1045
    22 0.66975 i.p.add.ress -> localhost SMTP C port=1045
    23 0.79027 i.p.add.ress -> localhost SMTP C port=1045
    24 0.00198 i.p.add.ress -> localhost SMTP C port=1045 HELO local\r\n
    25 0.80971 i.p.add.ress -> localhost SMTP C port=1045 QUIT\r\n
    26 0.00118 i.p.add.ress -> localhost SMTP C port=1045
    27 0.47439 i.p.add.ress -> localhost SMTP C port=1045
    28 0.90633 i.p.add.ress -> localhost SMTP C port=1057
    29 1.21437 i.p.add.ress -> localhost SMTP C port=1057
    30 1.64518 i.p.add.ress -> localhost SMTP C port=1057 HELO local\r\n
    31 0.75292 i.p.add.ress -> localhost SMTP C port=1057 QUIT\r\n
    32 0.08130 i.p.add.ress -> localhost SMTP C port=1057
    33 0.17068 i.p.add.ress -> localhost SMTP C port=1057

Now, one thing I find peculiar here is the increasing source port number - 1038, 1045, 1057, up to the 2000s and 3000s. As my knowledge of TCP/IP is abysmal, I was wondering:

- has anyone seen the likes before? :)
- is there anything significant in this port number increase, i.e. can it be attributed to a known piece of malware on the connecting client, or would ordinary, standard mail clients exhibit the same characteristic (for consecutive SMTP sessions)?

Thanks :)
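Added example (not part of the original post or of Postfix itself): a rising source port across consecutive connections is simply what a client TCP stack that hands out ephemeral ports sequentially produces, so the port numbers alone do not identify the client. What the post does give is a log signature that can be detected: an smtpd "connect from" followed by "disconnect from" for the same process with nothing logged in between. The script below parses constructed Postfix log lines in the format shown above (the IPs are documentation ranges and the queue ID is made up), flags such empty sessions, and counts them per /24 so a noisy netblock stands out. The function names and the threshold are this example's own choices, not anything from the post.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines for this example (not taken from the post).
# 192.0.2.0/24 produces three empty connect/disconnect pairs; the host in
# 198.51.100.0/24 actually starts a mail transaction ("client=" line).
SAMPLE_LOG = """\
Feb  4 16:57:56 localhost postfix/smtpd[25202]: connect from unknown[192.0.2.17]
Feb  4 16:57:57 localhost postfix/smtpd[25202]: disconnect from unknown[192.0.2.17]
Feb  4 16:58:03 localhost postfix/smtpd[25202]: connect from unknown[192.0.2.18]
Feb  4 16:58:04 localhost postfix/smtpd[25202]: disconnect from unknown[192.0.2.18]
Feb  4 16:58:10 localhost postfix/smtpd[25210]: connect from mail.example.net[198.51.100.5]
Feb  4 16:58:11 localhost postfix/smtpd[25210]: 1A2B3C4D5E: client=mail.example.net[198.51.100.5]
Feb  4 16:58:12 localhost postfix/smtpd[25210]: disconnect from mail.example.net[198.51.100.5]
Feb  4 16:58:20 localhost postfix/smtpd[25202]: connect from unknown[192.0.2.17]
Feb  4 16:58:21 localhost postfix/smtpd[25202]: disconnect from unknown[192.0.2.17]
"""

# syslog timestamp, host, "postfix/smtpd[pid]: " and the rest of the message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "connect from host[ip]" / "disconnect from host[ip]", trailing text allowed
PEER_RE = re.compile(
    r"^(?P<event>connect|disconnect) from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_line(line):
    """Return (timestamp, pid, message) for an smtpd log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["pid"], m["msg"]


def find_empty_sessions(lines, max_seconds=5):
    """Return [(ip, duration_seconds)] for sessions where nothing was logged
    between connect and disconnect and the session lasted <= max_seconds.
    Each smtpd process serves one client at a time, so the pid keys a session."""
    open_sessions = {}  # pid -> [start_ts, ip, lines_logged_in_between]
    empty = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        peer = PEER_RE.match(msg)
        if peer and peer["event"] == "connect":
            open_sessions[pid] = [ts, peer["ip"], 0]
        elif peer and peer["event"] == "disconnect":
            sess = open_sessions.pop(pid, None)
            if sess is None:
                continue  # disconnect without a seen connect (log rotated, etc.)
            start, ip, between = sess
            duration = (ts - start).total_seconds()
            if between == 0 and duration <= max_seconds:
                empty.append((ip, duration))
        elif pid in open_sessions:
            # any other smtpd line (client=, NOQUEUE, lost connection, ...)
            # means the session was not empty
            open_sessions[pid][2] += 1
    return empty


def count_by_netblock(empty_sessions, prefixlen=24):
    """Aggregate empty sessions per network of the given prefix length."""
    counts = Counter()
    for ip, _ in empty_sessions:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def noisy_netblocks(counts, threshold=3):
    """Netblocks with at least `threshold` empty sessions (threshold is arbitrary)."""
    return sorted(net for net, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    empty = find_empty_sessions(SAMPLE_LOG.splitlines())
    by_net = count_by_netblock(empty)
    print("empty sessions:", empty)
    print("per /24:", by_net)
    print("noisy:", noisy_netblocks(by_net))
```

Run it against a real mail log with `find_empty_sessions(open("/var/log/maillog").read().splitlines())`; the pid-based pairing relies on a "connect from" preceding each "disconnect from" for the same smtpd process, so a session that straddles a log rotation is silently skipped rather than mis-paired.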