This is a discussion on Re: TCP characteristics of SMTP sessions? within the mailing.postfix.users forums, part of the Mail Servers and Related category.
Smells like a port scan. Are you running portsentry? You might want
to look into it if you aren't.

Good luck,
Paul

> Apologies for this OT posting, but I figured that this list has a lot of
> expertise in the area. Please feel free to point me to a more appropriate
> forum.
>
> Almost daily, my mail gateway gets hammered with "empty" smtp connections
> from a certain netblock. They show up in my mail logs as
>
> Feb 4 16:57:56 localhost postfix/smtpd[25202]: connect from unknown[i.p.add.ress]
> Feb 4 16:57:57 localhost postfix/smtpd[25202]: disconnect from unknown[i.p.add.ress]
>
> I decided to take a look at the actual TCP/IP characteristics with the
> Solaris snoop command, and the following is a snoop excerpt of three such
> smtp sessions:
>
> 15 1.93961 i.p.add.ress -> localhost SMTP C port=1038
> 16 1.03819 i.p.add.ress -> localhost SMTP C port=1038
> 17 0.40070 i.p.add.ress -> localhost SMTP C port=1038 HELO local\r\n
> 18 0.42794 i.p.add.ress -> localhost SMTP C port=1038 QUIT\r\n
> 19 0.01213 i.p.add.ress -> localhost SMTP C port=1038
> 20 0.56096 i.p.add.ress -> localhost SMTP C port=1038
> 21 1.40232 i.p.add.ress -> localhost SMTP C port=1045
> 22 0.66975 i.p.add.ress -> localhost SMTP C port=1045
> 23 0.79027 i.p.add.ress -> localhost SMTP C port=1045
> 24 0.00198 i.p.add.ress -> localhost SMTP C port=1045 HELO local\r\n
> 25 0.80971 i.p.add.ress -> localhost SMTP C port=1045 QUIT\r\n
> 26 0.00118 i.p.add.ress -> localhost SMTP C port=1045
> 27 0.47439 i.p.add.ress -> localhost SMTP C port=1045
> 28 0.90633 i.p.add.ress -> localhost SMTP C port=1057
> 29 1.21437 i.p.add.ress -> localhost SMTP C port=1057
> 30 1.64518 i.p.add.ress -> localhost SMTP C port=1057 HELO local\r\n
> 31 0.75292 i.p.add.ress -> localhost SMTP C port=1057 QUIT\r\n
> 32 0.08130 i.p.add.ress -> localhost SMTP C port=1057
> 33 0.17068 i.p.add.ress -> localhost SMTP C port=1057
>
> Now, one thing I find peculiar here is the increasing source port
> number - 1038, 1045, 1057, up to the 2000s and 3000s. As my knowledge
> of TCP/IP is abysmal, I was wondering:
>
> - has anyone seen the likes before? :)
> - is there anything significant in this port number increase, i.e.
> can it be attributed to a known piece of malware on the connecting
> client, or would ordinary, standard mail clients exhibit the same
> characteristic (for consecutive smtp sessions)?
>
> Thanks :)
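A defender-side check for the pattern the original poster describes, added here as an example (not code from the thread or from Postfix): it scans Postfix smtpd log lines for connect/disconnect pairs logged by the same smtpd process with nothing in between, then tallies them per client and per /24 netblock. The sample log lines and addresses are constructed; the 5-second window is an assumed threshold.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of those quoted in the thread (documentation addresses).
SAMPLE_LOG = """\
Feb 4 16:57:56 localhost postfix/smtpd[25202]: connect from unknown[192.0.2.10]
Feb 4 16:57:57 localhost postfix/smtpd[25202]: disconnect from unknown[192.0.2.10]
Feb 4 16:58:03 localhost postfix/smtpd[25202]: connect from unknown[192.0.2.10]
Feb 4 16:58:04 localhost postfix/smtpd[25202]: disconnect from unknown[192.0.2.10]
Feb 4 16:58:10 localhost postfix/smtpd[25210]: connect from mail.example.net[198.51.100.5]
Feb 4 16:58:11 localhost postfix/smtpd[25210]: 0A1B2C3D4E: client=mail.example.net[198.51.100.5]
Feb 4 16:58:12 localhost postfix/smtpd[25210]: disconnect from mail.example.net[198.51.100.5]
Feb 4 16:58:20 localhost postfix/smtpd[25202]: connect from unknown[192.0.2.11]
Feb 4 16:58:21 localhost postfix/smtpd[25202]: disconnect from unknown[192.0.2.11]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd"
                     r"\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^(?P<event>connect|disconnect) from \S+\[(?P<ip>[^\]]+)\]")

def empty_sessions(log_text, max_seconds=5):
    """Count, per client IP, sessions where one smtpd process logs connect and then
    disconnect within max_seconds with no other line (queue id, client=, reject) between."""
    open_conn = {}                # pid -> (client ip, connect time)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        c = CLIENT_RE.match(m["msg"])
        if c and c["event"] == "connect":
            open_conn[m["pid"]] = (c["ip"], ts)
        elif c and c["event"] == "disconnect":
            ip, start = open_conn.pop(m["pid"], (None, None))
            if ip == c["ip"] and (ts - start).total_seconds() <= max_seconds:
                counts[ip] += 1
        else:
            # Any other smtpd line for this pid means the peer did real SMTP work.
            open_conn.pop(m["pid"], None)
    return dict(counts)

def by_netblock(counts, prefix=24):
    """Aggregate per-IP counts into /prefix netblocks, as the poster saw a whole netblock."""
    blocks = defaultdict(int)
    for ip, n in counts.items():
        blocks[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return dict(blocks)
```

Fed a day's mail log, a netblock whose count dwarfs its delivered-message count is the candidate for a firewall or Postfix client-restriction rule.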