Re: Excess SMTP traffic to non-mail host

From: dr john halewood <john@frumious.unidec.co.uk>
To: "Basil Hussain" <basil.hussain@kodakweddings.com>, <incidents@securityfocus.com>
Date: Wed, 27 Mar 2002 16:41:06 +0000

On Wednesday 27 March 2002 12:10 pm, Basil Hussain wrote:
> Hi,
>
> I have recently noticed a rather worrying trend appearing in the logs from
> our firewall here. Over the past fortnight or so, there has been a fairly
> steady increase in the amount of port 25 (SMTP) connection attempts to a
> host which isn't (and never has been) a mail host. This host only serves a
> web site, the domain's e-mail being served by another host on a different
> IP address.
[...]
> Has anyone any clues what's going on here? Misconfigured remote mail hosts?
> Missing MX records somewhere out there? DDoS against mail hosts?

Probably you're getting hit by idiotic spamming software. I've seen this many
times where you have DNS entries like
www.test.com.  IN A  192.168.0.1
mail.test.com. IN A  192.168.0.2
test.com.      IN MX 10 mail.test.com.
test.com.      IN A  192.168.0.1

Stupid mail programs often ignore the MX record (mail.test.com) for email and
use test.com's IP address instead. The geographical pattern you report also
suggests it's bad spambots ;-)

cheers
john
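The MX-versus-A lookup john describes, as an added Python example that is not part of the original thread: it parses a zone fragment mirroring the one quoted above (constructed, private addresses), resolves the delivery target the RFC 5321 way and the broken "ignore MX" way, and reports which addresses would therefore see misdirected SMTP connections on port 25. The zone text, hostnames and function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed zone fragment mirroring the records in the post (not real hosts).
ZONE = """
www.test.com.  IN A  192.168.0.1
mail.test.com. IN A  192.168.0.2
test.com.      IN MX 10 mail.test.com.
test.com.      IN A  192.168.0.1
"""


def parse_zone(text):
    """Parse 'name IN TYPE rdata...' lines into {(name, type): [rdata tuples]}."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue  # skip blank/malformed lines in this toy parser
        name, rtype, rdata = fields[0].lower(), fields[2].upper(), tuple(fields[3:])
        records[(name, rtype)].append(rdata)
    return records


def _fqdn(domain):
    return domain.lower().rstrip(".") + "."


def rfc5321_targets(records, domain):
    """Delivery per RFC 5321 section 5.1: try MX hosts in preference order;
    fall back to the domain's own A record only when it has no MX at all."""
    mx = sorted(records.get((_fqdn(domain), "MX"), []), key=lambda r: int(r[0]))
    hosts = [r[1].lower() for r in mx] if mx else [_fqdn(domain)]  # implicit MX
    return [a[0] for h in hosts for a in records.get((h, "A"), [])]


def naive_targets(records, domain):
    """The behaviour the post describes: ignore MX and connect to the apex A."""
    return [a[0] for a in records.get((_fqdn(domain), "A"), [])]


def misdirected_smtp_hosts(records, domain):
    """Addresses a broken sender hits on port 25 that are not legitimate MX
    targets: these are the hosts whose firewall logs show unexpected SMTP."""
    return sorted(set(naive_targets(records, domain)) - set(rfc5321_targets(records, domain)))


if __name__ == "__main__":
    zone = parse_zone(ZONE)
    print("correct:", rfc5321_targets(zone, "test.com"))      # ['192.168.0.2']
    print("naive:  ", naive_targets(zone, "test.com"))        # ['192.168.0.1']
    print("exposed:", misdirected_smtp_hosts(zone, "test.com"))  # ['192.168.0.1']
```

Running the check against your own zone tells you whether the apex A record points at a non-mail host, which is exactly the host that will collect this kind of traffic.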

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com