Security Incidents mailing list archives

SMTP server (How can I find out the real source of an attack)


From: MrG <p2mask2_xti () yahoo com>
Date: Thu, 12 Jul 2001 15:53:36 -0700 (PDT)

1. I have an SMTP server (behind my FW) which constantly
(>7 times per second) is trying to establish a TCP/25
session to a host on the internet which is not an SMTP
server (Host_A).
2. Host_A's administrator let me know about this
behavior.
3. Host_A's administrator implemented a filter to reject
packets from my SMTP server.
4. I verified this type of activity on my FW.
5. With a sniffer between my FW internal card and my
SMTP server I verified that constantly (at least 7
times per second) there is traffic between my SMTP
server and Host_A. Always 9 frames, same size,
same number of bytes (the set-up of the connection +
the reject from Host_A + the quit command from my SMTP
server).
6. I disconnected my SMTP server from the network.

I know that my SMTP server has been compromised, but
how can I find out exactly the root of the problem? I
really would like to know how I have been attacked.

Can someone give me a hint on how to start looking at it? I
already looked at several sites trying to find this, but
so far I haven't had any luck.

All feedback is appreciated. Thanks in advance.

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/
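The pattern in the post above (an internal mail server opening TCP/25 connections to one external host several times a second) is easy to pick out of firewall connection logs. The following is an added example, not code from the original post; it assumes a constructed key=value log format and a 10.0.0.0/8 internal range, and flags (source, destination) pairs whose outbound port-25 attempt rate reaches the 7/s the poster observed.

```python
# Added example (not from the post): flag an internal host that hammers one
# external host on TCP/25, the pattern described above (>7 attempts/s).
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed firewall connection-log format (constructed, not any real product's):
# "2001-07-12 15:50:01.100 src=10.0.0.25 dst=203.0.113.7 proto=tcp sport=1025 dport=25"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=tcp sport=\d+ dport=(?P<dport>\d+)$")
INTERNAL = ip_network("10.0.0.0/8")  # assumed range behind the FW

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["src"], m["dst"], int(m["dport"])

def find_smtp_floods(lines, rate_threshold=7.0, min_attempts=10):
    """Map (src, dst) -> attempts/s for outbound TCP/25 pairs at or above rate_threshold."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 25:
            continue
        ts, src, dst, _ = rec
        # Only inside -> outside attempts; a mail server talking to the internet is normal,
        # the same destination several times a second is not.
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            times[(src, dst)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_attempts:
            continue  # too few attempts for a rate to mean anything
        span = (max(stamps) - min(stamps)).total_seconds()
        rate = len(stamps) / span if span > 0 else float("inf")
        if rate >= rate_threshold:
            flagged[key] = rate
    return flagged

# Constructed sample: 20 attempts to one host within 1.9 s, plus two normal deliveries.
SAMPLE_LOG = [
    f"2001-07-12 15:50:0{s}.{i * 100:03d} src=10.0.0.25 dst=203.0.113.7 proto=tcp sport={1025 + 10 * s + i} dport=25"
    for s in (1, 2) for i in range(10)
] + [
    "2001-07-12 15:50:01.500 src=10.0.0.25 dst=198.51.100.10 proto=tcp sport=1100 dport=25",
    "2001-07-12 15:55:30.000 src=10.0.0.25 dst=198.51.100.11 proto=tcp sport=1101 dport=25",
]
```

Running find_smtp_floods(SAMPLE_LOG) reports only the 10.0.0.25 -> 203.0.113.7 pair, at roughly 10.5 attempts/s; the two single deliveries to other hosts stay below min_attempts and are ignored.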


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

