Security Incidents mailing list archives

RE: Odd traffic generated from Exchange Server


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Wed, 24 Oct 2001 15:18:23 -0400

 Anthony,

I believe it is the new-email notification going out from the Exchange
server to all the clients.  Basically, Exchange uses a UDP packet to tell
the Outlook client that a new email has come in and to refresh the view.
Like Ryan Hill said in his reply, you can customize the TCP ports that
Exchange uses for MTA, IS, DS, etc. connections, but unfortunately the UDP
mail notification is completely random and can't be customized.

Later
-Gary-

-----Original Message-----
From: Caruso, Anthony J.
To: INCIDENTS () securityfocus com
Sent: 10/24/01 12:53 PM
Subject: Odd traffic generated from Exchange Server

Hi All:

Outbound ACLs on my router have started picking up traffic originating
from one of my Exchange boxes:

Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)

The source port is usually different and the destination port oscillates
between 1046 and 1171.  The traffic occurs about every 15 min in quick
bursts (incremental source ports).  I am running a sniff now.

Any ideas?

Exchange 5.5 Sp3, NT 4.0SP6a no additional patches.  Internal RFC 1918
addressed Exchange server.

I am putting out an altogether different fire right now, but I will post
traces as I get more info.

Thanks.
-Tony

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
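
Added example, not part of the original thread: a small Python triage script that parses ACL deny lines in the format quoted above and groups the denied UDP packets into bursts, so the pattern described (roughly 15 minutes apart, incrementing source ports, a few destination ports) can be checked against a log. Only the first sample line comes from the message; the others are constructed, and the 5-second burst gap and the year default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the deny line quoted in the message (joined onto a single line).
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ list \d+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)

# First line is from the message; the remaining lines are constructed samples.
SAMPLE = """\
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2644) -> 192.50.50.51(1171)
Oct 23 10:12:19 router1 list 101 denied udp 10.1.1.1(2645) -> 192.50.50.51(1046)
Oct 23 10:27:20 router1 list 101 denied udp 10.1.1.1(2702) -> 192.50.50.51(1171)
Oct 23 10:27:20 router1 list 101 denied udp 10.1.1.1(2703) -> 192.50.50.51(1046)
""".splitlines()

def parse(line, year=2001):
    """Return a record for one deny line, or None if it does not match.
    The log line carries no year, so one is assumed."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": m["src"],
            "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"])}

def summarize(src, recs):
    sports = [r["sport"] for r in recs]
    return {"src": src, "start": recs[0]["ts"], "count": len(recs),
            "dsts": sorted({(r["dst"], r["dport"]) for r in recs}),
            "sequential_sports": len(recs) > 1
            and all(b - a == 1 for a, b in zip(sports, sports[1:]))}

def bursts(lines, gap=timedelta(seconds=5)):
    """Group denied UDP packets per source host into bursts split by > gap."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] == "udp":
            by_src[rec["src"]].append(rec)
    out = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])  # stable: keeps log order within a second
        cur = [recs[0]]
        for r in recs[1:]:
            if r["ts"] - cur[-1]["ts"] > gap:
                out.append(summarize(src, cur))
                cur = []
            cur.append(r)
        out.append(summarize(src, cur))
    return out
```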


