Security Incidents mailing list archives
Re: Excess SMTP traffic to non-mail host
From: dr john halewood <john () frumious unidec co uk>
Date: Wed, 27 Mar 2002 16:41:06 +0000
On Wednesday 27 March 2002 12:10 pm, Basil Hussain wrote:
> Hi, I have recently noticed a rather worrying trend appearing in the logs from our firewall here. Over the past fortnight or so, there has been a fairly steady increase in the amount of port 25 (SMTP) connection attempts to a host which isn't (and never has been) a mail host. This host only serves a web site, the domain's e-mail being served by another host on a different IP address.
[...]
> Has anyone any clues what's going on here? Misconfigured remote mail hosts? Missing MX records somewhere out there? DDoS against mail hosts?
Probably you're getting hit by idiotic spamming software. I've seen this many times where you have DNS entries like

    www.test.com.   IN A  192.168.0.1
    mail.test.com.  IN A  192.168.0.2
    test.com.       IN MX mail.test.com.
    test.com.       IN A  192.168.0.1

Stupid mail programs often ignore the MX record (mail.test.com) for email and use test.com's IP address instead. The geographical pattern you report also suggests it's bad spambots as well ;-)

cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
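
Added example, not part of the original post: a triage sketch for the situation described in this message. It reads the zone records quoted above, works out which address a sender reaches when it ignores the MX record and uses the domain's own A record, and picks the matching port 25 attempts out of firewall log lines. The log format, timestamps, source addresses and function names are constructed for illustration.

```python
# Constructed sample data: zone records as quoted in the post, invented firewall lines.
ZONE = """\
www.test.com.   IN A  192.168.0.1
mail.test.com.  IN A  192.168.0.2
test.com.       IN MX mail.test.com.
test.com.       IN A  192.168.0.1
"""

FIREWALL_LOG = """\
2002-03-27T09:14:02 DENY tcp 203.0.113.7:3312 -> 192.168.0.1:25
2002-03-27T09:14:09 ALLOW tcp 198.51.100.20:4410 -> 192.168.0.2:25
2002-03-27T09:15:41 DENY tcp 203.0.113.99:1045 -> 192.168.0.1:25
2002-03-27T09:16:00 ALLOW tcp 198.51.100.20:4412 -> 192.168.0.1:80
"""

def parse_zone(text):
    """Return (a_records, mx_targets) from 'name IN TYPE value' lines."""
    a_records, mx_targets = {}, {}
    for line in text.splitlines():
        fields = line.lower().split()
        if len(fields) >= 4 and fields[1] == "in" and fields[2] in ("a", "mx"):
            table = a_records if fields[2] == "a" else mx_targets
            table.setdefault(fields[0], set()).add(fields[-1])  # address or exchange
    return a_records, mx_targets

def misdirected_smtp_ips(zone_text):
    """Map IP -> domain for addresses hit by senders that ignore the MX record."""
    a_records, mx_targets = parse_zone(zone_text)
    exposed = {}
    for domain, exchanges in mx_targets.items():
        mail_ips = set().union(*(a_records.get(x, set()) for x in exchanges))
        for ip in a_records.get(domain, set()) - mail_ips:
            exposed[ip] = domain
    return exposed

def triage(log_text, zone_text):
    """Return (source_ip, domain) for port 25 attempts explained by an ignored MX."""
    exposed = misdirected_smtp_ips(zone_text)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[4] == "->":
            src_ip = parts[3].rsplit(":", 1)[0]
            dst_ip, dst_port = parts[5].rsplit(":", 1)
            if dst_port == "25" and dst_ip in exposed:
                hits.append((src_ip, exposed[dst_ip]))
    return hits

if __name__ == "__main__":
    print(triage(FIREWALL_LOG, ZONE))
```

Port 25 attempts against an address that is not in the exposed set are not explained by this pattern and need a separate look.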