Firewall Wizards mailing list archives

Weird SMTP issue


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Wed, 15 Sep 2004 00:51:08 -0700


Have been having a weird issue with SMTP traffic someone might have 
some suggestions about.

Recently installed an SMTP MTA as an antispam box, running Linux and 
Brightmail anti-spam software.  It is configured as the primary MX 
for the domains it handles, and forwards all legit messages to one of 
2 final destination MTAs.  It also sits behind a Netscreen 25 
firewall. (401_xx firmware) 

The Netscreen is configured to allow all outgoing traffic from the 
Brightmail box and block incoming traffic by default.  SMTP incoming 
traffic to the Brightmail box is allowed.

When the Brightmail system was put in service and configured to 
forward certain spam messages to a particular email account, I 
started getting constant Netscreen messages warning of "Port Scans" 
originating from the destination MTA back to the Brightmail box.  
Inevitably these "Port Scans" originate on port 25 on the destination 
MTA and they are sent to a high-numbered port on the Brightmail box.

The only thing I can think of is that the stateful firewall's session 
timeout is expiring and some very slow responses are looking like new 
connection attempts, so the firewall is flagging them as "port scan" 
attempts.  But I never see this kind of problem with regular (non-
spam) email traffic forwarded from the Brightmail box to the same 
MTAs, and rarely at any other time. (the session timeouts are set to 
default values)

As a test I completely reconfigured which MTA that the Brightmail box 
is forwarding these messages to, using a completely different MTA 
software on a completely different OS, and I still see the same 
problem.

Anyone have any ideas on where to look or how best to troubleshoot 
this?

TIA,

Phil



-- 
Philip J. Koenig                                       
pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New 
Millenium


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
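A small model of the failure mode the post suspects, added here as an illustration and not part of the original message or of any Netscreen/Brightmail code: a stateful firewall ages out idle SMTP sessions, so late packets from the MTA (source port 25) to the relay's ephemeral ports no longer match a session, get dropped by the default-deny inbound policy, and a simple "many distinct destination ports from one source in a short window" heuristic then reports a port scan. Addresses, ports, the idle timeout and the scan thresholds are constructed assumptions, not values from the post.

```python
from collections import defaultdict

# Constructed scenario values (not from the post): addresses, ports, thresholds.
BRIGHTMAIL = "192.0.2.10"   # antispam relay behind the firewall
MTA = "192.0.2.20"          # destination MTA it forwards to
IDLE_TIMEOUT = 1800         # assumed TCP idle timeout, seconds
SCAN_PORTS = 10             # assumed: distinct ports from one source ...
SCAN_WINDOW = 1.0           # ... within this many seconds counts as a scan

class StatefulFirewall:
    """Toy model: outbound from BRIGHTMAIL is allowed and creates a session;
    inbound is allowed only if it matches a session that has not idled out;
    unsolicited inbound is dropped and fed to a port-scan counter."""

    def __init__(self):
        self.sessions = {}                    # (client, cport, server, sport) -> last_seen
        self.unsolicited = defaultdict(list)  # src -> [(ts, dport), ...]
        self.alerts = []

    def outbound(self, ts, cport, server, sport):
        self.sessions[(BRIGHTMAIL, cport, server, sport)] = ts
        return "allow"

    def inbound(self, ts, server, sport, cport):
        key = (BRIGHTMAIL, cport, server, sport)
        last = self.sessions.get(key)
        if last is not None and ts - last <= IDLE_TIMEOUT:
            self.sessions[key] = ts           # live session: reply is expected
            return "allow"
        self.sessions.pop(key, None)          # stale entry has aged out
        hits = self.unsolicited[server]
        hits.append((ts, cport))
        recent = {p for t, p in hits if ts - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS:         # looks like MTA:25 probing many high ports
            self.alerts.append((ts, server, sport, sorted(recent)))
        return "drop"


def simulate(n_conns=10, reply_delay=IDLE_TIMEOUT + 5):
    """Open n_conns SMTP sessions from the relay to MTA:25, then have the MTA
    answer all of them reply_delay seconds later. Returns verdict counts and
    the alerts raised; a delay past IDLE_TIMEOUT yields drops plus a 'scan'."""
    fw = StatefulFirewall()
    verdicts = defaultdict(int)
    for i in range(n_conns):
        fw.outbound(0.0, 40000 + i, MTA, 25)
    for i in range(n_conns):
        verdicts[fw.inbound(reply_delay + i * 0.01, MTA, 25, 40000 + i)] += 1
    return dict(verdicts), fw.alerts
```

Running `simulate()` with the default delay shows every late reply dropped and one alert attributed to the MTA on port 25; `simulate(reply_delay=30)` keeps the sessions live and raises nothing, which is the comparison to make against the firewall's real session-timeout and scan-threshold settings.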

