Security Incidents mailing list archives

Re: Excess SMTP traffic to non-mail host


From: dr john halewood <john () frumious unidec co uk>
Date: Wed, 27 Mar 2002 16:41:06 +0000

On Wednesday 27 March 2002 12:10 pm, Basil Hussain wrote:
> Hi,
>
> I have recently noticed a rather worrying trend appearing in the logs from
> our firewall here. Over the past fortnight or so, there has been a fairly
> steady increase in the amount of port 25 (SMTP) connection attempts to a
> host which isn't (and never has been) a mail host. This host only serves a
> web site, the domain's e-mail being served by another host on a different
> IP address.
> [...]
> Has anyone any clues what's going on here? Misconfigured remote mail hosts?
> Missing MX records somewhere out there? DDoS against mail hosts?

Probably you're getting hit by idiotic spamming software. I've seen this many 
times where you have DNS entries like
www.test.com.           IN      A       192.168.0.1
mail.test.com.          IN      A       192.168.0.2
test.com.               IN      MX      mail.test.com.
test.com.               IN      A       192.168.0.1

Stupid mail programs often ignore the MX record (mail.test.com) for email and 
use test.com's IP address instead. The geographical pattern you report also 
suggests it's bad spambots as well ;-)

cheers
john

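An added illustration of the MX-versus-A mix-up described above and of how to spot it in firewall logs; this is example code, not part of the original post. The zone dictionary mirrors the four records in the reply, and the iptables-style log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Constructed zone mirroring the records in the post (not real DNS data).
ZONE = {
    ("www.test.com.", "A"): ["192.168.0.1"],
    ("mail.test.com.", "A"): ["192.168.0.2"],
    ("test.com.", "MX"): [(10, "mail.test.com.")],
    ("test.com.", "A"): ["192.168.0.1"],
}

def mail_host_ips(zone, domain):
    """IPs a compliant sender should use: MX targets in preference order,
    falling back to the domain's own A record only when no MX exists (RFC 2821 section 5)."""
    mx = sorted(zone.get((domain, "MX"), []))
    names = [target for _, target in mx] if mx else [domain]
    ips = []
    for name in names:
        ips.extend(zone.get((name, "A"), []))
    return ips

def naive_sender_ip(zone, domain):
    """What the broken software in the post does: skip the MX and use the domain's A record."""
    return zone.get((domain, "A"), [None])[0]

# Constructed firewall log lines (iptables-style); not taken from the original post.
LOG = """\
Mar 27 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.168.0.1 PROTO=TCP DPT=25
Mar 27 10:01:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.0.2 PROTO=TCP DPT=25
Mar 27 10:02:44 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.168.0.1 PROTO=TCP DPT=25
Mar 27 10:03:10 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.168.0.1 PROTO=TCP DPT=80
Mar 27 10:05:31 fw kernel: IN=eth0 SRC=192.0.2.44 DST=192.168.0.1 PROTO=TCP DPT=25
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")

def misdirected_smtp(log, mail_ips):
    """Count port-25 attempts per source address that target hosts which are not legitimate mail hosts."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "25":
            continue
        if m["dst"] not in mail_ips:
            hits[m["src"]] += 1
    return hits
```

Sources that repeatedly show up in `misdirected_smtp` while never touching the real MX host are the senders that resolved `test.com.` directly instead of following the MX.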
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

