[plug] open relay
Craig Ringer
craig at postnewspapers.com.au
Tue Jul 29 16:03:14 WST 2003
> 192.168.3.1 is on your network, I guess. The SMTP HELO command is
> issued by the SMTP client at the start of a mail transaction. So this
> looks like something on your network sending mail out.
>
> I'd have a close look at 192.168.3.1 to see why it's doing this.
That's what I first thought, but then I saw that it's (a) on eth1, which
is commonly used for the external interface, and (b) connecting to
203.153.224.10 not the internal IP of the server. I suspected spoofing,
but if it's spoofed how is it setting up a connection, it can't receive
any ACKs?!? The addr is non-routable, so unless you have an incredible
chain of misconfigured routers between you and the sender, it can't be a
real IP.
Of course, if eth1 is your internal LAN interface then yeah, it's most
likely an internal host infected with something nasty.
Frankly, this is beyond me, but maybe someone else can help out...
If you could send a tcpdump with all the rest of the session in it too,
that'd be helpful.
tcpdump -i eth0 src 192.168.3.1 or dst 192.168.3.1
would be the command to use. Nobody on the list wants to see your legit
mail or SSH traffic!
Craig Ringer
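The reasoning in the reply above (an RFC 1918 source address showing up on what is probably the external interface, and the observation that a spoofed source could never complete a TCP handshake because the SYN-ACK and any later segments go back to the forged address) can be turned into a small triage script. The following is an added example and is not code from the original thread or the list; it parses tcpdump-style text lines, checks whether each SMTP client address falls in an RFC 1918 range, and reports whether the three-way handshake for that flow was seen to complete. The packet lines are constructed for the example (192.168.3.1 and 203.153.224.10 come from the post; 10.9.8.7 and 198.51.100.20 are invented), and the exact tcpdump line layout assumed here is the common `IP a.b.c.d.port > e.f.g.h.port: Flags [..]` form.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample tcpdump output (not captured from the original thread).
# It models three SMTP (port 25) flows towards the server 203.153.224.10 named in the post:
#   192.168.3.1   -> full three-way handshake, then data: a real host, not a spoofed source
#   10.9.8.7      -> SYN and SYN-ACK only, the final ACK never arrives: spoof candidate
#   198.51.100.20 -> handshake completes from a routable address: ordinary traffic
SAMPLE_DUMP = """\
16:03:01.000001 IP 192.168.3.1.41234 > 203.153.224.10.25: Flags [S], seq 1000, win 5840, length 0
16:03:01.000120 IP 203.153.224.10.25 > 192.168.3.1.41234: Flags [S.], seq 5000, ack 1001, win 5792, length 0
16:03:01.000250 IP 192.168.3.1.41234 > 203.153.224.10.25: Flags [.], ack 5001, win 5840, length 0
16:03:01.001000 IP 192.168.3.1.41234 > 203.153.224.10.25: Flags [P.], seq 1001:1030, ack 5001, win 5840, length 29
16:03:02.000001 IP 10.9.8.7.51000 > 203.153.224.10.25: Flags [S], seq 77, win 1024, length 0
16:03:02.000300 IP 203.153.224.10.25 > 10.9.8.7.51000: Flags [S.], seq 9, ack 78, win 5792, length 0
16:03:05.000000 IP 198.51.100.20.33000 > 203.153.224.10.25: Flags [S], seq 1, win 1024, length 0
16:03:05.000200 IP 203.153.224.10.25 > 198.51.100.20.33000: Flags [S.], seq 2, ack 2, win 5792, length 0
16:03:05.000400 IP 198.51.100.20.33000 > 203.153.224.10.25: Flags [.], ack 3, win 1024, length 0
"""

# RFC 1918 private ranges: the "non-routable" addresses the post is talking about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed tcpdump line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def is_rfc1918(ip):
    """True if the address lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Parse one tcpdump text line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def handshake_states(dump_text, server_port=25):
    """Return {(client, cport, server, sport): state} for every flow whose SYN was seen.

    state is "completed" (SYN, SYN-ACK, ACK all seen), "half_open" (SYN and SYN-ACK
    only) or "syn_only". A spoofed source can never produce the final ACK, because the
    SYN-ACK is delivered to the forged address, so "completed" rules spoofing out.
    """
    seen = defaultdict(set)  # flow -> handshake steps observed so far
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        flags = pkt["flags"]  # tcpdump: S = SYN, . = ACK, P = PSH
        if pkt["dport"] == server_port:  # client -> server direction
            flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if "S" in flags and "." not in flags:
                seen[flow].add("syn")
            elif "." in flags and "S" not in flags and "syn_ack" in seen[flow]:
                seen[flow].add("ack")
        elif pkt["sport"] == server_port:  # server -> client direction
            flow = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if "S" in flags and "." in flags and "syn" in seen[flow]:
                seen[flow].add("syn_ack")
    states = {}
    for flow, steps in seen.items():
        if "syn" not in steps:
            continue  # stray packets without an observed SYN: nothing to judge
        if {"syn", "syn_ack", "ack"} <= steps:
            states[flow] = "completed"
        elif {"syn", "syn_ack"} <= steps:
            states[flow] = "half_open"
        else:
            states[flow] = "syn_only"
    return states


def classify_sources(dump_text, server_port=25):
    """Map each client address to a verdict combining address class and handshake state."""
    verdicts = {}
    for (client, _, _, _), state in handshake_states(dump_text, server_port).items():
        if not is_rfc1918(client):
            verdict = "routable source"
        elif state == "completed":
            verdict = "private source, handshake completed: real host on an attached network"
        else:
            verdict = "private source, handshake incomplete: possible spoofed source"
        verdicts[client] = verdict
    return verdicts


if __name__ == "__main__":
    for client, verdict in classify_sources(SAMPLE_DUMP).items():
        print(f"{client:16} {verdict}")
```

Run it against a real capture by replacing SAMPLE_DUMP with the text output of tcpdump (the `-n` option keeps addresses numeric so the regex matches); a private address whose handshake completes is a host that is genuinely reachable on an attached network, which is the case the reply says points at an infected internal machine rather than spoofing.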