[plug] open relay

Jon Miller jlmiller at mmtnetworks.com.au
Tue Jul 29 20:21:51 WST 2003


eth1 is an external interface; it's actually a NIC connected to the
router's ethernet interface (3.254).
203.153.224.10 is at our ISP.  At first I thought our mail server was
spitting this out, but after checking its logs there is no evidence of
any of this traffic in the maillogs.

I'm capturing packets to see what's going on, using

ethereal -i eth1 -V -w mmtcap not port ssh and not port 6789 and not port 6800

Thanks

Jon
On Tue, 2003-07-29 at 16:03, Craig Ringer wrote:
> > 192.168.3.1 is on your network, I guess.  The SMTP HELO command is
> > issued by the SMTP client at the start of a mail transaction.  So this
> > looks like something on your network sending mail out.
> > 
> > I'd have a close look at 192.168.3.1 to see why it's doing this.
> 
> That's what I first thought, but then I saw that it's (a) on eth1, which 
> is commonly used for the external interface, and (b) connecting to 
> 203.153.224.10 not the internal IP of the server. I suspected spoofing, 
> but if it's spoofed how is it setting up a connection, it can't receive 
> any ACKs?!? The addr is non-routable, so unless you have an incredible 
> chain of misconfigured routers between you and the sender, it can't be a 
> real IP.
> 
> Of course, if eth1 is your internal LAN interface then yeah, it's most 
> likely an internal host infected with something nasty.
> 
> Frankly, this is beyond me, but maybe someone else can help out...
> 
> If you could send a tcpdump with all the rest of the session in it too, 
> that'd be helpful.
> 
> tcpdump -i eth0 src 192.168.3.1 or dst 192.168.3.1
> 
> would be the command to use. Nobody on the list wants to see your legit 
> mail or SSH traffic!
> 
> Craig Ringer
> 
-- 
Jon Miller <jlmiller at mmtnetworks.com.au>
MMT Networks Pty Ltd
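As an added example (not code from either poster), the script below replays a capture of the kind Craig asks for and applies his handshake argument mechanically: a flow whose source address is non-routable but which still completes the TCP three-way handshake on the external interface is coming from a real host that can be reached on that segment, because a spoofer never receives the SYN-ACK and so can never send the final ACK. The log lines are constructed in a simplified tcpdump-like layout; the interface name and the 192.168.3.1 / 203.153.224.10 addresses are taken from the thread, everything else (ports, the 10.0.0.7 and 203.153.224.99 hosts) is made up for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture (not the capture from the thread) in a simplified
# tcpdump-like layout: "<iface> <src>.<sport> > <dst>.<dport>: <flags>".
# Flags use tcpdump's old notation: S = SYN, S. = SYN+ACK, . = ACK, P = PSH.
SAMPLE_LOG = """\
eth1 192.168.3.1.1025 > 203.153.224.10.25: S
eth1 203.153.224.10.25 > 192.168.3.1.1025: S.
eth1 192.168.3.1.1025 > 203.153.224.10.25: .
eth1 192.168.3.1.1025 > 203.153.224.10.25: P
eth1 10.0.0.7.4000 > 203.153.224.10.25: S
eth1 203.153.224.99.40000 > 203.153.224.10.25: S
eth1 203.153.224.10.25 > 203.153.224.99.40000: S.
eth1 203.153.224.99.40000 > 203.153.224.10.25: .
eth0 192.168.3.1.1026 > 203.153.224.10.25: S
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Return one capture line as a dict, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_routable(ip):
    """True for a globally routable address; RFC 1918 space and friends are not."""
    return ipaddress.ip_address(ip).is_global


def track_flows(log_text, external_iface="eth1", port=25):
    """Replay the capture and record, per SMTP client flow seen on the external
    interface, which of SYN, SYN-ACK and final ACK were observed."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != external_iface:
            continue
        if rec["dport"] == port:  # client -> server direction
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
            state = flows[key]
            if rec["flags"] == "S":
                state["syn"] = True
            elif state["synack"]:
                # Any client packet after the SYN-ACK carries the handshake ACK.
                state["ack"] = True
        elif rec["sport"] == port:  # server -> client, seen on the same segment
            key = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if key in flows and rec["flags"] == "S.":
                flows[key]["synack"] = True
    return dict(flows)


def classify(log_text, external_iface="eth1", port=25):
    """Map each client flow to a verdict:
    public-source               : routable source, ordinary outbound SMTP
    private-source-established  : non-routable source that completed the
                                  handshake, so a real host answers there
    private-source-no-handshake : non-routable source with no completed
                                  handshake (spoofed, or a one-way SYN)"""
    verdicts = {}
    for key, st in track_flows(log_text, external_iface, port).items():
        src = key[0]
        established = st["syn"] and st["synack"] and st["ack"]
        if is_routable(src):
            verdicts[key] = "public-source"
        elif established:
            verdicts[key] = "private-source-established"
        else:
            verdicts[key] = "private-source-no-handshake"
    return verdicts


if __name__ == "__main__":
    for (src, sport, dst, dport), verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src}:{sport} -> {dst}:{dport}  {verdict}")
```

Feed it a real capture by converting `tcpdump -n` output (restricted with a filter such as Craig's `src 192.168.3.1 or dst 192.168.3.1`) into the line layout above; the eth0 line in the sample shows that packets on the internal interface are ignored, since only what leaves via the external interface matters for the question in the thread.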