[plug] open relay

James Devenish devenish at guild.uwa.edu.au
Tue Jul 29 20:33:53 WST 2003


Hi,

In message <1059481310.2186.2893.camel at jlmpc>
on Tue, Jul 29, 2003 at 08:21:51PM +0800, Jon Miller wrote:
> eth1 is an external interface; it's actually a NIC connected to the
> router's ethernet interface (3.254).
> 203.153.224.10 is at our ISP.
[...]
> 145.560000  192.168.3.1 -> 203.153.224.10 SMTP Command: HELO mail.sky-maps.com

So where is 192.168.3.1 amongst all of this? How is it that 192.168.3.1
wants to contact 203.153.224.10 and pretend to be "mail.sky-maps.com"
(for example)? Perhaps time to call in some experts to visit your site?
Are you sure the host 192.168.3.1 has not been compromised (also: could
the problem be something as obscure as running a web script that allows
people to send mail)?

As Craig was saying, it should not be physically possible for
192.168.3.1 to talk directly to public IP addresses (e.g. because
203.153.224.10 should have no way of sending packets back to
192.168.3.1). You must have some machine that is modifying (e.g. NAT)
outbound packets from 192.168.3.1 so that they originate from a
publicly-routeable address (unless you have a misconfiguration).
We are suffering from a lack of information about your setup.
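As an added example (not part of this thread or anyone's posted code), here is a small Python check that parses capture lines in the layout quoted above and flags SMTP packets leaving a private (RFC 1918) source for a globally routable destination, the traffic the reply says should not appear without NAT or a misconfiguration. Only the first sample line is from the thread; the others are constructed for this example.

```python
import ipaddress
import re

# Constructed sample capture in the "time src -> dst proto info" layout
# quoted in the thread. Line 1 is the quoted line; the rest are constructed.
SAMPLE_CAPTURE = """\
145.560000  192.168.3.1 -> 203.153.224.10 SMTP Command: HELO mail.sky-maps.com
146.120000  192.168.3.1 -> 192.168.3.254 DNS Standard query A mail.example.invalid
147.010000  203.153.224.10 -> 192.168.3.1 SMTP Response: 250 OK
148.300000  192.168.3.7 -> 203.153.224.10 SMTP Command: MAIL FROM: <x@example.invalid>
149.900000  10.0.0.5 -> 10.0.0.9 SMTP Command: HELO internal
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)


def parse_capture(text):
    """Parse capture lines into dicts; lines not matching the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        records.append(rec)
    return records


def suspicious_smtp(records):
    """SMTP packets from a private source to a globally routable destination.

    A private host can only reach such a destination through a NAT device (or
    a misconfiguration), so each hit names a host whose path out, and whose
    integrity, is worth checking. Private-to-private and inbound SMTP are
    left out."""
    return [r for r in records
            if r["proto"] == "SMTP" and r["src"].is_private and r["dst"].is_global]


def hosts_to_check(records):
    """Distinct private source hosts behind the suspicious SMTP traffic."""
    return sorted({str(r["src"]) for r in suspicious_smtp(records)})
```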
