[plug] open relay
James Devenish
devenish at guild.uwa.edu.au
Tue Jul 29 20:33:53 WST 2003
Hi,
In message <1059481310.2186.2893.camel at jlmpc>
on Tue, Jul 29, 2003 at 08:21:51PM +0800, Jon Miller wrote:
> eth1 is an external interface; it's actually a NIC connected to the
> router's Ethernet interface (3.254).
> 203.153.224.10 is at our ISP.
[...]
> 145.560000 192.168.3.1 -> 203.153.224.10 SMTP Command: HELO mail.sky-maps.com
So where is 192.168.3.1 amongst all of this? How is it that 192.168.3.1
wants to contact 203.153.224.10 and pretend to be "mail.sky-maps.com"
(for example)? Perhaps time to call in some experts to visit your site?
Are you sure the host 192.168.3.1 has not been compromised (also: could
the problem be something as obscure as running a web script that allows
people to send mail)?

As Craig was saying, it should not be physically possible for
192.168.3.1 to talk directly to public IP addresses (e.g. because
203.153.224.10 should have no way of sending packets back to
192.168.3.1). You must have some machine that is modifying (e.g. NAT)
outbound packets from 192.168.3.1 so that they originate from a
publicly routable address (unless you have a misconfiguration).

We are suffering from a lack of information about your setup.
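
Added example, not part of the original message: a small Python filter for one-line capture summaries in the format quoted above. It lists, per RFC 1918 source address, every HELO/EHLO name announced to a non-private destination, which is the question the reply raises about 192.168.3.1. The function names and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Summary line layout as quoted in the thread: time, source, "->", destination, protocol, info
LINE_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+SMTP\s+"
    r"Command:\s+(?:HELO|EHLO)\s+(?P<name>\S+)", re.IGNORECASE)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def outbound_helos(lines):
    """Return (time, src, dst, helo_name) for each HELO/EHLO sent from an
    RFC 1918 source to a destination outside RFC 1918 space."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SMTP greeting (responses, other protocols)
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # capture printed hostnames instead of addresses
        if is_rfc1918(src) and not is_rfc1918(dst):
            hits.append((float(m["time"]), str(src), str(dst), m["name"].lower()))
    return hits

def summarise(hits):
    """Group hits by internal source: which names it claims, and to whom."""
    summary = defaultdict(lambda: {"helo_names": set(), "destinations": set()})
    for _, src, dst, name in hits:
        summary[src]["helo_names"].add(name)
        summary[src]["destinations"].add(dst)
    return dict(summary)

SAMPLE = [
    "145.560000 192.168.3.1 -> 203.153.224.10 SMTP Command: HELO mail.sky-maps.com",  # from the thread
    "145.610000 203.153.224.10 -> 192.168.3.1 SMTP Response: 250 OK",                 # constructed
    "146.020000 192.168.3.7 -> 192.168.3.1 SMTP Command: HELO workstation.example",   # constructed
    "147.300000 192.168.3.1 -> 198.51.100.25 SMTP Command: EHLO other.example",       # constructed
]

if __name__ == "__main__":
    for src, info in summarise(outbound_helos(SAMPLE)).items():
        print(src, sorted(info["helo_names"]), sorted(info["destinations"]))
```

An internal source that announces several different HELO names, or reaches many unrelated external mail servers, is the host to inspect first.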