Re: gigantic smtp transfer

[Rick Murphy <rmurphy () mitretek org>]

At 04:26 PM 2/19/2002 -0600, Zill, Greg wrote:
> > I sporadically get transfers of this size (rcvd=) showing up and can't 
> believe this transaction can complete in 03:45...has anyone ever seen 
> this before? Does this indicate that the sender was trying to shove this 
> much data over repeatedly and unsuccessfully?
> >
> > Feb 18 16:49:55.386 FIREWALL smtp[13328]: 228 smtp: can't connect to 
> 195.146.226.131 port 25 (Connection timed out)
> >
> > Feb 18 16:49:55.387 FIREWALL smtp[13328]: 121 Statistics: 
> duration=224.61 id=49Jhm rcvd=18446744073709551615 srcif=qfe1 
> src=10.21.2.20/1397 svsrc=firewall_ip dstif=hme0 dst=195.146.226.131/25 
> dstname=gate-131.226.146.195.nordnet.fr proto=smtp rule=12 (Cannot 
> connect to server)

It's much more likely that your smtp software is suffering from an 
uninitialized counter. You never connected (according to the first 
message), so you couldn't have received anything. Of course, since you 
didn't specify what firewall or smtp software this is, I'm guessing, but 
there's very little chance that 'rcvd' counter reflects reality.
        -Rick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards