Security Incidents mailing list archives

Excess SMTP traffic to non-mail host


From: "Basil Hussain" <basil.hussain () kodakweddings com>
Date: Wed, 27 Mar 2002 12:10:39 -0000

Hi,

I have recently noticed a rather worrying trend appearing in the logs from
our firewall here. Over the past fortnight or so, there has been a fairly
steady increase in the amount of port 25 (SMTP) connection attempts to a
host which isn't (and never has been) a mail host. This host only serves a
web site, the domain's e-mail being served by another host on a different IP
address.

This isn't really a problem for the server on the receiving end, as our
firewall is blocking the traffic and rejecting these connections. However,
I'm getting worried that this is either some kind of major cock-up somewhere
or some kind of bizarre DDoS attempt.

To give you an idea of the traffic levels, here are the totals on connections
over the past 18 days:

2002-03-08: 145
2002-03-09: 169
2002-03-10: 130
2002-03-11: 110
2002-03-12: 138
2002-03-13: 137
2002-03-14: 294
2002-03-15: 240
2002-03-16: 168
2002-03-17: 440
2002-03-18: 1044
2002-03-19: 1635
2002-03-20: 2746
2002-03-21: 3961
2002-03-22: 5618
2002-03-23: 8962
2002-03-24: 9218
2002-03-25: 8644
2002-03-26: 11430

As you can see, the figures have really shot up over the past week.

I've done a bit of analysis. The traffic originates from around 40-60
different IP addresses, with the top 3 usually the same and being located in
Korea, China, etc. Also, there seems to be no significant pattern on the
timing of this traffic. It's constant, 24-hours a day - about 300-500
connections per hour yesterday (26th) specifically. One other thing to note
is that the host this traffic is directed at is the only one in our IP block
receiving this traffic. Other hosts aren't getting it.

Has anyone any clues what's going on here? Misconfigured remote mail hosts?
Missing MX records somewhere out there? DDoS against mail hosts?

Regards,

Basil Hussain
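The kind of analysis described in the post (daily totals, top source addresses, hourly rate, and whether only one host is being hit) can be scripted against firewall logs. The following is an added example and is not part of the original post or its author's tooling; it assumes a hypothetical "DROP TCP src:port -> dst:port" log format, uses constructed sample lines with documentation-range addresses, and applies a simple surge check to the daily totals quoted in the post.

```python
"""Summarize rejected SMTP connection attempts from firewall logs.

Added example for a mailing-list post about unexplained port-25 traffic to
a web-only host. The log format and sample lines below are constructed for
illustration and do not correspond to any particular firewall product.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample log lines (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2002-03-25 03:12:44 DROP TCP 203.0.113.7:3344 -> 192.0.2.10:25
2002-03-25 03:12:51 DROP TCP 198.51.100.22:1025 -> 192.0.2.10:25
2002-03-25 14:40:02 DROP TCP 203.0.113.7:3345 -> 192.0.2.10:25
2002-03-25 22:01:19 DROP TCP 203.0.113.9:4000 -> 192.0.2.11:80
2002-03-26 00:05:00 DROP TCP 203.0.113.7:3346 -> 192.0.2.10:25
2002-03-26 00:07:31 DROP TCP 198.51.100.22:1026 -> 192.0.2.10:25
2002-03-26 00:09:05 DROP TCP 203.0.113.8:5100 -> 192.0.2.10:25
2002-03-26 11:30:00 DROP TCP 203.0.113.7:3347 -> 192.0.2.10:25
"""

# Daily totals exactly as quoted in the post (used for the surge check).
POSTED_TOTALS = {
    "2002-03-08": 145, "2002-03-09": 169, "2002-03-10": 130, "2002-03-11": 110,
    "2002-03-12": 138, "2002-03-13": 137, "2002-03-14": 294, "2002-03-15": 240,
    "2002-03-16": 168, "2002-03-17": 440, "2002-03-18": 1044, "2002-03-19": 1635,
    "2002-03-20": 2746, "2002-03-21": 3961, "2002-03-22": 5618, "2002-03-23": 8962,
    "2002-03-24": 9218, "2002-03-25": 8644, "2002-03-26": 11430,
}

# Matches the hypothetical format: "<date> <time> DROP TCP src:port -> dst:port"
LINE_RE = re.compile(
    r"^(\S+ \S+) DROP TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_smtp_drops(text, dst_port=25):
    """Return a list of (timestamp, src_ip, dst_ip) for drops to dst_port."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ts, src, dst, port = m.groups()
        if int(port) != dst_port:
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst))
    return events


def daily_counts(events):
    """Connections per calendar day, sorted by date."""
    return dict(sorted(Counter(ts.date().isoformat() for ts, _, _ in events).items()))


def top_sources(events, n=3):
    """The n most frequent source addresses as (ip, count) pairs."""
    return Counter(src for _, src, _ in events).most_common(n)


def hourly_rate(events, day):
    """Connections per hour of day for one date string (YYYY-MM-DD)."""
    hours = Counter(ts.hour for ts, _, _ in events if ts.date().isoformat() == day)
    return dict(sorted(hours.items()))


def targeted_hosts(events):
    """How many drops each destination address received."""
    return dict(Counter(dst for _, _, dst in events))


def flag_surges(daily, window=7, factor=3.0):
    """Flag days whose count exceeds factor x the median of the preceding window days.

    A rolling median is used as the baseline so that a single earlier spike
    does not hide a sustained rise like the one in the post.
    """
    days = list(daily.items())
    flagged = []
    for i, (day, count) in enumerate(days):
        prior = [c for _, c in days[max(0, i - window):i]]
        if prior and count > factor * median(prior):
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    ev = parse_smtp_drops(SAMPLE_LOG)
    print("daily:", daily_counts(ev))
    print("top sources:", top_sources(ev))
    print("hourly on 2002-03-26:", hourly_rate(ev, "2002-03-26"))
    print("targets:", targeted_hosts(ev))
    print("surge days in posted totals:", flag_surges(POSTED_TOTALS))
```

Run against the posted totals, the surge check starts flagging on 2002-03-17, which matches the point at which the author says the figures "really shot up". The per-destination count is what confirms the single-host observation; if a second host started appearing there, the "misconfigured remote mail host" explanation would become less likely.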



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

