RE: Odd traffic generated from Exchange Server

From: Portnoy, Gary (gportnoyat_private)
Date: Wed Oct 24 2001 - 12:18:23 PDT


     Anthony,
    
    I believe it is the new-email notification going out from the Exchange
    server to all the clients.  Basically, Exchange uses a UDP packet to tell
    the Outlook client that a new email has come in and to refresh the view.
    Like Ryan Hill said in his reply, you can customize the TCP ports that
    Exchange uses for MTA, IS, DS, etc. connections, but unfortunately the UDP
    mail notification is completely random and can't be customized.
    
    Later
    -Gary-
    
    -----Original Message-----
    From: Caruso, Anthony J.
    To: INCIDENTSat_private
    Sent: 10/24/01 12:53 PM
    Subject: Odd traffic generated from Exchange Server
    
    Hi All:
    
    Outbound ACLs on my router have started picking up traffic originating
    from one of my Exchange boxes:
    
    Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
    
    The source port is usually different and the destination port oscillates
    between 1046 and 1171.  The traffic occurs about every 15 min in quick
    bursts (incremental source ports). I am running a sniff now.
    
    Any ideas?
    
    Exchange 5.5 Sp3, NT 4.0SP6a no additional patches.  Internal RFC 1918
    addressed Exchange server.
    
    I am putting out an altogether different fire right now, but I will post
    traces as I get more info.
    
    Thanks.
    -Tony
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 12:33:00 PDT
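
The pattern described in the thread (bursts roughly every 15 minutes, incrementing source ports, a small set of destination ports) can be checked against the router's deny log before deciding how to treat the traffic. The following is an added example, not part of the original messages: the function name `summarize` is hypothetical, every sample line except the first is constructed, and the year is assumed from the message date.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the router ACL log format quoted in the original message.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ list (\d+) denied udp "
    r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)$"
)
# Constructed sample: only the first line appears in the original post.
SAMPLE_LOG = """\
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2643) -> 192.50.50.51(1046)
Oct 23 10:12:18 router1 list 101 denied udp 10.1.1.1(2644) -> 192.50.50.51(1171)
Oct 23 10:12:19 router1 list 101 denied udp 10.1.1.1(2645) -> 192.50.50.51(1046)
Oct 23 10:27:20 router1 list 101 denied udp 10.1.1.1(2702) -> 192.50.50.51(1171)
Oct 23 10:27:21 router1 list 101 denied udp 10.1.1.1(2703) -> 192.50.50.51(1046)
Oct 23 10:42:19 router1 list 101 denied udp 10.1.1.1(2760) -> 192.50.50.51(1171)
"""

def summarize(log_text, burst_gap=timedelta(seconds=60)):
    """Group denied UDP flows by (src, dst) and describe their burst pattern."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        # Syslog timestamps carry no year; 2001 is assumed from the message date.
        ts = datetime.strptime("2001 " + m.group(1), "%Y %b %d %H:%M:%S")
        flows[(m.group(3), m.group(5))].append((ts, int(m.group(4)), int(m.group(6))))
    report = {}
    for key, events in flows.items():
        events.sort()
        bursts = [[events[0]]]
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] > burst_gap:  # a long silence starts a new burst
                bursts.append([])
            bursts[-1].append(cur)
        report[key] = {
            "dst_ports": sorted({e[2] for e in events}),
            "burst_sizes": [len(b) for b in bursts],
            "burst_intervals_min": [round((b[0][0] - a[0][0]).total_seconds() / 60)
                                    for a, b in zip(bursts, bursts[1:])],
            "src_ports_incremental": all(
                q[1] - p[1] == 1 for b in bursts for p, q in zip(b, b[1:])),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A flow whose summary shows regular intervals, sequential source ports and destinations that are known mail clients fits the description given in the reply; a flow to unknown destinations with the same shape still needs the packet capture.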