On Wednesday 27 March 2002 12:10 pm, Basil Hussain wrote:
> Hi,
>
> I have recently noticed a rather worrying trend appearing in the logs from
> our firewall here. Over the past fortnight or so, there has been a fairly
> steady increase in the amount of port 25 (SMTP) connection attempts to a
> host which isn't (and never has been) a mail host. This host only serves a
> web site, the domain's e-mail being served by another host on a different
> IP address.
[...]
> Has anyone any clues what's going on here? Misconfigured remote mail hosts?
> Missing MX records somewhere out there? DDoS against mail hosts?

Probably you're getting hit by idiotic spamming software. I've seen this many
times where you have DNS entries like

www.test.com.   IN A   192.168.0.1
mail.test.com.  IN A   192.168.0.2
test.com.       IN MX  mail.test.com.
test.com.       IN A   192.168.0.1

Stupid mail programs often ignore the MX record (mail.test.com) for email and
use test.com's IP address instead. The geographical pattern you report also
suggests it's bad spambots as well ;-)

cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
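An added example, not part of the original post: a check for the pattern described in the reply, where SMTP attempts land on the IP behind a domain's own A record instead of on its MX host. The zone lines are the ones from the reply; the firewall log format, the source addresses and the function names are constructed for illustration.

```python
import re

# Zone records as given in the reply (MX written without a preference value).
ZONE = """\
www.test.com.   IN A   192.168.0.1
mail.test.com.  IN A   192.168.0.2
test.com.       IN MX  mail.test.com.
test.com.       IN A   192.168.0.1
"""

# Constructed firewall log lines in a hypothetical format.
FIREWALL_LOG = """\
Mar 27 09:01:12 fw DROP TCP 203.0.113.7:41022 -> 192.168.0.1:25
Mar 27 09:01:40 fw DROP TCP 198.51.100.23:3310 -> 192.168.0.1:25
Mar 27 09:02:05 fw ACCEPT TCP 198.51.100.23:3325 -> 192.168.0.2:25
Mar 27 09:02:09 fw ACCEPT TCP 203.0.113.99:51000 -> 192.168.0.1:80
"""

def parse_zone(text):
    """Return (A records: name -> set of IPs, MX records: name -> set of exchangers)."""
    a, mx = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "IN" and f[2] == "A":
            a.setdefault(f[0].lower(), set()).add(f[3])
        elif len(f) >= 4 and f[1] == "IN" and f[2] == "MX":
            # Exchanger is the last field, with or without a preference before it.
            mx.setdefault(f[0].lower(), set()).add(f[-1].lower())
    return a, mx

def fallback_targets(zone_text):
    """Map IP -> domain where a domain with an MX also has an A record on a non-mail host."""
    a, mx = parse_zone(zone_text)
    out = {}
    for domain, exchangers in mx.items():
        mail_ips = set().union(*(a.get(x, set()) for x in exchangers))
        for ip in a.get(domain, set()) - mail_ips:
            out[ip] = domain
    return out

LOG_RE = re.compile(r"TCP (\S+):\d+ -> (\S+):(\d+)$")

def stray_smtp(log_text, zone_text):
    """Return (source, destination, domain) for port 25 attempts that bypass the MX."""
    targets = fallback_targets(zone_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == "25" and m.group(2) in targets:
            hits.append((m.group(1), m.group(2), targets[m.group(2)]))
    return hits
```

Sources returned by `stray_smtp` are consistent with senders that resolved the domain's A record rather than its MX; port 25 traffic to hosts outside `fallback_targets` needs a different explanation.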