4

Using netstat -na I notice that I have a lot of connections like

tcp        0      0 XXX.XXX.XXX.XXX:25        YYY.YYY.YYY.YYY:13933     ESTABLISHED
tcp        0      0 XXX.XXX.XXX.XXX:25        ZZZ.ZZZ.ZZZ.ZZZ:9528     ESTABLISHED

Those are connections to addresses in the USA, Brazil etc., even though my server is located in the UK.
Can that be some "illegal" activity, like spamming or something?

[root@myserver ~]# tcpdump port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:54:33.842388 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: S 3343584823:3343584823(0) win 8192 <mss 1360,nop,wscale 2,nop,nop,sackOK>
20:54:33.842431 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: S 583530268:583530268(0) ack 3343584824 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
20:54:33.904660 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 1 win 16660
20:54:34.036073 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: P 1:90(89) ack 1 win 46
20:54:34.304356 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 90 win 16637
20:54:34.304433 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: P 90:110(20) ack 1 win 46
20:54:34.568451 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 110 win 16632
Chris S
user48058
  • Can you post some wireshark dumps by any chance? – Natalie Adams Jul 18 '10 at 20:22
  • sure, i edited my original post – user48058 Jul 18 '10 at 20:42
  • You should check your mail server logs and you will be much wiser about what is happening. The location of these logs depends on your OS distribution and mail server software, which was not specified. Or use "tcpdump -s0 -A" to see the real-time SMTP conversations, as someone suggested. – snap Aug 02 '11 at 17:33
  • Give us more information. Is your server/computer a mail server, or is it a normal computer? Are you behind NAT or not? Why do you have port 25 open (if not for accepting emails)? Give us more background. – MadBoy Aug 02 '11 at 17:36

5 Answers

11

Yes.

Or at least, it's being attempted. If you have port 25 open, you can be guaranteed someone's trying to relay mail through you. If you have port 80 open, you can be guaranteed someone's trying to exploit your site. If you have port 22 open, you can be guaranteed someone's trying to brute force you. Notice a pattern?

Lucky for you, they're almost entirely amateurish. Use tools like your log files, telnet, and tcpdump to verify that these are only attempts and you're not successfully being used to relay spam.

Matt
  • On the command tcpdump port 25, part of the result is S 3343584823:3343584823(0) win 8192, or ack 1 win 16660, etc. Can you give me a suggestion where to look next? – user48058 Jul 18 '10 at 20:00
  • Use the `-A -s 0` flags to get the entire packet. What you're looking for is to see if they're able to relay mail through you. You can also use telnet to try manually sending an email from various IPs. – Matt Jul 18 '10 at 20:59
  • How can I find which program or file or script is sending (or trying to send) emails? I do have some activity, that's for sure.... – user48058 Jul 27 '10 at 20:04
2

Port 25 is the standard port SMTP traffic runs on. If you intend for your system to be an email server, then those might be legitimate servers trying to send you or your users email. If you do not intend your system to be an email server, figure out how to get port 25 turned off.

Historically, email servers would be configured to politely send on email for other servers. Today this is bad, bad, bad. It's called being an open email relay. It would be wise for you to verify that you are not doing this. But don't go too far and try to block port 25 traffic if you do mean to accept email from the outside world.

Banis
1

If you need it open, you need it open. Try to lock down who you accept SMTP connections from. You can get an offsite spam/virus filter, which hosts the servers listed in your DNS MX record. Then only accept SMTP from their network.

Note that tcp port 587 is an RFC mail submission port.

singer
0

Do you have an email server on this machine?
If not, close the port (firewall) and that should be sufficient.
If yes, then look in your mail.log (/var/log/mail.log) to see what is happening there. It will say who connected and what was done.
If the IPs are trying to send a lot of email to nonexistent users on your domain or to other domains, or doing other "illegal" activity (blocked or successful), I would drop them in the firewall if they do this a lot and every day. But it's only a personal choice, not a necessary option, and you cannot stay there all day looking at all the connections to block everybody!!!

After that, I think you should investigate to see whether your e-mail server is relaying e-mail for whoever asks for it or not. Anyway, if you have a mail server, people will try to use it. Nothing you can do against them trying... but you should be able to see in the log if they succeeded in relaying or if they were blocked. Make sure your email server is configured not to relay for untrusted or unknown servers (or known and not allowed, of course! :)).

Edit: just remembered now... if you do not have an email server and port 25 is open, I think you need to have a look at the other ports too and close the unused ones.

laurent
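The log check described in laurent's answer, as an added example that is not part of the original answer: it reads Postfix-style mail.log lines, counts "Relay access denied" rejections per client IP, and flags any message whose client came from outside the trusted networks and whose delivery went to a domain the server is not responsible for, which is what a successful relay looks like in the log. The log lines, host names, IPs and addresses are constructed for the example; LOCAL_DOMAINS and TRUSTED_NETS are assumptions about the server being checked, and the log's location and exact format depend on the MTA in use, as snap's comment points out.

```python
"""Mail-log triage for relay abuse (added example, Postfix log format assumed)."""
import ipaddress
import re
from collections import Counter

LOCAL_DOMAINS = {"myserver.example"}                    # assumed: domains this host accepts mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: clients allowed to relay through us

# Constructed sample log: one outside client refused twice, one outside client
# that got a message delivered to an outside domain (a real relay), and one
# trusted partner delivering to a local mailbox (legitimate).
SAMPLE_LOG = """\
Jul 18 20:54:34 myserver postfix/smtpd[4123]: connect from unknown[203.0.113.45]
Jul 18 20:54:35 myserver postfix/smtpd[4123]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <victim@other.example>: Relay access denied; from=<spam@bulk.example> to=<victim@other.example> proto=SMTP helo=<adsl-host>
Jul 18 20:54:36 myserver postfix/smtpd[4123]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <victim2@other.example>: Relay access denied; from=<spam@bulk.example> to=<victim2@other.example> proto=SMTP helo=<adsl-host>
Jul 18 20:54:37 myserver postfix/smtpd[4123]: disconnect from unknown[203.0.113.45]
Jul 18 20:55:01 myserver postfix/smtpd[4130]: 7A1B2C3D4E: client=unknown[198.51.100.7]
Jul 18 20:55:01 myserver postfix/qmgr[2201]: 7A1B2C3D4E: from=<spam@bulk.example>, size=1832, nrcpt=1 (queue active)
Jul 18 20:55:02 myserver postfix/smtp[4140]: 7A1B2C3D4E: to=<victim@other.example>, relay=mx.other.example[203.0.113.200]:25, delay=1.1, delays=0.4/0.01/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Jul 18 20:55:30 myserver postfix/smtpd[4150]: 1122334455: client=mail.partner.example[192.0.2.10]
Jul 18 20:55:30 myserver postfix/qmgr[2201]: 1122334455: from=<alice@partner.example>, size=920, nrcpt=1 (queue active)
Jul 18 20:55:31 myserver postfix/local[4160]: 1122334455: to=<bob@myserver.example>, relay=local, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) [\d.]+ <[^>]*>: (?P<reason>[^;]+);")
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S+\[(?P<ip>[^\]]+)\]")
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|lmtp|local|virtual)\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text):
    """Return {'denied': Counter(ip -> refused relay attempts), 'relayed': [(qid, client_ip, rcpt)]}."""
    denied = Counter()
    client_of = {}   # queue id -> client IP, taken from the smtpd 'client=' line
    relayed = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            if "Relay access denied" in m["reason"]:
                denied[m["ip"]] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            client_of[m["qid"]] = m["ip"]
            continue
        m = DELIVERY_RE.search(line)
        if m and m["status"] == "sent":
            client = client_of.get(m["qid"])
            rcpt_domain = m["to"].rpartition("@")[2].lower()
            # Outside client, outside destination, accepted and delivered: that is a relay.
            if client and not is_trusted(client) and rcpt_domain not in LOCAL_DOMAINS:
                relayed.append((m["qid"], client, m["to"]))
    return {"denied": denied, "relayed": relayed}


def ban_candidates(report, threshold=2):
    """IPs whose refused relay attempts reached the threshold (candidates for a firewall DROP)."""
    return sorted(ip for ip, n in report["denied"].items() if n >= threshold)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, n in report["denied"].most_common():
        print("%-16s %d refused relay attempts" % (ip, n))
    for qid, client, rcpt in report["relayed"]:
        print("RELAYED: queue %s from client %s delivered to %s" % (qid, client, rcpt))
    for ip in ban_candidates(report):
        print("iptables -A INPUT -s %s -p tcp --dport 25 -j DROP" % ip)
```

Against a live server, feed it the real file with `triage(open("/var/log/mail.log").read())`. Anything in `relayed` means the server is relaying for outsiders and the open-relay check in the other answers has already failed; an empty `relayed` list with a long `denied` tally is the "only attempts" situation Matt's answer describes, and `ban_candidates` is the per-IP list laurent's firewall drop would apply to.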
0

If your server/computer is a mail server, please verify it with http://mxtoolbox.com/ to see that it's not an open relay. If MxToolbox says it's not, you can safely assume that most likely the incoming connections are not doing you any harm (except for trying to relay through you, which is unsuccessful). You could also check whether your server is on a spam list to verify you're not sending spam yourself.

MadBoy
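The manual relay test that Matt's comment (telnet in from an outside IP), Banis's answer (verify you are not an open relay) and MadBoy's answer (the MxToolbox check) all point at, scripted as an added example that is not part of the original thread. `probe_relay()` speaks just enough SMTP to send MAIL FROM and RCPT TO with addresses in a domain the target is not responsible for and reports whether the recipient was accepted; it stops before DATA, so no message is queued even on a server that does relay. The fake server, its domain and the probe addresses are constructed for the example so the script can run offline; against a real server, run it from a host outside your own network, because a recipient in the server's own domain is supposed to be accepted and proves nothing.

```python
"""Scripted open-relay probe (added example) with a constructed fake SMTP server for offline runs."""
import socket
import threading

LOCAL_DOMAIN = "example.com"                 # assumed: the only domain the fake server accepts mail for
PROBE_SENDER = "relaytest@external.example"  # assumed outside sender
PROBE_RCPT = "someone@another.example"       # assumed outside recipient
CRLF = "\r\n"


def _read_reply(f):
    """Read one SMTP reply, following '250-...' continuation lines; return (code, text)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip(CRLF))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":   # '250 ' ends the reply, '250-' continues
            break
    return int(lines[-1][:3]), "\n".join(lines)


def probe_relay(host, port, sender=PROBE_SENDER, rcpt=PROBE_RCPT, timeout=10):
    """Return each step's reply code plus an 'open_relay' verdict for host:port."""
    result = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline=CRLF)  # '\n' written becomes CRLF on the wire

        def cmd(line):
            f.write(line + "\n")
            f.flush()
            return _read_reply(f)

        result["banner"] = _read_reply(f)[0]
        result["helo"] = cmd("HELO probe.external.example")[0]
        result["mail_from"] = cmd("MAIL FROM:<%s>" % sender)[0]
        result["rcpt_code"], result["rcpt_text"] = cmd("RCPT TO:<%s>" % rcpt)
        # An outside recipient accepted from an outside sender is the definition of an open relay.
        result["open_relay"] = 200 <= result["rcpt_code"] < 300
        try:
            cmd("RSET")   # abandon the envelope; we never send DATA
            cmd("QUIT")
        except (ConnectionError, OSError):
            pass
    return result


def _serve_one(conn, open_relay):
    """Answer one session with Postfix-style replies (constructed fake, not a real MTA)."""
    f = conn.makefile("rw", encoding="ascii", newline=CRLF)

    def reply(text):
        f.write(text + "\n")
        f.flush()

    reply("220 mx.example.com ESMTP fake-for-example")
    while True:
        line = f.readline()
        if not line:
            break
        verb, _, arg = line.rstrip(CRLF).partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply("250 mx.example.com")
        elif verb == "MAIL":
            reply("250 2.1.0 Ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip(" <>").lower()
            if open_relay or addr.endswith("@" + LOCAL_DOMAIN):
                reply("250 2.1.5 Ok")
            else:
                reply("554 5.7.1 <%s>: Relay access denied" % addr)
        elif verb == "RSET":
            reply("250 2.0.0 Ok")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("502 5.5.2 Error: command not recognized")
    f.close()
    conn.close()


def start_fake_server(open_relay=False):
    """Listen on an ephemeral 127.0.0.1 port in a daemon thread; return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(conn, open_relay), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for flag in (False, True):
        r = probe_relay("127.0.0.1", start_fake_server(open_relay=flag))
        print("fake server open_relay=%s -> RCPT TO reply %d, verdict open_relay=%s"
              % (flag, r["rcpt_code"], r["open_relay"]))
```

Pointed at a real host (`probe_relay("mail.yourdomain.example", 25)`), a 5xx on RCPT TO is the answer you want; a 250 means the server accepted an outside recipient from an outside sender and is an open relay regardless of what the tcpdump shows. Repeat from several source networks, as Matt suggests, since relay permission is usually decided by client IP.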