[PLUG] new one on me ... smtp port hammered by 69.220.244.203

Russell Senior seniorr at aracnet.com
Fri Dec 16 19:09:37 UTC 2005


I looked at the blinky lights this morning and saw lots of activity
overnight.  Usually, it is one of the random-user ssh attacks and I
squelch them in iptables.  This time it was an IP address
69.220.244.203 connecting to the smtp port.  My /var/log/mail.log had
lots of:

   Dec 16 10:49:08 bonneville greylist[1657]: IP 69.220.244.203 OK - accepting 
   Dec 16 10:49:08 bonneville greylist[1657]: starting /usr/sbin/qmail-smtpd 
   Dec 16 10:49:09 bonneville greylist[1658]: IP 69.220.244.203 OK - accepting 
   Dec 16 10:49:09 bonneville greylist[1658]: starting /usr/sbin/qmail-smtpd 
   Dec 16 10:49:10 bonneville greylist[1659]: IP 69.220.244.203 OK - accepting 
   Dec 16 10:49:10 bonneville greylist[1659]: starting /usr/sbin/qmail-smtpd 
   Dec 16 10:49:11 bonneville greylist[1660]: IP 69.220.244.203 OK - accepting 
   Dec 16 10:49:11 bonneville greylist[1660]: starting /usr/sbin/qmail-smtpd 

... but never any delivery, didn't start spamd or anything.

Tcpdumps look like this, over and over:

   10:49:00.025584 IP 69-220-244-203.ded.ameritech.net.30669 > mail.foo.com.smtp: S 3478240314:3478240314(0) win 16384 <mss 1380,nop,nop,sackOK>
   10:49:00.025707 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: S 753812388:753812388(0) ack 3478240315 win 5840 <mss 1460,nop,nop,sackOK>
   10:49:00.109045 IP 69-220-244-203.ded.ameritech.net.30669 > mail.foo.com.smtp: . ack 1 win 16560
   10:49:00.307464 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: P 1:25(24) ack 1 win 5840
   10:49:00.391923 IP 69-220-244-203.ded.ameritech.net.30669 > mail.foo.com.smtp: P 1:24(23) ack 25 win 16536
   10:49:00.392040 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: . ack 24 win 5840
   10:49:00.392356 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: P 25:73(48) ack 24 win 5840
   10:49:00.480733 IP 69-220-244-203.ded.ameritech.net.30669 > mail.foo.com.smtp: P 24:30(6) ack 73 win 16488
   10:49:00.480974 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: P 73:91(18) ack 30 win 5840
   10:49:00.481163 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: F 91:91(0) ack 30 win 5840
   10:49:00.566198 IP 69-220-244-203.ded.ameritech.net.30669 > mail.foo.com.smtp: F 30:30(0) ack 91 win 16470
   10:49:00.566303 IP mail.foo.com.smtp > 69-220-244-203.ded.ameritech.net.30669: . ack 31 win 5840
   10:49:00.567489 IP 69-220-244-203.ded.ameritech.net.30669 > mail.foo.com.smtp: . ack 92 win 16470

When I mtr back to the originating host, the hop before resolves as
Teenage-Research-Unlimited-Inc-IAF198935.cust-rtr.ameritech.net.

Anyway, all fixed up now.


-- 
Russell Senior         ``I have nine fingers; you have ten.''
seniorr at aracnet.com
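One way to catch this pattern in mail.log automatically, as an added example that is not from the post or the PLUG list: the sample lines are constructed in the greylist format quoted above, and the year, the one-minute window and the threshold of four accepts are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the greylist/mail.log format quoted in the post;
# the second IP is a normal, single connection for contrast.
SAMPLE_LOG = """\
Dec 16 10:49:08 bonneville greylist[1657]: IP 69.220.244.203 OK - accepting
Dec 16 10:49:08 bonneville greylist[1657]: starting /usr/sbin/qmail-smtpd
Dec 16 10:49:09 bonneville greylist[1658]: IP 69.220.244.203 OK - accepting
Dec 16 10:49:09 bonneville greylist[1658]: starting /usr/sbin/qmail-smtpd
Dec 16 10:49:10 bonneville greylist[1659]: IP 69.220.244.203 OK - accepting
Dec 16 10:49:10 bonneville greylist[1659]: starting /usr/sbin/qmail-smtpd
Dec 16 10:49:11 bonneville greylist[1660]: IP 69.220.244.203 OK - accepting
Dec 16 10:49:11 bonneville greylist[1660]: starting /usr/sbin/qmail-smtpd
Dec 16 10:52:30 bonneville greylist[1700]: IP 192.0.2.10 OK - accepting
Dec 16 10:52:30 bonneville greylist[1700]: starting /usr/sbin/qmail-smtpd
"""

# Only the "OK - accepting" lines matter: one per inbound SMTP connection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ greylist\[\d+\]: "
    r"IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) OK - accepting"
)

def parse_accepts(log_text, year=2005):
    """Yield (datetime, ip) per accepted connection; syslog has no year, so assume one."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_hammering_ips(log_text, window_s=60, threshold=4):
    """Sliding window per IP: return {ip: peak count} for IPs that reach threshold
    accepts within window_s seconds. Assumes the log is in chronological order."""
    recent = defaultdict(deque)
    peak = {}
    for ts, ip in parse_accepts(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def iptables_drop_rules(ips):
    """Render the per-IP squelch rule the post mentions, one per offending IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in sorted(ips)]
```

Running `find_hammering_ips(SAMPLE_LOG)` flags only 69.220.244.203, and `iptables_drop_rules` turns that into the rule to review before applying.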


