[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Odd traffic to munition2.xs4all.nl, any ideas?

I have a Debian box acting as a mailserver running Exim behind a Debian
box acting as a firewall/gateway with appropriate port forwarding etc. 
Everything runs fine.  I've been seeing some odd traffic lately,
though.  An SMTP request will come in and be forwarded to the
mailserver, the mailserver responds by opening a 113 (auth) connection
back to the caller, and then, a 7 (echo) and then 2702 (?!) to
munitions2.xs4all.nl for no apparent reason.  Any ideas?

Here's a sample from my IP tracking logs, gemini is the firewall and
libra is the mailserver.  Note the contacts to munitions come about 25
seconds after the AUTH traffic, this is not too atypical although it's
usually closer to 15, and (by eye I'd say) always between 10 - 30
seconds after the AUTH traffic.

2002-09-01 22:56:24   3443      25 -> gemini (smtp)
2002-09-01 22:56:24  1589    113
  libra -> (auth)
2002-09-01 22:56:50  1591      7
  libra -> munitions2.xs4all.nl (echo)
2002-09-01 22:56:51  1592   2702
  libra -> munitions2.xs4all.nl

First noticed this last Thursday.  I'd love to know what exactly is
going on here and why...

Reply to: