Odd traffic to munition2.xs4all.nl, any ideas?
I have a Debian box acting as a mailserver running Exim behind a Debian
box acting as a firewall/gateway with appropriate port forwarding etc.
Everything runs fine. I've been seeing some odd traffic lately,
though. An SMTP request will come in and be forwarded to the
mailserver, the mailserver responds by opening a 113 (auth) connection
back to the caller, and then, a 7 (echo) and then 2702 (?!) to
munitions2.xs4all.nl for no apparent reason. Any ideas?
Here's a sample from my IP tracking logs, gemini is the firewall and
libra is the mailserver. Note the contacts to munitions come about 25
seconds after the AUTH traffic, this is not too atypical although it's
usually closer to 15, and (by eye I'd say) always between 10 - 30
seconds after the AUTH traffic.
2002-09-01 22:56:24 220.127.116.11 3443 18.104.22.168 25
22.214.171.124 -> gemini (smtp)
2002-09-01 22:56:24 192.168.100.201 1589 126.96.36.199 113
libra -> 188.8.131.52 (auth)
2002-09-01 22:56:50 192.168.100.201 1591 184.108.40.206 7
libra -> munitions2.xs4all.nl (echo)
2002-09-01 22:56:51 192.168.100.201 1592 220.127.116.11 2702
libra -> munitions2.xs4all.nl
First noticed this last Thursday. I'd love to know what exactly is
going on here and why...