Odd traffic to munition2.xs4all.nl, any ideas?
I have a Debian box acting as a mailserver running Exim behind a Debian
box acting as a firewall/gateway with appropriate port forwarding etc.
Everything runs fine. I've been seeing some odd traffic lately,
though. An SMTP request will come in and be forwarded to the
mailserver, the mailserver responds by opening a 113 (auth) connection
back to the caller, and then, a 7 (echo) and then 2702 (?!) to
munitions2.xs4all.nl for no apparent reason. Any ideas?
Here's a sample from my IP tracking logs, gemini is the firewall and
libra is the mailserver. Note the contacts to munitions come about 25
seconds after the AUTH traffic, this is not too atypical although it's
usually closer to 15, and (by eye I'd say) always between 10 - 30
seconds after the AUTH traffic.
2002-09-01 22:56:24 184.108.40.206 3443 220.127.116.11 25
18.104.22.168 -> gemini (smtp)
2002-09-01 22:56:24 192.168.100.201 1589 22.214.171.124 113
libra -> 126.96.36.199 (auth)
2002-09-01 22:56:50 192.168.100.201 1591 188.8.131.52 7
libra -> munitions2.xs4all.nl (echo)
2002-09-01 22:56:51 192.168.100.201 1592 184.108.40.206 2702
libra -> munitions2.xs4all.nl
First noticed this last Thursday. I'd love to know what exactly is
going on here and why...