
Odd traffic to munition2.xs4all.nl, any ideas?



I have a Debian box acting as a mailserver running Exim behind a Debian
box acting as a firewall/gateway with appropriate port forwarding etc. 
Everything runs fine.  I've been seeing some odd traffic lately,
though.  An SMTP request will come in and be forwarded to the
mailserver, the mailserver responds by opening a 113 (auth) connection
back to the caller, and then, a 7 (echo) and then 2702 (?!) to
munitions2.xs4all.nl for no apparent reason.  Any ideas?

Here's a sample from my IP tracking logs, gemini is the firewall and
libra is the mailserver.  Note the contacts to munitions come about 25
seconds after the AUTH traffic, this is not too atypical although it's
usually closer to 15, and (by eye I'd say) always between 10 - 30
seconds after the AUTH traffic.

2002-09-01 22:56:24 212.171.20.194   3443 64.83.195.241      25
  212.171.20.194 -> gemini (smtp)
2002-09-01 22:56:24 192.168.100.201  1589 212.171.20.194    113
  libra -> 212.171.20.194 (auth)
2002-09-01 22:56:50 192.168.100.201  1591 194.109.217.74      7
  libra -> munitions2.xs4all.nl (echo)
2002-09-01 22:56:51 192.168.100.201  1592 194.109.217.74   2702
  libra -> munitions2.xs4all.nl

First noticed this last Thursday.  I'd love to know what exactly is
going on here and why...
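
Added example (not part of the original post): one way to pull this pattern out of a connection log in the format shown above, by flagging connections from the mailserver to hosts that did not recently open an SMTP session and reporting the delay since the last ident lookup. The function names and the 60-second window are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Connection lines copied from the post's sample; description lines are omitted.
SAMPLE = """\
2002-09-01 22:56:24 212.171.20.194   3443 64.83.195.241      25
2002-09-01 22:56:24 192.168.100.201  1589 212.171.20.194    113
2002-09-01 22:56:50 192.168.100.201  1591 194.109.217.74      7
2002-09-01 22:56:51 192.168.100.201  1592 194.109.217.74   2702
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(log_text):
    """Yield (time, src, sport, dst, dport) per connection line; skip other lines."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def unexplained_outbound(log_text, mail_host, window=60):
    """Return (seconds_since_ident, dst, dport) for connections from mail_host
    to hosts that did not open an SMTP session within `window` seconds."""
    smtp_peers = {}    # peer IP -> time of its latest inbound SMTP connection
    last_ident = None  # time of mail_host's latest ident (113) callback
    findings = []
    for ts, src, _sport, dst, dport in parse(log_text):
        if dport == 25 and src != mail_host:
            smtp_peers[src] = ts
        elif src == mail_host:
            seen = smtp_peers.get(dst)
            recent_peer = seen is not None and (ts - seen).total_seconds() <= window
            if dport == 113 and recent_peer:
                last_ident = ts  # expected: ident callback to the SMTP client
            elif not recent_peer and last_ident is not None:
                delay = int((ts - last_ident).total_seconds())
                if delay <= window:
                    findings.append((delay, dst, dport))
    return findings

if __name__ == "__main__":
    for delay, dst, dport in unexplained_outbound(SAMPLE, "192.168.100.201"):
        print(f"+{delay}s after ident: {dst}:{dport}")
```

Ordinary outbound mail delivery from the mailserver (port 25) that happens to follow an ident lookup is reported too, so the results are leads to check rather than verdicts.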



