Mysterious mail from an unused IP.

Posted on 2005-04-13
Last Modified: 2012-05-05
Hi All;

I have a server running a control panel (PLESK).  Within the control panel we have multiple clients, each client is assigned its own IP so we can monitor bandwidth usage on a per client level.  Now each IP has multiple domains hosted off of it.  However we did assign a couple of extra IPs to that server for use later when we get more clients.  Now one of these unused IPs is sending out TCP packets that look to me like mail.  Again there is nobody assigned to this IP address.  I realize that the server might be compromised but I don't want to start pulling down sites unless I am absolutely sure.  The amount of bandwidth that the server is using is minimal (150 MB/24 hours).  How can I check to be sure that this is not legitimate traffic?

P.S.  I checked the mail logs and wouldn't ya know it, the maillog is 0 KB.
Question by: seanostephens

    Accepted Solution

    Examine the contents of the TCP packets. What's in there? Is it legit?

    Expert Comment

    Here is a good tool for viewing network traffic and it's free.

    Could the IP be spoofed? Or is it actual traffic?

    Author Comment

    I'm not sure, that's what I have been trying to figure out.  I've got snort installed and monitoring packets.  After letting it run for a day I found that most of the traffic is legit mail from a list on our server.  However there are a few packets that come through that contain either:

    a) no data (just TCP headers)
    b) 221 service closing channel.

    Are either of these OK?

    Expert Comment

    According to this:

    221 is an SMTP reply code

    Hope that helps narrow it down.
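    A small triage script, added here as an illustration and not part of the original thread, that does what the accepted solution and the comment above suggest: it looks at the payload of each captured TCP segment and sorts it into bare TCP control traffic (empty payload), SMTP reply codes such as 221, SMTP commands, or something else worth a manual look. The capture records, the spare address 203.0.113.7 and the mail hosts are all constructed placeholders; it assumes the capture was already filtered to port 25 and reduced to (src, dst, payload) tuples.

```python
import re
from collections import Counter

# Constructed sample, not from the original thread. Assumes the capture was already
# filtered to TCP port 25 (e.g. a snort/tcpdump filter) and reduced to
# (src_ip, dst_ip, payload) tuples; 203.0.113.7 is a placeholder for the spare IP.
WATCH_IP = "203.0.113.7"
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.20", b""),                                 # SYN, headers only
    ("198.51.100.20", "203.0.113.7", b"220 mx.example.net ESMTP\r\n"),      # server banner
    ("203.0.113.7", "198.51.100.20", b"EHLO lists.example.org\r\n"),
    ("203.0.113.7", "198.51.100.20", b"MAIL FROM:<list-bounce@example.org>\r\n"),
    ("203.0.113.7", "198.51.100.20", b"RCPT TO:<subscriber@example.net>\r\n"),
    ("198.51.100.20", "203.0.113.7", b"221 2.0.0 Bye\r\n"),                 # session closing
    ("203.0.113.7", "198.51.100.20", b""),                                 # FIN/ACK, headers only
]

SMTP_COMMANDS = ("EHLO", "HELO", "MAIL FROM:", "RCPT TO:", "DATA", "RSET", "QUIT")
REPLY_RE = re.compile(rb"^(\d{3})[ -]")
RCPT_RE = re.compile(rb"^RCPT TO:\s*<?([^>\r\n]+)>?", re.IGNORECASE)

def classify_payload(payload: bytes) -> str:
    """Label a segment: bare TCP control, SMTP reply code, SMTP command, or unknown."""
    if not payload:
        return "tcp-control"            # handshake/ACK/FIN: carries no mail content at all
    m = REPLY_RE.match(payload)
    if m:
        return "smtp-reply-" + m.group(1).decode()   # "221 ..." -> "smtp-reply-221"
    for cmd in SMTP_COMMANDS:
        if payload.upper().startswith(cmd.encode()):
            return "smtp-command-" + cmd.split()[0]  # "RCPT TO:" -> "smtp-command-RCPT"
    return "unknown-payload"            # not SMTP-shaped: inspect this one by hand

def triage(packets, watch_ip):
    """Count segment kinds per direction for watch_ip and collect RCPT TO addresses."""
    kinds = {"out": Counter(), "in": Counter()}
    recipients = []
    for src, dst, payload in packets:
        if watch_ip not in (src, dst):
            continue
        direction = "out" if src == watch_ip else "in"
        kinds[direction][classify_payload(payload)] += 1
        m = RCPT_RE.match(payload)
        if m:
            recipients.append((direction, m.group(1).decode()))
    return kinds, recipients

if __name__ == "__main__":
    kinds, recipients = triage(SAMPLE_PACKETS, WATCH_IP)
    for direction in ("out", "in"):
        print(direction, dict(kinds[direction]))
    print("recipients:", recipients)
```

    If the recipient list is made up of addresses from the list hosted on the server and the only "odd" segments are empty control packets and 221 replies, the traffic is a normal SMTP session; an "unknown-payload" count or unexpected recipients is what would justify a closer look.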

    Expert Comment

    Was there a computer using this IP at any time? Maybe the mail server has it in cache for some reason.

    Where are the packets destined? Are they just hammering the mail server?

    Author Comment

    Thanks all for the replies.  I have come to the conclusion that it is legit mail coming off that server.  Better safe than sorry.  Thanks again.
