Mysterious mail from an unused ip.

Hi All;

I have a server running a control panel (PLESK).  Within the control panel we have multiple clients, each client is assigned its own IP so we can monitor bandwidth usage on a per-client level.  Now each IP has multiple domains hosted off of it.  However, we did assign a couple of extra IPs to that server for use later when we get more clients.  Now one of these unused IPs is sending out TCP packets that look to me like mail.  Again, there is nobody assigned to this IP address.  I realize that the server might be compromised, but I don't want to start pulling down sites unless I am absolutely sure.  The amount of bandwidth that the server is using is minimal (150 MB/24 hours).  How can I check to be sure that this is not legitimate traffic?

P.S.  I checked the mail logs and, wouldn't ya know it, the maillog is 0 KB.

Examine the contents of the TCP packets. What's in there? Is it legit?

Here is a good tool for viewing network traffic, and it's free.

Could the IP be spoofed? Or is it actual traffic?
seanostephens (Author) commented:
I'm not sure; that's what I have been trying to figure out.  I've got Snort installed and monitoring packets.  After letting it run for a day I found that most of the traffic is legit mail from a list on our server.  However, there are a few packets that come through that contain either:

a) no data (just TCP headers)
b) 221 service closing channel.

Are either of these OK?
According to this:

221 is an SMTP reply code.

Hope that helps narrow it down.
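Since 221 is the SMTP server's reply to a client's QUIT, a 221 leaving the spare IP on source port 25 would mean the mail daemon is answering connections on that address rather than sending mail from it; a direction-plus-payload breakdown of the capture separates those two cases. The script below is an added example, not code from this thread; the assigned IPs and the packet records are constructed samples standing in for what Snort or tcpdump would capture.

```python
"""Triage captured TCP port-25 packets leaving an IP that has no customer
assigned to it.  Added example, not from the original thread; the assigned
IPs and the packets below are constructed samples, not captured data."""
import re
from collections import Counter

ASSIGNED_IPS = {"192.0.2.10", "192.0.2.11"}   # IPs handed to clients (constructed)
SMTP_REPLY = re.compile(rb"^(\d{3})[ -]")     # b"221 host Service closing ..."
SMTP_COMMANDS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO", b"DATA", b"QUIT", b"RSET")

def classify_payload(payload: bytes) -> str:
    """Label one packet payload the way a reviewer of the capture would."""
    if not payload:
        return "tcp-only"              # handshake, ACK or FIN: no application data
    m = SMTP_REPLY.match(payload)
    if m:
        return "smtp-reply-" + m.group(1).decode()   # e.g. smtp-reply-221
    if payload.upper().startswith(SMTP_COMMANDS):
        return "smtp-command"
    return "other"

def triage(packets, assigned=ASSIGNED_IPS):
    """Map each unassigned source IP to a Counter of "role:payload" labels.
    Source port 25 means the host answered as an SMTP server on that address;
    destination port 25 means it connected out as an SMTP client."""
    seen = {}
    for src, sport, dst, dport, payload in packets:
        if src in assigned:
            continue                   # a client's own IP: outside this question
        role = "server" if sport == 25 else "client" if dport == 25 else "non-smtp"
        seen.setdefault(src, Counter())[f"{role}:{classify_payload(payload)}"] += 1
    return seen

# Constructed sample: one spare IP only ever answers on port 25 (the MTA is
# listening on it), the other is actively pushing mail out.
SAMPLE = [
    ("192.0.2.10", 25, "198.51.100.7", 43210, b"221 2.0.0 Bye\r\n"),
    ("192.0.2.20", 25, "198.51.100.7", 43211, b""),
    ("192.0.2.20", 25, "198.51.100.7", 43211, b"221 mail.example.com Service closing transmission channel\r\n"),
    ("192.0.2.21", 51000, "203.0.113.5", 25, b"EHLO spare.example.com\r\n"),
    ("192.0.2.21", 51000, "203.0.113.5", 25, b"MAIL FROM:<noreply@example.com>\r\n"),
    ("192.0.2.21", 51000, "203.0.113.5", 25, b"Subject: hello\r\n\r\nbody\r\n.\r\n"),
]

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE).items():
        print(ip, dict(counts))
```

A spare IP whose only labels are `server:*` is being listened on, not abused; `client:smtp-command` entries from a spare IP are the ones worth matching against the MTA's queue and logs.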

Was there a computer using this IP at any time? Maybe the mail server has it in cache for some reason.

Where are the packets destined? Are they just hammering the mail server?
seanostephens (Author) commented:
Thanks all for the replies.  I have come to the conclusion that it is legit mail coming off that server.  Better safe than sorry.  Thanks again.