RE: Current sessions[Scanned]

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Jan 2004 13:58:41 -0500

If it gets too bad, you could always deny the IP address at the firewall.  I
suspect you could be in for quite a time if you're forever chasing that.  

Looks like they're stuck on your address though.  Can you turn up the logging
a little and see what SMTP addresses they're after?

-----Original Message-----
From: Simon Bound [mailto:simon.bound@xxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, January 05, 2004 12:41 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Current sessions[Scanned]

http://www.MSExchange.org/

Al

Here is a selection from the SMTP log late today


17:06:02 218.166.64.161 HELO - 250
17:06:02 219.91.106.226 EHLO - 250
17:06:02 218.166.64.161 QUIT - 240
17:06:03 219.91.106.226 MAIL - 250
17:06:03 219.91.106.226 RCPT - 550
17:06:05 219.91.106.226 QUIT - 240
17:06:09 61.231.2.224 HELO - 250
17:06:09 61.231.2.224 MAIL - 250
17:06:09 61.231.2.224 RCPT - 550
17:06:10 61.231.2.224 QUIT - 240
17:06:17 61.231.2.224 HELO - 250
17:06:17 61.231.2.224 MAIL - 250
17:06:18 61.231.2.224 RCPT - 550
17:06:18 61.231.2.224 QUIT - 240
17:06:20 218.167.58.206 HELO - 250
17:06:20 218.167.58.206 MAIL - 250
17:06:20 218.167.58.206 RCPT - 550
17:06:21 218.167.58.206 QUIT - 240
17:06:29 219.91.111.145 EHLO - 250
17:06:30 219.91.111.145 MAIL - 250
17:06:30 219.91.111.145 RCPT - 550
17:06:31 219.91.111.145 QUIT - 240
17:06:33 219.91.107.46 EHLO - 250
17:06:34 219.91.107.46 MAIL - 250
17:06:34 218.166.64.161 HELO - 250
17:06:34 218.166.64.161 MAIL - 250
17:06:34 219.91.107.46 RCPT - 550
17:06:34 218.166.64.161 RCPT - 550
17:06:36 219.91.107.46 QUIT - 240
17:06:36 218.166.64.161 QUIT - 240
17:06:36 218.166.29.83 HELO - 250
17:06:36 218.166.29.83 MAIL - 250
17:06:37 218.166.29.83 RCPT - 550
17:06:37 218.166.29.83 QUIT - 240
17:06:41 218.166.29.83 HELO - 250
17:06:41 218.166.29.83 MAIL - 250
17:06:41 218.166.29.83 RCPT - 550
17:06:42 218.166.29.83 QUIT - 240
17:06:46 195.12.4.238 - - 0
17:06:46 195.12.4.238 EHLO - 0
17:06:46 195.12.4.238 - - 0
17:06:46 195.12.4.238 ETRN - 0
17:06:46 195.12.4.238 - - 0
17:06:46 195.12.4.238 QUIT - 0
17:06:48 195.12.4.238 - - 0
17:07:05 218.166.29.83 HELO - 250
17:07:05 218.166.29.83 MAIL - 250
17:07:05 218.166.64.161 HELO - 250
17:07:05 218.166.29.83 RCPT - 550
17:07:05 218.166.64.161 MAIL - 250
17:07:07 218.166.29.83 QUIT - 240
17:07:07 206.131.244.10 HELO - 250
17:07:09 218.166.64.161 RCPT - 550
17:07:09 218.166.64.161 QUIT - 240
17:07:09 206.131.244.10 MAIL - 250
17:07:12 206.131.244.10 RCPT - 250
17:07:16 206.131.244.10 DATA - 250
17:07:24 206.131.244.10 QUIT - 240

What is worrying me is that this has just started happening since Saturday
and is now ongoing. 
The 195.12.4.238 is our valid ISP mail relayer.

Simon
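
Added example, not part of the original thread: one way to follow the advice in this thread and check whether these clients are actually getting mail accepted is to tally RCPT and DATA outcomes per client IP. The function names are hypothetical, and the sample is a selection of lines copied from the log excerpt in the post.

```python
from collections import defaultdict

# Selected lines copied from the log excerpt in the post. Fields: time,
# client IP, SMTP verb, parameter ("-" here), status code.
SAMPLE_LOG = """\
17:06:09 61.231.2.224 HELO - 250
17:06:09 61.231.2.224 MAIL - 250
17:06:09 61.231.2.224 RCPT - 550
17:06:17 61.231.2.224 HELO - 250
17:06:17 61.231.2.224 MAIL - 250
17:06:18 61.231.2.224 RCPT - 550
17:06:46 195.12.4.238 EHLO - 0
17:06:46 195.12.4.238 ETRN - 0
17:07:07 206.131.244.10 HELO - 250
17:07:09 206.131.244.10 MAIL - 250
17:07:12 206.131.244.10 RCPT - 250
17:07:16 206.131.244.10 DATA - 250
"""

def summarize(log_text):
    """Per client IP: sessions opened, RCPT accepted/rejected, DATA accepted."""
    stats = defaultdict(lambda: {"sessions": 0, "rcpt_ok": 0,
                                 "rcpt_rejected": 0, "data": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip blank or malformed lines
        _time, ip, verb, _param, status = fields
        entry = stats[ip]
        if verb in ("HELO", "EHLO"):
            entry["sessions"] += 1
        elif verb == "RCPT" and status.startswith("5"):
            entry["rcpt_rejected"] += 1
        elif verb == "RCPT" and status.startswith("2"):
            entry["rcpt_ok"] += 1
        elif verb == "DATA" and status.startswith("2"):
            entry["data"] += 1
    return dict(stats)

def classify(entry):
    """Separate clients that got mail accepted from those only refused."""
    if entry["rcpt_ok"] or entry["data"]:
        return "accepted-mail"      # verify these are expected senders
    if entry["rcpt_rejected"]:
        return "rejected-only"      # every recipient was refused
    return "no-mail-attempt"        # e.g. the ETRN-only session

def report(log_text):
    return {ip: classify(e) for ip, e in summarize(log_text).items()}
```

In the excerpt the parameter column is "-", so the recipient addresses being tried do not appear in the log as posted.
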
-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Monday, January 05, 2004 4:27 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Current sessions[Scanned]


Just to be sure Simon, you should check your SMTP logs to verify that they
aren't sending any mail. That'll also tell you what they're doing depending
on logging level.

Al 

-----Original Message-----
From: Simon Bound [mailto:simon.bound@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 05, 2004 11:20 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Current sessions[Scanned]

Ok Mark thanks.......Anti-Spam program ? 

Not installed as it has never been a problem here in the UK with this
company. Unless the company gets inundated (which it isn't)  I guess I can
ignore these "connections" can I ?  

Not being up in the world of the spammer can you tell me what they are doing
when having these sessions open ?
Assuming they can't do anything - what's the point ?

Simon Bound

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Monday, January 05, 2004 3:46 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Current sessions[Scanned]


You're going to keep getting them, if not from those addresses then from some
others, it's just spammers trying to send you spam, your anti-spam program
should take care of it, it would be a waste of time sitting there trying to
kill all the SMTP connections that you don't know about.

Mark Fugatt
MCSE, MCT, Microsoft Exchange MVP
Pentech Office Solutions Inc
Rochester, NY
Tel: 585 576 4750
http://www.4mcts.com
http://www.exchangetrainer.com
-----Original Message-----
From: Simon Bound [mailto:simon.bound@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 05, 2004 10:44 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Current sessions[Scanned]

I have specific IP addresses of 218.166.160.136, 218.167.71.181 and
61.223.89.221 which all appear to belong to the same company in Taiwan....

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Monday, January 05, 2004 3:42 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Current sessions[Scanned]


They could be other people's SMTP servers trying to send mail to you.

Mark Fugatt
MCSE, MCT, Microsoft Exchange MVP
Pentech Office Solutions Inc
Rochester, NY
Tel: 585 576 4750
http://www.4mcts.com
http://www.exchangetrainer.com
-----Original Message-----
From: Simon Bound [mailto:simon.bound@xxxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 05, 2004 10:46 AM
To: [ExchangeList]
Subject: [exchangelist] Current sessions

I've been having a look at E2K Manager and Current Sessions and have found
several "unknown" users appearing for up to 6k+ seconds. I have disconnected
them. Can anyone enlighten me as to how they have connected and/or what they
might be doing? I have checked setup on this server for relaying and all appears
ok and battened down. The server is apparently behind an ISP Firewall.

Thanks
Simon Bound

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------



