Question : Curious about connections on our Mail Server

We ran netstat and noticed some odd connections and were wondering what other people's opinions were. We went through the processes; nothing seems out of the ordinary. Obviously these IPs showing up have nothing to do with our network or mail system, so we are looking for some guidance.

Thanks!

Log:

TCP    192.168.6.5:25         85.198.168.27:3229     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3235     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3283     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3446     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3455     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3501     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3519     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3535     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3569     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3579     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3585     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3637     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3648     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3664     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3668     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3720     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3735     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3744     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3792     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3824     TIME_WAIT

TCP    192.168.6.5:25         222.114.236.12:2917    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:60061    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:60433    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:61451    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:61713    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:62115    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:62175    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:62395    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:62409    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:63079    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:63321    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:63369    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:63519    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:63919    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:64583    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:64775    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:64933    LAST_ACK
TCP    192.168.6.5:110        80.84.113.135:65451    ESTABLISHED

TCP    192.168.6.246:110      80.84.113.135:60161    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:60651    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:60961    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:61095    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:61265    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:62389    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:62509    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:62941    CLOSING
TCP    192.168.6.246:110      80.84.113.135:63295    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:63589    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:63885    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:63957    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:64195    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:64593    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:65093    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:65271    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:65407    ESTABLISHED

Answer : Curious about connections on our Mail Server

This happens all the time, and unfortunately you can't do much about it. Assuming they aren't actually transferring any mail into your email system, I suspect those entries are something to do with a port scanner which is attempting to connect through to ports 25 (SMTP) and 110 (POP3), and if successful, your IP address might be added to a list of addresses which are "compromised" - i.e. they could possibly be used by a hacker. Port scanners test a range of consecutive IP addresses and should they find one with sensitive ports such as telnet, SMTP, HTTPS or the like open and available, they may attempt to connect and see what they can find.

SMTP in particular is quite a sensitive topic; if someone finds an SMTP server which is also an open relay, they could potentially spam it at will, and possibly get that server blacklisted. It is for this reason that port 25 is commonly searched for by hackers and spammers.

Sadly, just about the only way to stop this happening is to unplug yourself from the 'net. For all the time anybody is connected to the Internet, people are going to attempt to access their network and infiltrate their firewall. It is highly unlikely they are targeting you in particular - you are simply being picked on like hundreds of thousands of other people around the globe who are located on a similar IP range to yourself.

To make sure you're secure, just ensure that only the ports required for the correct operation of your server and network are opened through the firewall to the DMZ and, more importantly, the internal network. Any systems located in your DMZ should be checked to ensure they are not compromised, and I strongly recommend that any systems in the DMZ which require static port mappings to communicate with systems in the LAN are moved inside the LAN. One common mistake is to place Exchange Front-end (or OWA, SMTP relay) servers in the DMZ, but since these require sensitive Active Directory ports open to function, it poses a major security risk.

I did some lookups on the IP addresses and couldn't find much, although I do know they are allocated to either Korea Telecoms, someone in Russia and another in Ukraine. Provided all your servers and systems are patched, up to date and confirmed as secured, you can't really get around this issue too much and you don't have much to worry about.

-tigermatt
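The pattern in the question (one remote host holding many sockets to a single service, as the port 25 TIME_WAIT run and the port 110 ESTABLISHED run show) is easy to spot by grouping a netstat dump. The script below is an added example, not part of the question or answer: it parses Windows-style `netstat -an` lines, counts concurrent sockets per (remote IP, local port) across all local addresses, and breaks each remote IP down by TCP state. The sample rows are constructed from a subset of the listing above, and the threshold of 3 is an arbitrary assumption.

```python
"""Group a Windows-style netstat dump by remote host and local port, and flag
remote hosts holding many concurrent sockets to one service."""
from collections import Counter, defaultdict

# Constructed sample: a subset of the netstat lines from the question above.
SAMPLE = """\
TCP    192.168.6.5:25         85.198.168.27:3229     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3235     TIME_WAIT
TCP    192.168.6.5:25         85.198.168.27:3283     TIME_WAIT
TCP    192.168.6.5:25         222.114.236.12:2917    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:60061    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:60433    ESTABLISHED
TCP    192.168.6.5:110        80.84.113.135:64933    LAST_ACK
TCP    192.168.6.246:110      80.84.113.135:60161    ESTABLISHED
TCP    192.168.6.246:110      80.84.113.135:62941    CLOSING
"""

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # skip headers, blank lines and UDP rows (no state column)
        proto, local, remote, state = parts
        lip, lport = local.rsplit(":", 1)   # rsplit keeps IPv6 literals intact
        rip, rport = remote.rsplit(":", 1)
        rows.append((proto, lip, int(lport), rip, int(rport), state))
    return rows

def suspicious_sources(rows, threshold=3):
    """{(remote_ip, local_port): count} for hosts with >= threshold sockets to
    one local service, summed over every local address (assumed threshold)."""
    counts = Counter((rip, lport) for _, _, lport, rip, _, _ in rows)
    return {k: n for k, n in counts.items() if n >= threshold}

def state_breakdown(rows):
    """Per remote IP, how many sockets sit in each TCP state."""
    out = defaultdict(Counter)
    for _, _, _, rip, _, state in rows:
        out[rip][state] += 1
    return {ip: dict(c) for ip, c in out.items()}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for (rip, lport), n in sorted(suspicious_sources(rows).items()):
        print(f"{rip} -> local port {lport}: {n} sockets, states {state_breakdown(rows)[rip]}")
```

A run of TIME_WAIT from one source is a trail of short, completed connections; a pile of ESTABLISHED sockets from one source to port 110 is worth checking against the POP3 server's own authentication log.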