On Fri, 07 Aug 2009, James Hankins wrote:

> On a new postfix install, I noticed an uptick in bandwidth consumption
> for a period of time (ended up being about 6 hours). Bulk of traffic
> was from one host and it sourced from port 2392 (Tactical Auth). From a
> search on Google it stated that this is a vulnerability scanner.
> Destination port was port 25 for this particular postfix install. I've
> scanned the maillog and I don't see connections from this IP except to
> dovecot. That was from an authenticated user of this system from remote.
>
> I did a capture of some of the traffic in the event this was some type
> of nefarious behavior, I have traces.
>
> Any guidance on what to do/look for here? Seemed quite odd to me.

Don't worry about the *source* port; just let Postfix handle these connections. And if the IP matches that of an authenticated user, then you can ask him/her to investigate if you're really curious.

-- 
Sahil Tandon <sa...@tandon.net>
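
Added example, not part of the original thread or written by either poster: one way to do the maillog check described above, tallying Postfix smtpd and Dovecot login events per client IP. The log lines, addresses, user name and the `summarize` helper are constructed for illustration, and the sample assumes `smtpd_client_port_logging = yes` so that client ports appear in the smtpd lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog lines (not from the thread). The ":port" suffix is
# only logged when smtpd_client_port_logging = yes (Postfix 2.5 and later).
SAMPLE_LOG = """\
Aug  7 09:58:12 mail dovecot: imap-login: Login: user=<jdoe>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Aug  7 10:01:44 mail postfix/smtpd[4121]: connect from unknown[192.0.2.10]:2392
Aug  7 10:01:45 mail postfix/smtpd[4121]: lost connection after CONNECT from unknown[192.0.2.10]:2392
Aug  7 10:01:45 mail postfix/smtpd[4121]: disconnect from unknown[192.0.2.10]:2392
Aug  7 10:01:50 mail postfix/smtpd[4122]: connect from unknown[192.0.2.10]:2407
Aug  7 10:02:03 mail postfix/smtpd[4130]: connect from mx.example.net[192.0.2.77]
"""

# smtpd lines look like "<event> from host[address]" with an optional ":port".
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (connect|disconnect|lost connection)\b.*? from "
    r"[^\s\[]+\[([^\]]+)\](?::(\d+))?")
# Dovecot login lines carry the remote address in the rip= field.
DOVECOT_RE = re.compile(
    r"dovecot: (\w+)-login: Login: user=<([^>]*)>.*?\brip=([^,\s]+)")


def summarize(log_text):
    """Return {ip: {"events": Counter, "ports": set, "users": set}}."""
    hosts = defaultdict(lambda: {"events": Counter(), "ports": set(), "users": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            event, ip, port = m.groups()
            hosts[ip]["events"]["smtpd " + event] += 1
            if port:  # absent when client port logging is off
                hosts[ip]["ports"].add(int(port))
            continue
        m = DOVECOT_RE.search(line)
        if m:
            proto, user, ip = m.groups()
            hosts[ip]["events"][proto + " login"] += 1
            hosts[ip]["users"].add(user)
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, dict(info["events"]), sorted(info["ports"]), sorted(info["users"]))
```

An IP that shows both smtpd events and a Dovecot login maps the traffic to a named account, which is the user to ask.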