RE: RE:strange mail connections: msg#00046 security.intrusions
I believe what you're seeing is Netsky, not Wallon. This is from the diary
http://isc.sans.org/diary.php?date=2004-05-12

Mailbag - Netsky
We received a report from a user who had been seeing a large number of DNS
queries from a small set of his high speed customers. The answer, as pointed
out by Rick Wanner, was that it was caused by NetSky. From his words:
"...I didn't realize that the deciding factor for what is an email address is
anything with an "@" sign in the name, or contents would be tried as an email
address. So people with big Internet caches, and who don't clean up their
cookies were generating thousands of MX requests per minute to their default
DNS server."

Donald.Smith@xxxxxxxxx GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
//Please replytoall so that all the Handlers can stay in the loop

-----Original Message-----
From: intrusions-bounces@xxxxxxxxxxxxxx [mailto:intrusions-bounces@xxxxxxxxxxxxxx] On Behalf Of lola marais
Sent: Friday, May 14, 2004 8:10 PM
To: intrusions@xxxxxxxxxxxxxx
Subject: [Intrusions] RE:strange mail connections

Most of the addresses that are attacking the mail server resolve to some
domain.yahoo.com. I am aware of the WALLON worm, but how does that tie up with
the attack targeting the mail server?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

An example of the addresses that are received would be:
Name: web25101.mail.ukl.yahoo.com
Address: 217.12.10.49
Name: smtp003.mail.ukl.yahoo.com
Address: 217.12.11.34

I ran the captured tcpdump file through snort and it produced the following
alert. In this case the remote host resolves as follows:
Name: orleans-1-62-147-93-158.dial.proxad.net
Address: 62.147.93.158

SID 1549
Message: SMTP HELO overflow attempt
Signature:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:13;)

[**] SMTP HELO overflow attempt [**]
05/13-18:47:03.956782 62.147.93.158:4252 -> mail.server:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:72
***AP*** Seq: 0xE03CB4E1  Ack: 0x94E1AC64  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Frame 33475 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497813109, Ack: 0, Len: 0
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497813109
  Header length: 28 bytes
  Flags: 0x0002 (SYN)
  Window size: 8760
  Checksum: 0xdcc9 (correct)
  Options: (8 bytes)

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  00 30 5c b4 40 00 71 06 69 02 3e 93 5d 9e 9e a9   .0\.@.q.i.>.]...
0020  09 37 10 9c 00 19 94 e1 9a 75 00 00 00 00 70 02   .7.......u....p.
0030  22 38 dc c9 00 00 02 04 05 b4 01 01 04 02         "8............
Frame 33476 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074460, Ack: 2497813110, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074460
  Acknowledgement number: 2497813110
  Header length: 24 bytes
  Flags: 0x0012 (SYN, ACK)
  Window size: 8760
  Checksum: 0x5e26 (correct)
  Options: (4 bytes)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 2c 71 8b 40 00 7f 06 46 2f 9e a9 09 37 3e 93   .,q.@...F/...7>.
0020  5d 9e 00 19 10 9c e0 3c b3 5c 94 e1 9a 76 60 12   ]......<.\...v`.
0030  22 38 5e 26 00 00 02 04 05 b4 00 00               "8^&........

Frame 33523 (80 bytes on wire, 80 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497813127, Ack: 3762074736, Len: 26
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497813127
  Next sequence number: 2497813153
  Acknowledgement number: 3762074736
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8485
  Checksum: 0x598d (correct)
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  00 42 5c cb 40 00 71 06 68 d9 3e 93 5d 9e 9e a9   .B\.@.q.h.>.]...
0020  09 37 10 9c 00 19 94 e1 9a 87 e0 3c b4 70 50 18   .7.........<.pP.
0030  21 25 59 8d 00 00 4d 41 49 4c 20 46 52 4f 4d 3a   !%Y...MAIL FROM:
0040  20 3c 31 32 30 30 34 40 31 2e 6a 70 67 3e 0d 0a    <12004@xxxxx>..

Frame 33524 (88 bytes on wire, 88 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074736, Ack: 2497813153, Len: 34
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074736
  Next sequence number: 3762074770
  Acknowledgement number: 2497813153
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8717
  Checksum: 0x193c (correct)
Simple Mail Transfer Protocol

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 4a 5e 8c 40 00 7f 06 59 10 9e a9 09 37 3e 93   .J^.@...Y....7>.
0020  5d 9e 00 19 10 9c e0 3c b4 70 94 e1 9a a1 50 18   ]......<.p....P.
0030  22 0d 19 3c 00 00 32 35 30 20 4f 4b 20 2d 20 6d   "..<..250 OK - m
0040  61 69 6c 20 66 72 6f 6d 20 3c 31 32 30 30 34 40   ail from <12004@
0050  31 2e 6a 70 67 3e 0d 0a                           1.jpg>..

Frame 33579 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497813186, Ack: 3762074813, Len: 6
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497813186
  Next sequence number: 2497813192
  Acknowledgement number: 3762074813
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8408
  Checksum: 0xcffc (correct)
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  00 2e 5c e8 40 00 71 06 68 d0 3e 93 5d 9e 9e a9   ..\.@.q.h.>.]...
0020  09 37 10 9c 00 19 94 e1 9a c2 e0 3c b4 bd 50 18   .7.........<..P.
0030  20 d8 cf fc 00 00 44 41 54 41 0d 0a               .....DATA..

Frame 33580 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074813, Ack: 2497813192, Len: 36
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074813
  Next sequence number: 3762074849
  Acknowledgement number: 2497813192
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8678
  Checksum: 0x5d50 (correct)
Simple Mail Transfer Protocol

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 4c 39 8d 40 00 7f 06 7e 0d 9e a9 09 37 3e 93   .L9.@...~....7>.
0020  5d 9e 00 19 10 9c e0 3c b4 bd 94 e1 9a c8 50 18   ]......<......P.
0030  21 e6 5d 50 00 00 33 35 34 20 53 65 6e 64 20 64   !.]P..354 Send d
0040  61 74 61 2e 20 20 45 6e 64 20 77 69 74 68 20 43   ata.  End with C
0050  52 4c 46 2e 43 52 4c 46 0d 0a                     RLF.CRLF..

Frame 33635 (1514 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497813320, Ack: 3762074849, Len: 1460
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497813320
  Next sequence number: 2497814780
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0xd643
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  05 dc 5c ec 40 00 71 06 63 1e 3e 93 5d 9e 9e a9   ..\.@.q.c.>.]...
0020  09 37 10 9c 00 19 94 e1 9b 48 e0 3c b4 e1 50 18   .7.......H.<..P.
0030  20 b4 d6 43 00 00 43 6f 6e 74 65 6e 74 2d 54 79    ..C..Content-Ty
0040  70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 6d 69   pe: multipart/mi
0050  78 65 64 3b 0d 0a 09 62 6f 75 6e 64 61 72 79 3d   xed;...boundary=

Frame 33851 (1514 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497816240, Ack: 3762074849, Len: 1460
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497816240
  Next sequence number: 2497817700
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0x60d4
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  05 dc 5c f1 40 00 71 06 63 19 3e 93 5d 9e 9e a9   ..\.@.q.c.>.]...
0020  09 37 10 9c 00 19 94 e1 a6 b0 e0 3c b4 e1 50 18   .7.........<..P.
0030  20 b4 60 d4 00 00 41 41 45 31 6c 63 33 4e 68 5a    .`...AAE1lc3NhZ
0040  32 56 43 62 33 68 42 41 41 41 41 64 33 4e 77 63   2VCb3hBAAAAd3Nwc
0050  6d 6c 75 64 47 5a 42 41 41 41 41 52 58 68 70 64   mludGZBAAAARXhpd

Frame 33942 (819 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497820620, Ack: 3762074849, Len: 765
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497820620
  Next sequence number: 2497821385
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0x95b2
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  03 25 5c fc 40 00 71 06 65 c5 3e 93 5d 9e 9e a9   .%\.@.q.e.>.]...
0020  09 37 10 9c 00 19 94 e1 b7 cc e0 3c b4 e1 50 18   .7.........<..P.
0030  20 b4 95 b2 00 00 49 58 77 30 49 4f 4c 36 4d 6c    .....IXw0IOL6Ml
0040  6a 32 38 6a 4b 67 50 68 74 6b 52 54 72 6e 4f 75   j28jKgPhtkRTrnOu
0050  6e 30 2b 49 62 65 62 43 2b 52 7a 4d 79 30 43 4d   n0+IbebC+RzMy0CM

Frame 33943 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497817700, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497817700
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8760
  Checksum: 0x6271 (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 60 92 40 00 7f 06 57 2c 9e a9 09 37 3e 93   .(`.@...W,...7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 ac 64 50 10   ]......<.....dP.
0030  22 38 62 71 00 00 00 00 00 00 00 00               "8bq........

Frame 33944 (182 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497821385, Ack: 3762074849, Len: 128
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497821385
  Next sequence number: 2497821513
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0x59bd
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  00 a8 5c ff 40 00 71 06 68 3f 3e 93 5d 9e 9e a9   ..\.@.q.h?>.]...
0020  09 37 10 9c 00 19 94 e1 ba c9 e0 3c b4 e1 50 18   .7.........<..P.
0030  20 b4 59 bd 00 00 68 55 4e 49 65 6f 6d 7a 70 4f    .Y...hUNIeomzpO
0040  6b 65 76 33 6f 38 74 66 4c 55 37 52 0d 0a 32 4a   kev3o8tfLU7R..2J
0050  6a 65 30 43 79 74 34 72 37 64 73 78 54 4e 36 75   je0Cyt4r7dsxTN6u

Frame 33945 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497817700, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497817700
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8760
  Checksum: 0x6271 (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 69 92 40 00 7f 06 4e 2c 9e a9 09 37 3e 93   .(i.@...N,...7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 ac 64 50 10   ]......<.....dP.
0030  22 38 62 71 00 00 00 00 00 00 00 00               "8bq........

Frame 33999 (1514 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497817700, Ack: 3762074849, Len: 1460
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497817700
  Next sequence number: 2497819160
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0xd673
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  05 dc 5c f7 40 00 71 06 63 13 3e 93 5d 9e 9e a9   ..\.@.q.c.>.]...
0020  09 37 10 9c 00 19 94 e1 ac 64 e0 3c b4 e1 50 18   .7.......d.<..P.
0030  20 b4 d6 73 00 00 70 31 75 44 2f 6f 78 0d 0a 57    ..s..p1uD/ox..W
0040  65 4f 30 30 41 43 42 41 6f 33 36 5a 66 73 42 46   eO00ACBAo36ZfsBF
0050  62 72 4b 51 6f 36 2b 44 38 53 48 46 48 45 6f 62   brKQo6+D8SHFHEob

Frame 34002 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497819160, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497819160
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8760
  Checksum: 0x5cbd (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 61 93 40 00 7f 06 56 2b 9e a9 09 37 3e 93   .(a.@...V+...7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 b2 18 50 10   ]......<......P.
0030  22 38 5c bd 00 00 00 00 00 00 00 00               "8\.........

Frame 34015 (1514 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497819160, Ack: 3762074849, Len: 1460
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497819160
  Next sequence number: 2497820620
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0xa0bb
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  05 dc 5c f9 40 00 71 06 63 11 3e 93 5d 9e 9e a9   ..\.@.q.c.>.]...
0020  09 37 10 9c 00 19 94 e1 b2 18 e0 3c b4 e1 50 18   .7.........<..P.
0030  20 b4 a0 bb 00 00 77 4e 7a 47 50 47 6b 6e 53 4e    .....wNzGPGknSN
0040  57 43 41 51 54 6a 72 78 4d 70 50 51 39 4a 58 4f   WCAQTjrxMpPQ9JXO
0050  6d 0d 0a 67 42 36 42 44 45 70 4f 4f 77 77 44 63   m..gB6BDEpOOwwDc

Frame 34016 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497824433, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497824433
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8760
  Checksum: 0x4824 (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 d8 93 40 00 7f 06 df 2a 9e a9 09 37 3e 93   .(..@....*...7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 c6 b1 50 10   ]......<......P.
0030  22 38 48 24 00 00 00 00 00 00 00 00               "8H$........

Frame 34251 (1514 bytes on wire, 96 bytes captured)
Ethernet II, Src: 00:10:db:yyy, Dst: 00:08:e2:xxx
Internet Protocol, Src Addr: 62.147.93.158 (62.147.93.158), Dst Addr: mail.server (mail.server)
Transmission Control Protocol, Src Port: 4252 (4252), Dst Port: smtp (25), Seq: 2497825893, Ack: 3762074849, Len: 1460
  Source port: 4252 (4252)
  Destination port: smtp (25)
  Sequence number: 2497825893
  Next sequence number: 2497827353
  Acknowledgement number: 3762074849
  Header length: 20 bytes
  Flags: 0x0018 (PSH, ACK)
  Window size: 8372
  Checksum: 0x832f
Simple Mail Transfer Protocol

0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  05 dc 5d 97 40 00 71 06 62 73 3e 93 5d 9e 9e a9   ..].@.q.bs>.]...
0020  09 37 10 9c 00 19 94 e1 cc 65 e0 3c b4 e1 50 18   .7.......e.<..P.
0030  20 b4 83 2f 00 00 31 33 6d 62 47 42 58 55 6a 56    ../..13mbGBXUjV
0040  53 57 69 33 56 6d 4b 30 44 72 44 69 6d 50 52 2f   SWi3VmK0DrDimPR/
0050  62 74 0d 0a 56 62 58 6c 61 59 57 5a 77 6f 2f 71   bt..VbXlaYWZwo/q

Frame 34252 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497828813, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497828813
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8760
  Checksum: 0x3708 (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 b2 98 40 00 7f 06 05 26 9e a9 09 37 3e 93   .(..@....&...7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 d7 cd 50 10   ]......<......P.
0030  22 38 37 08 00 00 00 00 00 00 00 00               "87.........

Frame 34273 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497828814, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497828814
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8759
  Checksum: 0x3708 (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 31 9a 40 00 7f 06 86 24 9e a9 09 37 3e 93   .(1.@....$...7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 d7 ce 50 10   ]......<......P.
0030  22 37 37 08 00 00 00 00 00 00 00 00               "77.........

Frame 34368 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:08:e2:xxx, Dst: 00:10:db:yyy
Internet Protocol, Src Addr: mail.server (mail.server), Dst Addr: 62.147.93.158 (62.147.93.158)
Transmission Control Protocol, Src Port: smtp (25), Dst Port: 4252 (4252), Seq: 3762074849, Ack: 2497837797, Len: 0
  Source port: smtp (25)
  Destination port: 4252 (4252)
  Sequence number: 3762074849
  Acknowledgement number: 2497837797
  Header length: 20 bytes
  Flags: 0x0010 (ACK)
  Window size: 8760
  Checksum: 0x13f0 (correct)

0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 28 05 a0 40 00 7f 06 b2 1e 9e a9 09 37 3e 93   .(..@........7>.
0020  5d 9e 00 19 10 9c e0 3c b4 e1 94 e1 fa e5 50 10   ]......<......P.
0030  22 38 13 f0 00 00 00 00 00 00 00 00               "8..........

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
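What the dumps above actually carry, and whether the matching logic of SID 1549 fires on it, can be checked by putting the client side of the TCP stream back together. The block below is an added example written for this page, not code from the thread or from Snort. It transcribes four of the frames quoted above (the MAIL FROM, the 250 reply, DATA and the truncated Content-Type frame; the archive's masked "xxxxx" in one ASCII column is kept, the hex bytes decode to 1.jpg), reorders them by sequence number, reports the holes left by segments the poster did not include, and re-implements the rule's content plus pcre test in Python. The constructed HELO strings at the end are there only to show when the rule would fire.

```python
"""Added example (not code from the thread or from Snort): rebuild the client
side of the SMTP session from the Ethereal-style hex dumps in the thread and
apply the matching logic of Snort SID 1549 ("SMTP HELO overflow attempt")."""
import re
import struct

# Frames transcribed from the capture quoted in the thread (client
# 62.147.93.158:4252 -> mail server port 25), listed out of capture order on
# purpose so that sequence-number reassembly has work to do.  Frame 33635 was
# cut short by the sniffer (96 of 1514 bytes captured).  The ASCII column is
# the archive's, masked "xxxxx" included; the hex is what gets decoded.
HEXDUMPS = {
 "33635": r"""
0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  05 dc 5c ec 40 00 71 06 63 1e 3e 93 5d 9e 9e a9   ..\.@.q.c.>.]...
0020  09 37 10 9c 00 19 94 e1 9b 48 e0 3c b4 e1 50 18   .7.......H.<..P.
0030  20 b4 d6 43 00 00 43 6f 6e 74 65 6e 74 2d 54 79    ..C..Content-Ty
0040  70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 6d 69   pe: multipart/mi
0050  78 65 64 3b 0d 0a 09 62 6f 75 6e 64 61 72 79 3d   xed;...boundary=
""",
 "33524": r"""
0000  00 10 db ff 0a 00 00 08 e2 46 b6 4a 08 00 45 00   .........F.J..E.
0010  00 4a 5e 8c 40 00 7f 06 59 10 9e a9 09 37 3e 93   .J^.@...Y....7>.
0020  5d 9e 00 19 10 9c e0 3c b4 70 94 e1 9a a1 50 18   ]......<.p....P.
0030  22 0d 19 3c 00 00 32 35 30 20 4f 4b 20 2d 20 6d   "..<..250 OK - m
0040  61 69 6c 20 66 72 6f 6d 20 3c 31 32 30 30 34 40   ail from <12004@
0050  31 2e 6a 70 67 3e 0d 0a                           1.jpg>..
""",
 "33579": r"""
0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  00 2e 5c e8 40 00 71 06 68 d0 3e 93 5d 9e 9e a9   ..\.@.q.h.>.]...
0020  09 37 10 9c 00 19 94 e1 9a c2 e0 3c b4 bd 50 18   .7.........<..P.
0030  20 d8 cf fc 00 00 44 41 54 41 0d 0a               .....DATA..
""",
 "33523": r"""
0000  00 08 e2 46 b6 4a 00 10 db ff 0a 00 08 00 45 00   ...F.J........E.
0010  00 42 5c cb 40 00 71 06 68 d9 3e 93 5d 9e 9e a9   .B\.@.q.h.>.]...
0020  09 37 10 9c 00 19 94 e1 9a 87 e0 3c b4 70 50 18   .7.........<.pP.
0030  21 25 59 8d 00 00 4d 41 49 4c 20 46 52 4f 4d 3a   !%Y...MAIL FROM:
0040  20 3c 31 32 30 30 34 40 31 2e 6a 70 67 3e 0d 0a    <12004@xxxxx>..
""",
}

HEXPAIR = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hexdump(text):
    """'offset hh hh ... ascii' lines -> raw frame bytes.  At most 16 data
    bytes per line; the first token that is not a hex pair starts the ASCII
    column (good enough for these dumps, not a general-purpose parser)."""
    out = bytearray()
    for line in text.strip().splitlines():
        for tok in line.split()[1:17]:
            if not HEXPAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def dissect(frame):
    """Minimal Ethernet/IPv4/TCP dissector.  None for anything that is not
    IPv4 over Ethernet carrying TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[tcp:tcp + 8])
    doff = (frame[tcp + 12] >> 4) * 4
    seg_len = total_len - ihl - doff                 # from the headers, not the capture
    payload = frame[tcp + doff:min(len(frame), 14 + total_len)]  # honours truncation
    return {"src": ".".join(map(str, frame[26:30])), "sport": sport,
            "dport": dport, "seq": seq, "seg_len": seg_len, "payload": payload}

def reassemble(frames, client_ip, server_port=25):
    """Order the client->server segments by sequence number and join them.
    Returns (stream, gaps); gaps lists (expected_seq, missing_bytes) for every
    hole, i.e. segments absent from the excerpt."""
    segs = []
    for frame in frames:
        pkt = dissect(frame)
        if pkt and pkt["src"] == client_ip and pkt["dport"] == server_port and pkt["seg_len"]:
            segs.append((pkt["seq"], pkt["seg_len"], pkt["payload"]))
    segs.sort()
    stream, gaps, expected = bytearray(), [], None
    for seq, seg_len, payload in segs:
        if expected is not None and seq != expected:
            gaps.append((expected, seq - expected))
        stream += payload
        expected = seq + seg_len
    return bytes(stream), gaps

# pcre:"/^HELO\s[^\n]{500}/smi" from the rule, as a Python bytes regex.
SID1549_PCRE = re.compile(rb"^HELO\s[^\n]{500}", re.M | re.S | re.I)

def sid1549_matches(client_stream):
    """content:"HELO" (no nocase, so case-sensitive) and then the pcre.  The
    pcre needs 501 bytes after HELO, so it subsumes isdataat:500,relative."""
    return b"HELO" in client_stream and SID1549_PCRE.search(client_stream) is not None

FRAMES = [parse_hexdump(dump) for dump in HEXDUMPS.values()]
CLIENT = "62.147.93.158"

if __name__ == "__main__":
    stream, gaps = reassemble(FRAMES, CLIENT)
    print(stream.decode("ascii", "replace"))
    for expected, missing in gaps:
        print(f"gap: {missing} bytes missing before seq {expected}")
    print("SID 1549 on the reassembled client stream:", sid1549_matches(stream))
    print("SID 1549 on HELO + 600 bytes:", sid1549_matches(b"HELO " + b"A" * 600 + b"\r\n"))
```

The reassembled stream reads MAIL FROM, DATA and the start of the MIME headers, with a 33-byte hole before DATA (the RCPT TO that was not quoted) and a 128-byte hole before the Content-Type frame; no HELO appears in the quoted frames, so the rule logic does not fire on them as excerpted. The sequence number in the Snort alert block is a different matter and is left as the poster reported it.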
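The ISC diary that Donald quotes describes the NetSky symptom as seen at the resolver: one client issuing thousands of MX lookups a minute for anything in its cache that contains an "@". The block below is an added example written for this page, not code from the thread or the diary. It assumes BIND 9 style query-log lines (the regex is an assumption; other resolvers log differently), builds a sample log inline, and reports clients whose MX query count in a sliding minute crosses a threshold, together with how many distinct domains they asked about, which is what separates a harvesting worm from a busy but legitimate mail relay.

```python
"""Added example (not code from the thread): flag hosts that behave the way the
ISC diary describes NetSky, a single client flooding its resolver with MX
lookups for whatever '@' strings it scraped out of its browser cache."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9 query-log shape, e.g.
# 12-May-2004 18:47:03.102 client 10.1.2.3#1042: query: example.org IN MX +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_line(line):
    """-> (timestamp, client_ip, qname, qtype) or None for unrecognised lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"].upper()

def mx_flooders(lines, window=timedelta(seconds=60), threshold=100):
    """Per-client sliding window over MX queries (log assumed in time order).
    Returns {client: (peak MX queries inside one window, distinct domains)}
    for clients whose peak reaches `threshold`.  The distinct-domain count is
    the tell: cache-harvested 'addresses' fan out over hundreds of unrelated
    names, a real MTA repeats a handful.  The threshold is a guess to tune per
    site; the diary speaks of thousands per minute."""
    recent = defaultdict(deque)          # client -> timestamps still in window
    domains = defaultdict(set)
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != "MX":
            continue
        ts, client, qname, _ = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:        # expire queries older than the window
            q.popleft()
        domains[client].add(qname)
        peak[client] = max(peak[client], len(q))
    return {c: (n, len(domains[c])) for c, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed input: 10.1.2.3 fires 150 MX lookups in 30 seconds for junk
    such as '1.jpg' (compare the 12004@1.jpg sender in the capture), while
    10.1.2.9, a mail relay, asks for yahoo.com's MX ten times in 50 seconds."""
    t0 = datetime(2004, 5, 12, 18, 47, 0)
    lines = []
    for i in range(150):
        ts = t0 + timedelta(milliseconds=200 * i)
        qname = "1.jpg" if i % 3 == 0 else f"cache{i}.example"
        lines.append(f"{ts:%d-%b-%Y %H:%M:%S}.{ts.microsecond // 1000:03d} "
                     f"client 10.1.2.3#1042: query: {qname} IN MX +")
    for i in range(10):
        ts = t0 + timedelta(seconds=5 * i)
        lines.append(f"{ts:%d-%b-%Y %H:%M:%S}.000 client 10.1.2.9#2049: "
                     f"query: yahoo.com IN MX -")
    return lines

if __name__ == "__main__":
    for client, (n, d) in mx_flooders(sample_log()).items():
        print(f"{client}: {n} MX queries within 60 s across {d} distinct domains")
```

On the sample log only 10.1.2.3 is reported (150 queries, 101 distinct domains); the relay stays under the threshold and, even with the threshold lowered, shows a single domain, which is the shape of legitimate traffic.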