
RE:strange mail connections: msg#00048

security.intrusions

Subject: RE:strange mail connections

What leads me to believe that the attack on the mail server was somehow related to the wollon was that, within the same snort alert.ids* file, I have seen a number of the events recorded below. When the source address is resolved, the DNS entry is always either Web<removed>.mail.yahoo.com or web<removed>.mail.ukl.yahoo.com.


05/13-18:47:14.086518 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.94:0 -> mail.server:0
05/13-18:47:14.086523 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.94:0 -> mail.server:0
05/13-18:49:06.188955 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.155.196.64:0 -> mail.server:0
05/13-18:50:41.175666 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.136.174.136:0 -> mail.server:0
05/13-18:50:54.368130 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.136.131.190:0 -> mail.server:0
05/13-18:51:51.411357 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 206.190.38.30:0 -> mail.server:0
05/13-18:51:54.031958 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 217.12.12.116:0 -> mail.server:0
05/13-18:51:57.169321 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 217.12.12.116:0 -> mail.server:0
05/13-18:52:04.843573 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 217.12.12.116:0 -> mail.server:0
05/13-18:52:08.520841 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.69:0 -> mail.server:0
05/13-18:52:11.525216 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.69:0 -> mail.server:0
05/13-18:52:13.314913 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.109.118.121:0 -> mail.server:0
05/13-18:52:14.753945 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.69:0 -> mail.server:0

[**] (snort_decoder): T/TCP Detected [**]
05/13-18:47:14.086518 66.218.93.94:0 -> mail.server:0
TCP TTL:48 TOS:0x0 ID:9308 IpLen:20 DgmLen:68 DF
******S* Seq: 0xA1371477 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 2089903646 0
TCP Options => NOP NOP CCNEW: 41196094
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder): T/TCP Detected [**]
05/13-18:47:14.086523 66.218.93.94:0 -> mail.server:0
TCP TTL:48 TOS:0x0 ID:9310 IpLen:20 DgmLen:68 DF
******S* Seq: 0x62906284 Ack: 0x0 Win: 0xFFFF TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 2089903647 0
TCP Options => NOP NOP CCNEW: 41196095
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
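The alerts above are decoder events (generator 116, sid 56), not rule matches: the snort decoder raises "T/TCP Detected" when a TCP segment carries one of the RFC 1644 T/TCP connection-count options (CC, kind 11; CC.NEW, kind 12; CC.ECHO, kind 13), which is exactly the "CCNEW: 41196094" shown in the packet dumps. The following Python is an added example, not code from the original post or from Snort: it parses the fast-format alert lines quoted above to tally sources, and it decodes a TCP options area rebuilt from the values in the first packet dump (MSS 1460, WS 1, TS 2089903646/0, CCNEW 41196094) to show what triggered the decoder. The alert lines are copied from the post; the option bytes are constructed from the dump, and the option-name table is an assumption for illustration.

```python
import re
import struct
from collections import Counter

# Snort "fast" alert lines copied from the post above (constructed sample input).
ALERTS = """\
05/13-18:47:14.086518 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.94:0 -> mail.server:0
05/13-18:47:14.086523 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.94:0 -> mail.server:0
05/13-18:49:06.188955 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.155.196.64:0 -> mail.server:0
05/13-18:50:41.175666 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.136.174.136:0 -> mail.server:0
05/13-18:50:54.368130 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.136.131.190:0 -> mail.server:0
05/13-18:51:51.411357 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 206.190.38.30:0 -> mail.server:0
05/13-18:51:54.031958 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 217.12.12.116:0 -> mail.server:0
05/13-18:51:57.169321 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 217.12.12.116:0 -> mail.server:0
05/13-18:52:04.843573 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 217.12.12.116:0 -> mail.server:0
05/13-18:52:08.520841 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.69:0 -> mail.server:0
05/13-18:52:11.525216 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.69:0 -> mail.server:0
05/13-18:52:13.314913 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 216.109.118.121:0 -> mail.server:0
05/13-18:52:14.753945 [**] [116:56:1] (snort_decoder): T/TCP Detected [**] {TCP} 66.218.93.69:0 -> mail.server:0
"""

# One fast-format alert line: timestamp, [gid:sid:rev], message, {proto}, src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)$"
)


def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def sources_by_count(events, gid="116", sid="56"):
    """Count source addresses for a given generator/signature id (default: T/TCP decoder alert)."""
    return Counter(e["src"] for e in events if e["gid"] == gid and e["sid"] == sid)


# TCP option kinds (RFC 793, RFC 7323, RFC 1644). Name table is an illustrative assumption.
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 5: "SACK",
             8: "TS", 11: "CC", 12: "CCNEW", 13: "CCECHO"}
TTCP_KINDS = {11, 12, 13}


def decode_tcp_options(raw):
    """Walk a TCP options area and return a list of (name, value) in wire order.

    Raises ValueError on a truncated or malformed option, the way a decoder must
    rather than reading past the end of the segment.
    """
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: single byte, ends option list
            opts.append(("EOL", None))
            break
        if kind == 1:                      # NOP: single byte padding
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d for kind %d" % (length, kind))
        body = raw[i + 2:i + length]
        name = OPT_NAMES.get(kind, "kind%d" % kind)
        if kind == 2 and len(body) == 2:
            value = struct.unpack("!H", body)[0]          # MSS
        elif kind == 3 and len(body) == 1:
            value = body[0]                               # window scale shift
        elif kind == 8 and len(body) == 8:
            value = struct.unpack("!II", body)            # (TSval, TSecr)
        elif kind in TTCP_KINDS and len(body) == 4:
            value = struct.unpack("!I", body)[0]          # T/TCP connection count
        else:
            value = body.hex()
        opts.append((name, value))
        i += length
    return opts


def is_ttcp(opts):
    """True if any RFC 1644 connection-count option is present (what 116:56 fires on)."""
    return any(name in ("CC", "CCNEW", "CCECHO") for name, _ in opts)


# Options area of the first dumped SYN, rebuilt from the dump's values (constructed):
# MSS 1460, NOP, WS 1, NOP, NOP, TS 2089903646/0, NOP, NOP, CCNEW 41196094.
# TcpLen 48 minus the 20-byte fixed header leaves 28 option bytes.
SAMPLE_OPTIONS = (
    struct.pack("!BBH", 2, 4, 1460)
    + b"\x01"
    + struct.pack("!BBB", 3, 3, 1)
    + b"\x01\x01"
    + struct.pack("!BBII", 8, 10, 2089903646, 0)
    + b"\x01\x01"
    + struct.pack("!BBI", 12, 6, 41196094)
)
```

Decoding SAMPLE_OPTIONS yields the same nine options snort printed ("TCP Options (9)") and recovers CCNEW 41196094; the per-source tally shows the three busiest senders in the quoted excerpt (217.12.12.116 and 66.218.93.69 with three SYNs each, 66.218.93.94 with two). Note that 116:56 is a decoder event on a legitimate, if rarely used, TCP extension: it reports that a peer's stack sends T/TCP options, and does not by itself indicate an attack.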


