Why is my port 25 so active?

hacking firewall smtp intrusion-detection

Using netstat -na I notice that I have a lot of connections like

tcp        0      0 XXX.XXX.XXX.XXX:25        YYY.YYY.YYY.YYY:13933     ESTABLISHED
tcp        0      0 XXX.XXX.XXX.XXX:25        ZZZ.ZZZ.ZZZ.ZZZ:9528     ESTABLISHED

Those are to addresses to USA, Brasil etc, despite that my server is located in UK.
Can that be some "illegal" activity, like spamming or something?

[root@myserver ~]# tcpdump port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:54:33.842388 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: S 3343584823:3343584823(0) win 8192 <mss 1360,nop,wscale 2,nop,nop,sackOK>
20:54:33.842431 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: S 583530268:583530268(0) ack 3343584824 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
20:54:33.904660 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 1 win 16660
20:54:34.036073 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: P 1:90(89) ack 1 win 46
20:54:34.304356 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 90 win 16637
20:54:34.304433 IP XXX.XXX.XXX.XXX.smtp > g224057157.adsl.remotehost1.de.23970: P 90:110(20) ack 1 win 46
20:54:34.568451 IP g224057157.adsl.remotehost1.de.23970 > XXX.XXX.XXX.XXX.smtp: . ack 110 win 16632

Yes.

Or at least, it's being attempted. If you have port 25 open, you can be guaranteed someone's trying to relay mail through you. If you have port 80 open, you can be guaranteed someone's trying to exploit your site. If you have port 22 open, you can be guaranteed someone's trying to brute force you. Notice a pattern?

Lucky for you, they're almost entirely amateurish. Use tools like your log files, telnet, and tcpdump to verify that these are only attempts and you're not successfully being used to relay spam.


Port 25 is the standard port SMTP traffic runs on. If you intend for you system to be an email server than those might be legit servers trying to send you or your users email. If you do not intend your system to be an email server, figure out how to get port 25 turned off.

Historically email servers would be configured to politely send on email for other servers. Today this is bad, bad, bad. It's called being an open email relay. It would be wise for you to verify that you are not doing this. But, don't go to far and try to block port 25 traffic if you do mean to accept email from the outside world.


If you need it open, you need it open. Try to lock down who you accept smtp connections from. YOu can get an offsite spam/virus filter, which hosts the DNS MX recorded servers. Then only accetp smtp from their network.

Note that tcp port 587 is an RFC mail submission port.

Related

linux logfile does not open correctly in windows notepad
What is the email SPF entry for sending from Yahoo!?
Is HTTP 1.0 being used nowadays?
Disable SSH for non root users
How to send the current working directory as an argument in windows?
Scritp to wait for few seconds before executing next line
How to manually run Windows Update for Windows 2003?
Is Internet routing (BGP) fully automated?
For tripwire, how would I have the report e-mailed only when a violation is found
Access files outside a chroot'ed environment?
ARP packets never routed?
cannot unset env variables from script