Incoming Mail Server Initiating Connections

da sponge

I have an incoming (only) mail server that is initiating connections to a fairly significant number of IPs on nonstandard ports. These connections occur 1-30 seconds after an incoming connection attempt (some, not all) and are directed towards high numbered ports (same as source port for incoming firewall log).

Any ideas what this traffic is?
 
Source ports will always vary; it's the destination port that is important. The server could be replying to a connection attempt for mail delivery. Is this Windows or *nix? Check which processes are using those ports.
 
Here's the logs for one of many instances.

Code:
Log Time	Client IP	Destination IP	S.Port	D.Port	Action	Result Code
10/23/2007 9:06	58.10.164.2	192.168.28.43	18435	25	Closed	0x80074e24 FWX_E_CONNECTION_KILLED
10/23/2007 9:06	58.10.164.2	192.168.28.43	18435	25	Initiated	0x0 ERROR_SUCCESS
Log Time	Client IP	Destination IP	S.Port	D.Port	Action	Result Code
10/23/2007 9:06	192.168.28.43	58.10.164.2	25	18435	Denied	0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
10/23/2007 9:06	192.168.28.43	58.10.164.2	25	18435	Denied	0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

Looks like it is the result of ISA killing the connection for some reason (if it is the SMTP filter I should see entries in the app log, but those entries are few and far between). I'm guessing the IIS server is just responding to what it thinks is an open connection, hence the high destination port. Next step is to figure out why it is killing the connections (these are more than likely spam connections though; we haven't had any complaints of legit mail not arriving).
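
An added example, not part of the original posts: a small Python triage script that separates denied non-SYN replies on a flow the remote side opened to port 25 from outbound rows with no matching inbound flow. The column layout and result codes come from the log above; the field names, the function names and the last sample row (203.0.113.7, port 40000) are constructed for illustration.

```python
import csv
import io

FIELDS = ["time", "src", "dst", "sport", "dport", "action", "result"]
MAIL_SERVER = "192.168.28.43"  # internal SMTP host from the thread's log

# Constructed sample: the first four data rows mirror the thread's log,
# the last row is invented to show an outbound flow with no inbound match.
SAMPLE_LOG = "\n".join([
    "Log Time\tClient IP\tDestination IP\tS.Port\tD.Port\tAction\tResult Code",
    "10/23/2007 9:06\t58.10.164.2\t192.168.28.43\t18435\t25\tClosed\t0x80074e24 FWX_E_CONNECTION_KILLED",
    "10/23/2007 9:06\t58.10.164.2\t192.168.28.43\t18435\t25\tInitiated\t0x0 ERROR_SUCCESS",
    "Log Time\tClient IP\tDestination IP\tS.Port\tD.Port\tAction\tResult Code",
    "10/23/2007 9:06\t192.168.28.43\t58.10.164.2\t25\t18435\tDenied\t0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED",
    "10/23/2007 9:06\t192.168.28.43\t58.10.164.2\t25\t18435\tDenied\t0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED",
    "10/23/2007 9:07\t192.168.28.43\t203.0.113.7\t1045\t40000\tInitiated\t0x0 ERROR_SUCCESS",
])


def parse(text):
    """Yield one dict per data row, skipping blank lines and repeated header rows."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) == len(FIELDS) and row[0] != "Log Time":
            yield dict(zip(FIELDS, row))


def classify_outbound(text, server=MAIL_SERVER):
    """Split server-sourced rows into replies on a known inbound flow and the rest."""
    rows = list(parse(text))
    # Timestamps have minute resolution and row order is not reliable,
    # so match on the connection 4-tuple rather than on sequence.
    inbound = {(r["src"], r["sport"], r["dst"], r["dport"])
               for r in rows if r["dst"] == server}
    replies, unexplained = [], []
    for r in rows:
        if r["src"] != server:
            continue
        reverse = (r["dst"], r["dport"], r["src"], r["sport"])
        is_stray = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED" in r["result"]
        (replies if reverse in inbound and is_stray else unexplained).append(r)
    return replies, unexplained


if __name__ == "__main__":
    replies, unexplained = classify_outbound(SAMPLE_LOG)
    print(f"{len(replies)} stray replies, {len(unexplained)} rows needing a closer look")
    for r in unexplained:
        print(r["time"], r["dst"], r["dport"], r["action"])
```

Rows that land in the second list are the ones worth checking against the process table on the mail server, as suggested earlier in the thread.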
 