User:Woozle/2016/02/15/Postfix bounce-spam/tcpdump 1
A sample from tcpdump -- most of what I saw seemed legitimate (related to emails recently sent), but this did not:
11:24:52.649377 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [S], seq 2358666894, win 29200, options [mss 1460,sackOK,TS val 12615285 ecr 0,nop,wscale 8], length 0
11:24:52.775950 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], ack 4150325630, win 29200, options [nop,nop,TS val 12615317 ecr 707961258], length 0
11:24:52.902203 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 0
11:24:52.902328 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 0:28, ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 28
11:24:53.028395 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 28:66, ack 100, win 29200, options [nop,nop,TS val 12615380 ecr 707961511], length 38
11:24:53.207441 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 66:99, ack 108, win 29200, options [nop,nop,TS val 12615425 ecr 707961690], length 33
11:24:53.333167 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 99:105, ack 116, win 29200, options [nop,nop,TS val 12615456 ecr 707961816], length 6
11:24:53.463143 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], seq 105:2901, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 2796
11:24:53.463184 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 2901:4100, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 1199
11:24:55.042054 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 4100:4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 6
11:24:55.042081 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [F.], seq 4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 0
11:24:55.168094 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0
11:24:55.168125 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0
94.100.180.150 apparently belongs to a mail host in Russia.
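An added example, not part of the original page: a small Python helper that parses tcpdump summary lines like the ones above, groups them into flows, and flags outbound port-25 sessions from the local host that pushed a message-sized payload to a destination outside an allow-list (which is what a full bounce delivery to a stranger's MX looks like). It assumes 45.55.148.146 is the local Postfix host; the embedded capture is this page's own output minus the two bare ACKs and the duplicate RST, and `my_hosts` / `allowed_relays` are placeholders to fill in.

```python
import re
from collections import defaultdict

# Sample input: the capture quoted above, without the two bare ACKs and the duplicate RST.
CAPTURE = """\
11:24:52.649377 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [S], seq 2358666894, win 29200, options [mss 1460,sackOK,TS val 12615285 ecr 0,nop,wscale 8], length 0
11:24:52.902328 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 0:28, ack 20, win 29200, options [nop,nop,TS val 12615348 ecr 707961385], length 28
11:24:53.028395 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 28:66, ack 100, win 29200, options [nop,nop,TS val 12615380 ecr 707961511], length 38
11:24:53.207441 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 66:99, ack 108, win 29200, options [nop,nop,TS val 12615425 ecr 707961690], length 33
11:24:53.333167 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 99:105, ack 116, win 29200, options [nop,nop,TS val 12615456 ecr 707961816], length 6
11:24:53.463143 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [.], seq 105:2901, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 2796
11:24:53.463184 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 2901:4100, ack 130, win 29200, options [nop,nop,TS val 12615489 ecr 707961946], length 1199
11:24:55.042054 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [P.], seq 4100:4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 6
11:24:55.042081 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [F.], seq 4106, ack 423, win 30016, options [nop,nop,TS val 12615883 ecr 707963521], length 0
11:24:55.168094 IP 45.55.148.146.57705 > 94.100.180.150.25: Flags [R], seq 2358671002, win 0, length 0
"""

# One tcpdump TCP summary line: timestamp, 4-tuple, flag letters, trailing payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*? length (?P<length>\d+)$"
)

def summarize_flows(text):
    """Group lines by (src, sport, dst, dport); track packets, payload bytes, flags and timing."""
    flows = defaultdict(lambda: {"packets": 0, "payload": 0, "flags": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP summary line (UDP, ARP, truncated output, ...)
        f = flows[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))]
        f["packets"] += 1
        f["payload"] += int(m["length"])
        f["flags"].update(m["flags"].replace(".", ""))  # '.' only marks ACK; keep S/P/F/R
        f["first"] = f["first"] or m["ts"]
        f["last"] = m["ts"]
    return dict(flows)

def suspicious_smtp(flows, my_hosts, allowed_relays=(), min_bytes=1000):
    """Outbound port-25 flows from our hosts that delivered a message-sized payload
    to a destination not on the allow-list: candidate bounce/backscatter deliveries."""
    hits = []
    for (src, _sport, dst, dport), f in flows.items():
        if dport == 25 and src in my_hosts and dst not in allowed_relays and f["payload"] >= min_bytes:
            hits.append((src, dst, f["payload"], "".join(sorted(f["flags"]))))
    return hits
```

Feed it `tcpdump -nn -l 'tcp port 25'` output and every hit names a remote MX that received a whole message from your server; compare those against what the Postfix queue and `mail.log` say was legitimately sent.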