23-Sep-2013

More on port 2525 traffic
There is another source of information to investigate: I have PMAS set up so that the worker processes log as well (by default this is off), and there I found a hint on what is going on.
Both addresses show the same signature: mail is received for processing, a check is made whether the sender is on a blacklist, and then the connection is aborted:

23-SEP-2013 21:08:24.14: RelayPlug: Connection accepted from 208.75.123.163
23-SEP-2013 21:08:24.17: RelayPlug: External IP address, so set up to check MAIL FROM:....
23-SEP-2013 21:08:26.38: RelayPlug: MAIL FROM:<(some large 'name')@in.constantcontact.com>
23-SEP-2013 21:08:26.38: PMASplug: MAIL FROM: <(some large 'name')@in.constantcontact.com>
23-SEP-2013 21:08:26.38: DNSBLplug: MAIL FROM: <(some large 'name')@in.constantcontact.com>
23-SEP-2013 21:08:26.39: DNSBLplug: Checking address 208.75.123.163....
23-SEP-2013 21:08:26.39: DNSBLplug: Address action = 0 (OK (no match))
23-SEP-2013 21:08:26.39: DNSBLplug: Checking domain name in.constantcontact.com....
23-SEP-2013 21:08:26.39: DNSBLplug: Domain action = 0 (OK (no match))
Client connection error (connection reset by peer ); aborting session
23-SEP-2013 21:08:26.43: RelayPlug: End connection event triggered

So the domains are in.constantcontact.com (an email host) and mailing.internationalcardservices.nl – both respectable companies.

There has been a connection from in.constantcontact.com but that came from another address:

23-SEP-2013 20:16:59.24: RelayPlug: Connection accepted from 208.75.123.225
23-SEP-2013 20:16:59.24: RelayPlug: External IP address, so set up to check MAIL FROM:....
23-SEP-2013 20:17:01.88: RelayPlug: MAIL FROM:<(generated_username)@in.constantcontact.com>
23-SEP-2013 20:17:01.88: PMASplug: MAIL FROM: <(generated_username)@in.constantcontact.com>
23-SEP-2013 20:17:01.88: DNSBLplug: MAIL FROM: <(generated_username)@in.constantcontact.com>
23-SEP-2013 20:17:01.88: DNSBLplug: Checking address 208.75.123.225....
23-SEP-2013 20:17:01.88: DNSBLplug: Address action = 0 (OK (no match))
23-SEP-2013 20:17:01.90: DNSBLplug: Checking domain name in.constantcontact.com....
23-SEP-2013 20:17:01.90: DNSBLplug: Domain action = 0 (OK (no match))
23-SEP-2013 20:17:02.06: RelayPlug: RCPT TO:<(my address)>
23-SEP-2013 20:17:02.44: PMASplug: Created source header X-PMAS-External: name [address] (HELO (name))
23-SEP-2013 20:17:03.12: PMASplug: Message complete, deferred size is 37588
23-SEP-2013 20:17:03.13: PMASplug: Adding header: X-PMAS-External: name [address] (HELO (name))
23-SEP-2013 20:17:03.13: PMASplug: RCPT TO: (my address) / (my address)
23-SEP-2013 20:17:03.13: PMASplug: Calling PMAS to process the message....
23-SEP-2013 20:17:25.23: PMASplug: PMAS returned status: 1
23-SEP-2013 20:17:25.23: PMASplug: Number of recipients: 1, number of dispositions: 1
23-SEP-2013 20:17:25.23: PMASplug: Message quarantined or discarded for all recipients
23-SEP-2013 20:17:25.24: DNSBLplug: Reset event triggered
23-SEP-2013 20:17:25.39: RelayPlug: End connection event triggered

and that message is indeed found in the ‘discarded’ box.
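To pick these sessions out of a worker log automatically, here is an added example (not part of the original post and not PMAS code): a small Python parser that splits a worker log into connections and labels each one, separating the "sender given, then connection reset before RCPT TO" pattern from a normal or quarantined delivery. The log text it runs on is constructed to mimic the format of the excerpts above; the long local part, the recipient address and the third source address 192.0.2.10 (a documentation range) are placeholders, and the 64-character threshold for flagging a long sender name is an arbitrary assumption.

```python
import re

# Constructed sample of PMAS worker-process log lines, modelled on the format
# of the excerpts in the post. The 80-character local part, the recipient
# me@example.net and the source 192.0.2.10 are placeholders, not captures.
LONG_LOCAL = "x" * 80   # stands in for the long generated sender name

SAMPLE_LOG = f"""\
23-SEP-2013 21:08:24.14: RelayPlug: Connection accepted from 208.75.123.163
23-SEP-2013 21:08:24.17: RelayPlug: External IP address, so set up to check MAIL FROM:....
23-SEP-2013 21:08:26.38: RelayPlug: MAIL FROM:<{LONG_LOCAL}@in.constantcontact.com>
23-SEP-2013 21:08:26.38: PMASplug: MAIL FROM: <{LONG_LOCAL}@in.constantcontact.com>
23-SEP-2013 21:08:26.39: DNSBLplug: Checking address 208.75.123.163....
23-SEP-2013 21:08:26.39: DNSBLplug: Address action = 0 (OK (no match))
23-SEP-2013 21:08:26.39: DNSBLplug: Checking domain name in.constantcontact.com....
23-SEP-2013 21:08:26.39: DNSBLplug: Domain action = 0 (OK (no match))
Client connection error (connection reset by peer ); aborting session
23-SEP-2013 21:08:26.43: RelayPlug: End connection event triggered
23-SEP-2013 20:16:59.24: RelayPlug: Connection accepted from 208.75.123.225
23-SEP-2013 20:17:01.88: RelayPlug: MAIL FROM:<newsletter@in.constantcontact.com>
23-SEP-2013 20:17:01.88: DNSBLplug: Address action = 0 (OK (no match))
23-SEP-2013 20:17:02.06: RelayPlug: RCPT TO:<me@example.net>
23-SEP-2013 20:17:25.23: PMASplug: PMAS returned status: 1
23-SEP-2013 20:17:25.23: PMASplug: Message quarantined or discarded for all recipients
23-SEP-2013 20:17:25.39: RelayPlug: End connection event triggered
23-SEP-2013 22:01:10.00: RelayPlug: Connection accepted from 192.0.2.10
23-SEP-2013 22:01:11.00: RelayPlug: MAIL FROM:<alice@example.org>
23-SEP-2013 22:01:11.50: RelayPlug: RCPT TO:<me@example.net>
23-SEP-2013 22:01:12.00: PMASplug: PMAS returned status: 0
23-SEP-2013 22:01:12.10: RelayPlug: End connection event triggered
"""

# Only the RelayPlug copies of MAIL FROM / RCPT TO are matched; the PMASplug
# and DNSBLplug lines repeat the same value with a different spacing.
ACCEPT_RE = re.compile(r"RelayPlug: Connection accepted from (\S+)")
MAIL_FROM_RE = re.compile(r"RelayPlug: MAIL FROM:\s*<([^>]*)>")
RCPT_RE = re.compile(r"RelayPlug: RCPT TO:\s*<([^>]*)>")
STATUS_RE = re.compile(r"PMAS returned status: (\d+)")


def parse_sessions(log_text):
    """Split a worker log into per-connection records.

    A worker handles one connection at a time, so sessions are delimited in
    order by 'Connection accepted from' and 'End connection event triggered'.
    The 'Client connection error' line carries no timestamp, so every match is
    made on the message text alone.
    """
    sessions = []
    cur = None
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            cur = {"ip": m.group(1), "mail_from": None, "rcpt": [],
                   "aborted": False, "pmas_status": None, "quarantined": False}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if (m := MAIL_FROM_RE.search(line)):
            cur["mail_from"] = m.group(1)
        elif (m := RCPT_RE.search(line)):
            cur["rcpt"].append(m.group(1))
        elif (m := STATUS_RE.search(line)):
            cur["pmas_status"] = int(m.group(1))
        elif "aborting session" in line:
            cur["aborted"] = True
        elif "Message quarantined or discarded" in line:
            cur["quarantined"] = True
        elif "End connection event triggered" in line:
            cur = None
    return sessions


def classify(session, long_local_part=64):
    """Label one session; the threshold for a 'long' local part is an assumption."""
    local, _, domain = (session["mail_from"] or "").partition("@")
    if session["mail_from"] and session["aborted"] and not session["rcpt"]:
        # The pattern in the post: sender announced, DNSBL checks pass, then
        # the peer resets the connection before ever sending RCPT TO.
        verdict = "aborted-after-MAIL-FROM"
    elif session["aborted"]:
        verdict = "aborted"
    elif session["quarantined"]:
        verdict = "quarantined"
    else:
        verdict = "completed"
    return {"ip": session["ip"], "domain": domain, "local_len": len(local),
            "long_local": len(local) >= long_local_part, "verdict": verdict}


def report(log_text, long_local_part=64):
    return [classify(s, long_local_part) for s in parse_sessions(log_text)]


def aborted_sources(log_text):
    """(ip, domain) pairs that hung up after MAIL FROM, e.g. to feed a blocklist."""
    return {(r["ip"], r["domain"]) for r in report(log_text)
            if r["verdict"] == "aborted-after-MAIL-FROM"}


if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(f'{r["ip"]:16} {r["domain"]:24} local={r["local_len"]:3} '
              f'long={str(r["long_local"]):5} {r["verdict"]}')
```

Run against the constructed log, the first connection comes out as aborted-after-MAIL-FROM with an 80-character local part, the second as quarantined and the third as completed; only the first ends up in `aborted_sources`, which is the set you would compare against what the firewall is supposed to be blocking.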

Why did this start happening in the first place? The protocol (eDonkey) has been blocked from the beginning and these messages never appeared before. And why just these two addresses? The only remarkable thing is the size of the FROM address: almost 90 characters. If this is similar to the eDonkey signature, it would explain the behaviour…
A second question in this matter: in the firewall, I have defined these two addresses as objects to be blocked, but they still reach the network: the messages keep appearing.

So Draytek has to answer a question or two …
