This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP/SMTP mail flow cannot be understood?

0

SMTP mail server problem: I cannot understand how it went. Can you help me identify the attack or type of issue regarding this source and destination?

cloud shark - https://www.cloudshark.org/captures/50e23e13bb31

ip.src == 172.17.107.32 && ip.dst == 104.88.178.74



asked 09 Feb '16, 12:42


Bhagya
4226
accept rate: 0%


One Answer:

2

If you use a slightly different display filter, ip.src == 172.17.107.32 and ip.dst == 104.88.178.74, you'll see that 172...32 (probably yours, as it is on a private IP address) has attempted to send an e-mail from [email protected], but the receiving SMTP server 104...74 has refused to accept it, explaining that the domain virginmedia.com is on some blacklist.

If you use the display filter smtp, you'll see that this kind of rejection is not rare in the capture, coming from several different SMTP servers.

So now

  • if 172...32 is your PC attempting to send this without your knowledge, it indicates that it became part of some botnet due to infection by some malware. Sending spam is just one of the things the owner of the botnet can ask your PC to do, so you should visit your malware specialist immediately (and disconnect the PC from the net as the first thing),

  • if 172...32 is your mail server, you should take measures similar to those used by the peer SMTP servers, so that you wouldn't forward the spam sent to you by other SMTP servers.

answered 09 Feb '16, 13:24


sindy
6.0k4851
accept rate: 24%

It's the way of a botnet. Analyzing could find out about it.

Thank you very much.

And while going through the other streams, I found these things:

1) What is a TCP retransmission?

2) What does [PSH, ACK] define?

(12 Feb '16, 04:48) Bhagya

PSH is an attribute of a TCP packet which the sender uses if it wants the recipient to immediately start handling the data received so far. Normally, the TCP stack at the receiver side would accumulate the received data in a buffer and offer it to the application when the buffer is full enough (to save CPU time); reception of a packet with the PSH flag set says it should offer the buffer contents to the application immediately, regardless of its size. So if the communication between the client and the server is message-based, and a single protocol message (PDU, protocol data unit) uses more than one TCP packet, the last packet carrying the PDU is often sent with PSH set to 1.

A retransmission means that a source sends again a packet which it has already sent before, because it has learnt, by explicit or implicit means, that the previously sent packet has not reached the recipient. It is not a TCP-specific behaviour.

(12 Feb '16, 05:06) sindy

So, is PSH said to push the data immediately back to the application which requests it?

Does the PSH flag mean that its main task is to push the received data up to the receiving application immediately?

(12 Feb '16, 09:32) Bhagya

@Bhagya, these questions regarding TCP retransmission and the meaning of PSH should have been asked as separate new Questions, as this is the idea of this site. So I'll try to clarify the PSH here anyway, as it seems you didn't get the point of my explanation, but please ask any additional questions (although they may be loosely related to what we have discussed here) as separate ones.

Now to the PSH: a TCP session provides a bi-directional, point-to-point communication channel over an IP network. Imagine just one direction of the data transmission to consist of the following elements:

  • the sending application
  • the TCP, IP, ethernet protocol stack on the sending machine
  • the IP network
  • the ethernet, IP, TCP stack on the receiving machine
  • the receiving application.

When the sending application indicates to the sending TCP stack that the data it has just written to the sending buffer should be marked with PSH, the TCP stack sends out whatever data it currently has in its buffer, in as many packets as necessary to accommodate that data, and in the last packet sent, it sets the PSH bit. The receiving TCP stack stores any received packets' payload in its receiving buffer, and notifies the receiving application about the availability of new data in that buffer based on its own decision. But if it receives a packet with PSH set, it notifies the receiving application immediately.

So no push "back" takes place. The push is in the same direction as the data itself.

(12 Feb '16, 12:22) sindy
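As an added example that is not part of the original thread: a small Python decoder that reads raw TCP headers and labels the flags the way Wireshark does, marks a segment as a retransmission when the bytes it carries were already sent earlier in the stream (the core of Wireshark's "TCP Retransmission" heuristic, simplified), and uses PSH to find where each PDU ends. The segments, port numbers and sequence numbers below are constructed, not taken from the capture.

```python
import struct

# TCP flag bits in the low 9 bits of the offset/flags word (RFC 793, RFC 3168, RFC 3540).
# Ascending bit order gives Wireshark's label order, e.g. "[PSH, ACK]".
FLAGS = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH", 0x010: "ACK",
         0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS"}

def parse_tcp_header(hdr: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (options, if any, are ignored)."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4,
            "flags": [n for bit, n in sorted(FLAGS.items()) if off_flags & bit]}

def build_tcp_header(sport, dport, seq, ack, flags, win=65535) -> bytes:
    """Constructed test helper: 20-byte header (data offset 5 words), zero checksum."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)

def analyze_stream(segments):
    """segments: (header_bytes, payload_len) in capture order, one direction only.
    A data segment whose whole range was already covered by an earlier segment is
    flagged as a retransmission; PSH closes the PDU currently being accumulated."""
    next_seq, pdu_bytes, pdus, records = None, 0, [], []
    for hdr, plen in segments:
        h = parse_tcp_header(hdr)
        end = h["seq"] + plen
        retrans = plen > 0 and next_seq is not None and end <= next_seq
        if not retrans:
            next_seq = end if next_seq is None else max(next_seq, end)
            pdu_bytes += plen
            if "PSH" in h["flags"]:          # sender marked the end of a message
                pdus.append(pdu_bytes)
                pdu_bytes = 0
        records.append({**h, "len": plen, "retransmission": retrans})
    return records, pdus

# Constructed sample: client 172.17.107.32 -> SMTP server port 25, client direction only.
SAMPLE = [
    (build_tcp_header(49152, 25, 1000, 5000, 0x010), 1460),  # [ACK], first part of a PDU
    (build_tcp_header(49152, 25, 2460, 5000, 0x018), 200),   # [PSH, ACK], last part of the PDU
    (build_tcp_header(49152, 25, 2460, 5000, 0x018), 200),   # same bytes again: retransmission
    (build_tcp_header(49152, 25, 2660, 5000, 0x018), 6),     # a short one-segment PDU
]

if __name__ == "__main__":
    recs, pdus = analyze_stream(SAMPLE)
    for r in recs:
        print(f"seq={r['seq']} len={r['len']} [{', '.join(r['flags'])}]"
              + (" TCP Retransmission" if r["retransmission"] else ""))
    print("PDU sizes:", pdus)
```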

Got it. This was very helpful and everything is clear now. Thank you for the kind response.

(08 Apr '16, 08:20) Bhagya