Petkoa
985 pts. | Jun 11 2009 3:38PM GMT
Hi,
Maybe there is a quite legitimate reason for the redhat box to send mail ("smtp packets") - e.g., a cron job is outputting something, and this is automatically mailed to the user to whom the cron job belongs. Generally, you can recognize this kind of activity by its periodicity - but not always, e.g. a job running every hour but outputting some information on an irregular basis...
Then, netstat will not be very useful in your case - either you have the mailer daemon running (which is normal) and port 25 is open all the time, or your "offending" process (or legitimate cron) is starting the mailer when it is needed - which is hardly predictable, as I discussed earlier.
I am not really sure what to advise - maybe you'll inspect the maillogs; if cron or some other legitimate job is the culprit, they will not hide their mailings from logging; otherwise, set up a "mail proxy" on the firewall which intercepts this mailing activity (and maybe run an ident daemon on the redhat box so as to give more information about the sending user) and inspect the mails.
Good luck,
Petko
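The maillog inspection Petko suggests, as an added example that is not part of the original post: a small parser for sendmail-style maillog lines that groups messages by sender, shows where each one went, and flags senders whose messages are evenly spaced (the periodicity signature of a cron job). The log lines, host name, queue IDs and addresses are constructed for the demo; only the field layout follows sendmail's log format.

```python
"""Parse sendmail-style maillog lines: who sends, where it goes, and whether
the sends are evenly spaced (the cron signature described in the thread).
The sample log is constructed for the demo; host, queue IDs and addresses
are invented, the field layout is sendmail's."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an hourly root cron job mailing its output locally,
# plus one irregular message from a service account that leaves the box.
SAMPLE_MAILLOG = """\
Jun 11 01:00:01 rhbox sendmail[2101]: n5B101aa002101: from=root, size=412, class=0, nrcpts=1, relay=root@localhost
Jun 11 01:00:01 rhbox sendmail[2102]: n5B101aa002101: to=root, delay=00:00:00, mailer=local, stat=Sent
Jun 11 02:00:01 rhbox sendmail[2310]: n5B201bb002310: from=root, size=408, class=0, nrcpts=1, relay=root@localhost
Jun 11 02:00:01 rhbox sendmail[2311]: n5B201bb002310: to=root, delay=00:00:00, mailer=local, stat=Sent
Jun 11 02:17:45 rhbox sendmail[2402]: n5B2Hjcc002402: from=<webapp@rhbox.example>, size=9120, class=0, nrcpts=1, relay=webapp@localhost
Jun 11 02:17:46 rhbox sendmail[2403]: n5B2Hjcc002402: to=<drop@relay.example>, delay=00:00:01, mailer=esmtp, relay=relay.example. [198.51.100.7], stat=Sent (ok)
Jun 11 03:00:01 rhbox sendmail[2520]: n5B301dd002520: from=root, size=415, class=0, nrcpts=1, relay=root@localhost
Jun 11 03:00:01 rhbox sendmail[2521]: n5B301dd002520: to=root, delay=00:00:00, mailer=local, stat=Sent
"""

# "<timestamp> <host> sendmail[<pid>]: <queue id>: key=value, key=value, ..."
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): (.*)$")
FIELD_RE = re.compile(r"(\w+)=([^,]+)")


def parse_maillog(text, year=2009):
    """Merge the from= and to= lines of each queue ID into one message record."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"qid": qid})
        fields = dict(FIELD_RE.findall(rest))
        if "from" in fields:  # submission line: when and by whom
            rec["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            rec["from"] = fields["from"].strip("<>")
        if "to" in fields:  # delivery line: recipient, mailer, relay, status
            rec["to"] = fields["to"].strip("<>")
            rec["mailer"] = fields.get("mailer", "")
            rec["relay"] = fields.get("relay", "")
            rec["stat"] = fields.get("stat", "")
    return [r for r in msgs.values() if "time" in r]


def sender_summary(records, tolerance_s=5):
    """Per sender: message count, recipients, how many left the box (non-local
    mailer), and the send period in seconds if the gaps are all equal within
    tolerance_s (None when irregular or fewer than three messages)."""
    by_sender = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_sender[r["from"]].append(r)
    summary = {}
    for sender, recs in by_sender.items():
        times = [r["time"] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s
        summary[sender] = {
            "count": len(recs),
            "recipients": sorted({r.get("to", "?") for r in recs}),
            "left_box": sum(1 for r in recs if r.get("mailer", "local") != "local"),
            "period_s": gaps[0] if periodic else None,
        }
    return summary


if __name__ == "__main__":
    for sender, info in sender_summary(parse_maillog(SAMPLE_MAILLOG)).items():
        print(sender, info)
```

On a real box, feed it /var/log/maillog (or the relevant rotated copies) instead of the sample; the hourly root sender shows up with a constant period, while the one-off service-account message shows no period and a non-local mailer, which is the kind of entry worth chasing.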
Gnsc
20 pts. | Jun 12 2009 7:02PM GMT
What software is running on the RH box???
Try running Wireshark or another packet sniffer, either inline to the PC or via a span port on the PC's switch. It should capture not only the activity but the packets themselves, so they can be reviewed. This will also show you if there is a pattern to the traffic. Look at the destination of the packets for a clue. Look at the packets to see if they really are SMTP or just spurious stuff talking to port 25. The best way to solve a problem is to have as much info as possible. This is the starting point.
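The two checks Gnsc recommends on the capture (where the port-25 packets go, and whether they are really SMTP), as an added example that is not part of the original post: it sorts captured packets into connections per destination and only counts a connection as SMTP when the server side greets with a 3-digit reply code and the client side issues an SMTP verb. The capture is constructed with invented addresses; with a real capture you would parse tcpdump or Wireshark output into the same (time, src, sport, dst, dport, payload) tuples.

```python
"""Classify captured port-25 traffic by destination and by whether the
payload is actually SMTP. The packet list is a constructed capture."""
import re
from collections import defaultdict

# First thing the server says must be a 3-digit SMTP reply ("220 host ESMTP").
SERVER_REPLY = re.compile(rb"^\d{3}[ -]")
# Client must issue a real SMTP verb, not just bytes aimed at port 25.
CLIENT_VERB = re.compile(
    rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|QUIT|STARTTLS|AUTH)[ <\r\n]", re.I)
ENVELOPE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<?([^>\r\n]*)>?", re.I)

# Constructed capture: (seconds since start, src, sport, dst, dport, payload).
CAPTURE = [
    # A genuine SMTP session from the box (10.0.0.5) to a relay host.
    (0.00, "198.51.100.7", 25, "10.0.0.5", 41002, b"220 relay.example ESMTP\r\n"),
    (0.01, "10.0.0.5", 41002, "198.51.100.7", 25, b"EHLO rhbox\r\n"),
    (0.02, "198.51.100.7", 25, "10.0.0.5", 41002, b"250-relay.example\r\n250 SIZE 10240000\r\n"),
    (0.03, "10.0.0.5", 41002, "198.51.100.7", 25, b"MAIL FROM:<root@rhbox>\r\n"),
    (0.04, "198.51.100.7", 25, "10.0.0.5", 41002, b"250 2.1.0 Ok\r\n"),
    (0.05, "10.0.0.5", 41002, "198.51.100.7", 25, b"RCPT TO:<admin@example.net>\r\n"),
    (0.06, "198.51.100.7", 25, "10.0.0.5", 41002, b"250 2.1.5 Ok\r\n"),
    (0.07, "10.0.0.5", 41002, "198.51.100.7", 25, b"QUIT\r\n"),
    # Something that merely targets port 25: no banner, no verbs, opaque bytes.
    (3600.0, "10.0.0.5", 41377, "203.0.113.9", 25, b"\x00\x01\x02\x03NOTMAIL\xff\xfe"),
    (7200.0, "10.0.0.5", 41901, "203.0.113.9", 25, b"\x00\x01\x02\x03NOTMAIL\xff\xfe"),
]


def conversations(packets):
    """Group packets into connections keyed by (client, client port, server);
    whichever side uses port 25 is treated as the server."""
    convs = defaultdict(list)
    for t, src, sport, dst, dport, payload in packets:
        if dport == 25:
            convs[(src, sport, dst)].append((t, "client", payload))
        elif sport == 25:
            convs[(dst, dport, src)].append((t, "server", payload))
    for conv in convs.values():
        conv.sort(key=lambda p: p[0])
    return convs


def is_smtp(conv):
    """Both halves of the protocol must be present: a reply-code greeting from
    the server and at least one SMTP verb from the client."""
    server = [p for _, side, p in conv if side == "server"]
    client = [p for _, side, p in conv if side == "client"]
    greeted = bool(server) and SERVER_REPLY.match(server[0]) is not None
    spoke_smtp = any(CLIENT_VERB.match(p) for p in client)
    return greeted and spoke_smtp


def by_destination(packets):
    """Per destination host: connection counts, first/last seen, and the
    envelope addresses from the connections that really were SMTP."""
    report = {}
    for (client, cport, server), conv in conversations(packets).items():
        e = report.setdefault(server, {"connections": 0, "smtp": 0, "not_smtp": 0,
                                       "first": None, "last": None,
                                       "mail_from": set(), "rcpt_to": set()})
        e["connections"] += 1
        t0, t1 = conv[0][0], conv[-1][0]
        e["first"] = t0 if e["first"] is None else min(e["first"], t0)
        e["last"] = t1 if e["last"] is None else max(e["last"], t1)
        if not is_smtp(conv):
            e["not_smtp"] += 1
            continue
        e["smtp"] += 1
        for _, side, p in conv:
            m = ENVELOPE.match(p) if side == "client" else None
            if m:
                bucket = "mail_from" if m.group(1).upper() == b"MAIL FROM" else "rcpt_to"
                e[bucket].add(m.group(2).decode("ascii", "replace"))
    return report


if __name__ == "__main__":
    for dest, info in by_destination(CAPTURE).items():
        print(dest, info)
```

The destination report is the clue Gnsc points at: a relay host with proper envelopes is the local mailer doing its job, while a host that only ever receives non-SMTP bytes on port 25 is the one to look at more closely, and its first/last timestamps are the starting point for spotting a pattern.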