
Logwatch explained


stevenriz

IS-IT--Management
May 21, 2001
1,069
Hi, can someone help me to know exactly what is going on here? From what I understand, this really isn't a problem, but I thought I'd run it by the experts ;)

Our daily logwatch email shows the following packets hitting port 25. Is this a problem? Should I block these IP addresses with iptables? How many packets is a lot? I don't see 20000 being a whole heck of a lot. Should we be concerned? Could they be remote users retrieving their email?
Thanks!

------------------ Kernel Begin ------------------------
Logged 21354 packets on interface eth0
From 4.78.204.162 - 165 packets to tcp(25)
From 63.123.248.14 - 76 packets to tcp(25)
From 63.123.248.24 - 21 packets to tcp(25)
From 198.104.156.37 - 20985 packets to tcp(25)
From 211.179.169.3 - 107 packets to tcp(25)
--------------------- Kernel End -----------------------
 
It's not remote users retrieving their mail; that would use POP or IMAP (assuming unencrypted), which use ports 110 and 143, respectively.

This just means that someone connected to your sendmail and sent you emails. Who are they? Well, 3 of the IPs don't resolve, but 2 of them do:

smtp1 mail # host 4.78.204.162
162.204.78.4.in-addr.arpa is an alias for 162.160-167.204.78.4.in-addr.arpa.
162.160-167.204.78.4.in-addr.arpa domain name pointer NAT.sb.corp.valueclick.com.
smtp1 mail # host 198.104.156.37
37.156.104.198.in-addr.arpa domain name pointer outbound.shareasale.com.

So those two people sent you email that your server accepted.

Overall I would say it's probably not a lot to worry about. It just means that you are receiving mail.

Now if you see a site that has 100000000 packets to tcp(25), then I would be very worried. As it stands now, I don't see anything bad in that summary.
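One way to turn the reply's rule of thumb into a repeatable check is to parse the logwatch Kernel section and flag any single source that dominates the traffic to a port. This is an added example, not code from the thread or from logwatch; the sample text is the post's own summary embedded as a string, and the thresholds (50% share, at least 1000 packets) are assumed values to tune per site.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Kernel section exactly as quoted in the post.
SAMPLE = """\
------------------ Kernel Begin ------------------------
Logged 21354 packets on interface eth0
From 4.78.204.162 - 165 packets to tcp(25)
From 63.123.248.14 - 76 packets to tcp(25)
From 63.123.248.24 - 21 packets to tcp(25)
From 198.104.156.37 - 20985 packets to tcp(25)
From 211.179.169.3 - 107 packets to tcp(25)
--------------------- Kernel End -----------------------
"""

# Matches lines of the form "From <src> - <n> packets to <proto>(<port>)".
LINE_RE = re.compile(r"^From (\S+) - (\d+) packets to (\w+)\((\d+)\)$")
Row = Tuple[str, int, str, int]  # (source, packets, proto, port)


def parse_kernel_section(text: str) -> List[Row]:
    """Return one (source, packets, proto, port) tuple per 'From ...' line."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, pkts, proto, port = m.groups()
            rows.append((src, int(pkts), proto, int(port)))
    return rows


def flag_sources(rows: List[Row], share_threshold: float = 0.5,
                 min_packets: int = 1000) -> List[Tuple[str, int, float]]:
    """Flag sources sending at least min_packets that also account for at
    least share_threshold of all packets to the same proto/port. A dominant
    sender on tcp(25) is often just a busy legitimate relay, but it is the
    one to cross-check against the MTA's own log before deciding anything."""
    totals: Dict[Tuple[str, int], int] = {}
    for _src, pkts, proto, port in rows:
        totals[(proto, port)] = totals.get((proto, port), 0) + pkts
    flagged = []
    for src, pkts, proto, port in rows:
        share = pkts / totals[(proto, port)]
        if pkts >= min_packets and share >= share_threshold:
            flagged.append((src, pkts, round(share, 3)))
    return flagged


if __name__ == "__main__":
    for src, pkts, share in flag_sources(parse_kernel_section(SAMPLE)):
        print(f"{src}: {pkts} packets ({share:.1%} of port traffic)")
```

On the post's summary this flags only 198.104.156.37 (about 98% of the port 25 packets), which is the host that resolved to outbound.shareasale.com in the reply.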
 