We've been battling some bandwidth issues at my company lately and so we've done extensive scouring of our Cisco ASA logs to try and find the source(s) of the problem. Over the weekend I ran into this little gem:
2014-03-22 12:14:13 Local4.Warning 10.100.20.1 %ASA-4-106023: Deny tcp src Lan1:10.100.20.74/49353 dst HSInternet:209.134.48.10/25 by access-group "Lan1_access_in" [0xb0069b3c, 0x0]
This is an entry in our firewall's syslog that shows that one of my domain controllers (10.100.20.74 in the example) is attempting, unsuccessfully, to connect to an outside SMTP server at the address 209.134.48.10 on port 25 (we only recently closed this type of connection on our network, so previous connections may have been successful). We have no software installed that would be making SMTP connections anywhere, and I've scanned the machine thoroughly looking for malware or viruses or rootkits. All this machine does is AD domain services, DHCP, and DNS. It has no third party software installed, and never has.
The IP 209.134.48.10 has a reverse DNS entry of df7yjcp1.redplaid.com, and I hooked to it using telnet to confirm that it is indeed an SMTP server. Redplaid seems to be some hosting company based out of Missouri, but beyond that I have no additional information on the company.
Does anyone have any idea why my global catalog is making SMTP connections to a seemingly random server on the internet?
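One way to do the kind of log scouring described above systematically, as an added example that is not part of the original post: a small Python script that parses Cisco ASA `%ASA-4-106023` deny messages from a syslog export, keeps only TCP denies to SMTP ports, and tallies them per internal source address so that a host quietly retrying outbound mail (as the domain controller in the question does) stands out. It generalizes slightly beyond the post by also counting submission ports 465 and 587. The sample log lines are constructed for the example (the first one is the entry from the post; the others use documentation-range addresses), and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Regex for the Cisco ASA 106023 deny message, matching the layout of the
# entry in the post: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group "<acl>"". Field names here are the example's own choice.
ASA_106023 = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log (first line is the one from the post; the rest use
# 203.0.113.0/24 and 198.51.100.0/24 documentation addresses).
SAMPLE_LOG = [
    '2014-03-22 12:14:13 Local4.Warning 10.100.20.1 %ASA-4-106023: Deny tcp src '
    'Lan1:10.100.20.74/49353 dst HSInternet:209.134.48.10/25 by access-group '
    '"Lan1_access_in" [0xb0069b3c, 0x0]',
    '2014-03-22 12:19:40 Local4.Warning 10.100.20.1 %ASA-4-106023: Deny tcp src '
    'Lan1:10.100.20.74/49402 dst HSInternet:203.0.113.5/25 by access-group '
    '"Lan1_access_in" [0xb0069b3c, 0x0]',
    '2014-03-22 12:21:02 Local4.Warning 10.100.20.1 %ASA-4-106023: Deny tcp src '
    'Lan1:10.100.20.80/50110 dst HSInternet:203.0.113.5/587 by access-group '
    '"Lan1_access_in" [0xb0069b3c, 0x0]',
    '2014-03-22 12:21:30 Local4.Warning 10.100.20.1 %ASA-4-106023: Deny tcp src '
    'Lan1:10.100.20.80/50111 dst HSInternet:198.51.100.7/443 by access-group '
    '"Lan1_access_in" [0xb0069b3c, 0x0]',
    # An unrelated (non-deny) message that the parser must ignore.
    '2014-03-22 12:22:00 Local4.Info 10.100.20.1 %ASA-6-302013: Built outbound TCP '
    'connection 12345 for HSInternet:198.51.100.7/443 (198.51.100.7/443) to '
    'Lan1:10.100.20.80/50112 (10.100.20.80/50112)',
]


def parse_deny(line):
    """Return the fields of a 106023 deny message as a dict, or None if the
    line is some other ASA message."""
    m = ASA_106023.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event['src_port'] = int(event['src_port'])
    event['dst_port'] = int(event['dst_port'])
    return event


def outbound_smtp_by_source(lines, smtp_ports=(25, 465, 587)):
    """Count denied TCP connections to SMTP ports per internal source IP and
    collect the external destinations each source tried.

    Returns (counts, destinations): a Counter keyed by source IP and a dict
    mapping source IP -> set of destination IPs."""
    counts = Counter()
    destinations = defaultdict(set)
    for line in lines:
        event = parse_deny(line)
        if event is None:
            continue
        if event['proto'] != 'tcp' or event['dst_port'] not in smtp_ports:
            continue
        counts[event['src_ip']] += 1
        destinations[event['src_ip']].add(event['dst_ip'])
    return counts, destinations


def report(lines):
    """Sorted (source, attempts, destinations) tuples, busiest source first."""
    counts, destinations = outbound_smtp_by_source(lines)
    return [(src, n, sorted(destinations[src]))
            for src, n in counts.most_common()]


if __name__ == '__main__':
    # Typical use: python asa_smtp_denies.py < firewall.log
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for src, n, dests in report(lines):
        print(f'{src}: {n} denied SMTP attempt(s) to {", ".join(dests)}')
```

With a real syslog export, the hosts at the top of this report are the ones worth looking at first; a server whose role never involves sending mail, such as a domain controller, appearing here with more than one distinct destination is exactly the pattern the post describes.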