Wireshark-users: Re: [Wireshark-users] Network Delay (SMTP)

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 30 Oct 2013 09:52:12 -0400
On 10/30/13 09:30, Roman Gelfand wrote:
Looking at the tcp stream, below, of a smtp conversation, it appears
there is a 5 second delay before the actual smtp conversation begins.
Is this normal behavior?  If not, any ideas what/where specifically?
Any ideas of what are the next wireshark diagnostic tools I should be
using to further identify the problem?

15047 02:57:33.441270000 192.168.0.209 192.168.0.239 TCP 66 54398 > smtp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
15048 02:57:33.441494000 192.168.0.239 192.168.0.209 TCP 66 smtp > 54398 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=16
15049 02:57:33.441515000 192.168.0.209 192.168.0.239 TCP 54 54398 > smtp [ACK] Seq=1 Ack=1 Win=65700 Len=0
15237 02:57:38.461112000 192.168.0.239 192.168.0.209 SMTP 97 S: 220 pmx1.mydomain.biz ESMTP Postfix

Delaying the greeting is a SPAM-prevention technique I read about years ago. Took me a while to find a reference, but here's one:

http://tldp.org/HOWTO/Spam-Filtering-for-MX/smtpdelays.html

Basically the idea is that most SPAM-sending software is lazy (and in a hurry) so it doesn't follow the protocol. Rather than waiting for the server to send its greeting, they simply connect and start sending emails. By putting a delay in the greeting, the server can determine whether the client is even attempting to follow the protocol (if it's not, chances are it doesn't want to be talking to it...).
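The measurement the original question asks for, as an added example that is not part of either message in this thread: parse the four Wireshark packet-list lines quoted above (re-joined one per packet) and compute the gap between the client's final handshake ACK and the server's 220 banner. The column layout and the `S: 220` info prefix are assumed to match the excerpt exactly; the sample text is constructed from it.

```python
import re
from typing import Optional

# Constructed sample: the four summary lines quoted in the thread, one packet
# per line, in Wireshark's packet-list column order
# (No., Time, Source, Destination, Protocol, Length, Info).
SAMPLE = """\
15047 02:57:33.441270000 192.168.0.209 192.168.0.239 TCP 66 54398 > smtp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
15048 02:57:33.441494000 192.168.0.239 192.168.0.209 TCP 66 smtp > 54398 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=16
15049 02:57:33.441515000 192.168.0.209 192.168.0.239 TCP 54 54398 > smtp [ACK] Seq=1 Ack=1 Win=65700 Len=0
15237 02:57:38.461112000 192.168.0.239 192.168.0.209 SMTP 97 S: 220 pmx1.mydomain.biz ESMTP Postfix
"""

# Assumed column layout; Wireshark lets you reorder columns, so adjust if needed.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)

def parse_time(t: str) -> float:
    """Convert a time-of-day column (HH:MM:SS.fraction) to seconds since midnight."""
    h, m, s = t.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_lines(text: str) -> list:
    """Turn packet-list text into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["t"] = parse_time(d["time"])
            rows.append(d)
    return rows

def greeting_delay(text: str) -> Optional[float]:
    """Seconds from the client's third-handshake ACK to the server's 220 banner.

    Returns None if either event is missing from the excerpt (e.g. the banner
    never arrived, which would point at a different problem than a greet-pause).
    """
    handshake_done = None
    for r in parse_lines(text):
        info = r["info"]
        if (handshake_done is None and r["proto"] == "TCP"
                and "[ACK]" in info and "Seq=1 Ack=1" in info):
            handshake_done = r["t"]          # three-way handshake complete
        elif handshake_done is not None and r["proto"] == "SMTP" and "S: 220" in info:
            return round(r["t"] - handshake_done, 6)
    return None
```

A value that sits just above a whole number of seconds, as here, is characteristic of a configured greeting delay rather than network latency, which the sub-millisecond handshake RTT in the same excerpt already rules out.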