my isp notified me that they were seeing smtp traffic with the W32/Mytob-BE virus coming from the public interface of one of my bordermanager servers. they showed me the logs. i did a packet capture on this server and i see what seems to be strange smtp traffic that shouldn't be there, but don't understand why.

my filter exceptions are rather restrictive. i have two smtp exceptions. they are both stateful. one is outbound gwia private to public with a source address of GWIA. the second is gwia inbound public to private with a destination of GWIA.

the odd traffic appears to be coming from workstation addresses and going directly to real world addresses, but they are all smtp-syn packets.

Netware 6.5.4, BM 3.8.4, bm38sp4_ir1, tcp661e

any suggestions?