You could use FakeDNS and MailPot to maybe capture what happens after
the connection is created. Here is the link to the tools. I haven't
used them, but I know they can be used for things like this.

On 2/1/07, Paul D. Robertson wrote:
> On Thu, 1 Feb 2007, Brian Loe wrote:
> > One of our support technician's machines is attempting to connect to
> > random IP addresses on port 25 - in a pretty needy fashion. He says
> > he's scanned the box with the latest updates from McAfee and it
> > hasn't found anything.
> >
> > We discovered it because one of my basic (meaning I got it off the
> > 'Net) rules for SEC flagged it as a possible PHEL trojan.
> >
> > Any thoughts?

> See what process keeps opening sockets?
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> which may have no basis whatsoever in fact."
> _______________________________________________
> firewall-wizards mailing list

If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology.
Bruce Schneier
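Added example, not part of the original thread: one way to answer "what process keeps opening sockets?" is to group outbound port-25 connections by owning PID. It assumes the host is Windows and that the input is `netstat -ano` output; the sample text, function names and the three-host threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (documentation-range IPs).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    10.0.0.23:1045         203.0.113.7:25         SYN_SENT        1832
  TCP    10.0.0.23:1046         198.51.100.44:25       SYN_SENT        1832
  TCP    10.0.0.23:1047         192.0.2.91:25          ESTABLISHED     1832
  TCP    10.0.0.23:1048         203.0.113.200:25       SYN_SENT        1832
  TCP    10.0.0.23:1050         10.0.0.5:25            ESTABLISHED     2210
  TCP    10.0.0.23:1051         10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    696
"""


def smtp_talkers(netstat_text, port=25):
    """Map PID -> set of remote hosts it has TCP connections to on `port`."""
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five columns: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, _local, foreign, state, pid = fields
        if state == "LISTENING" or not pid.isdigit():
            continue
        # rpartition keeps bracketed IPv6 addresses intact and splits off the port.
        host, _, rport = foreign.rpartition(":")
        if rport == str(port):
            remotes[int(pid)].add(host)
    return dict(remotes)


def suspects(netstat_text, port=25, min_hosts=3):
    """PIDs talking to at least `min_hosts` distinct hosts, busiest first."""
    hits = [(pid, sorted(hosts))
            for pid, hosts in smtp_talkers(netstat_text, port).items()
            if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for pid, hosts in suspects(SAMPLE_NETSTAT):
        print(f"PID {pid}: {len(hosts)} distinct port-25 peers: {', '.join(hosts)}")
```

A PID that talks to one internal relay (2210 in the sample) is normal mail-client behaviour; a PID fanning out to many unrelated hosts is the one to map to an executable and investigate.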