Source Port 25?
Recently, I was asked if a new installation of Exchange 2007 could cause a spike in network traffic. I was sent some logs to review (I've hidden the full source IPs and changed the destination IP in a minor way):

The first thing I noticed was that the source port, not the destination port, was 25. An SMTP server listens on port 25 to receive mail, but the sending side of a connection does not use a fixed port. The second thing I checked was the name of the destination host -- and it was not an Exchange server (or any other mail server).
I relayed this information back, and the workstation that all of the traffic was destined for (192.169.1.1 for our purposes) was located and pulled from the network.
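The check described above (look at both ports, then look at what the destination host actually is) can be turned into a small review script. The following is an added example and not the post's own logs or tooling: the log format, the host inventory (`KNOWN_MAIL_SERVERS`) and the sample lines are all constructed, and it assumes a connection log in which each line records one connection with the initiator as `src`.

```python
"""Flag connections whose source port is a well-known service port (25 here)
but whose destination is not a host we expect to be speaking SMTP.

Assumptions (constructed for this example): one line per connection,
initiator recorded as src, fields src=IP:port dst=IP:port proto= bytes=.
"""
import re
from collections import defaultdict

# Constructed inventory: the only host that is supposed to run a mail server.
KNOWN_MAIL_SERVERS = {"10.1.1.25"}

# Service ports whose appearance as a *source* port toward a non-server
# host deserves a second look. Only 25 matters for this post.
WATCHED_SERVICE_PORTS = {25}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+bytes=(?P<bytes>\d+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "bytes": int(d["bytes"]),
    }


def is_suspicious(flow):
    """True when a TCP connection originates from a watched service port
    and lands on a host that is not in the mail-server inventory."""
    return (
        flow is not None
        and flow["proto"] == "tcp"
        and flow["sport"] in WATCHED_SERVICE_PORTS
        and flow["dst"] not in KNOWN_MAIL_SERVERS
    )


def review(lines):
    """Return {dst_ip: (connection_count, total_bytes)} for suspicious flows,
    so the host receiving the bulk of the traffic stands out."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        flow = parse_line(line)
        if is_suspicious(flow):
            totals[flow["dst"]][0] += 1
            totals[flow["dst"]][1] += flow["bytes"]
    return {dst: tuple(v) for dst, v in totals.items()}


# Constructed sample log: a normal submission to the mail server, two large
# inbound flows with source port 25 to a workstation, a flow to the mail
# server itself, a UDP line and a malformed line.
SAMPLE_LOG = [
    "2011-03-01 08:00:01 allow src=10.1.2.50:51234 dst=10.1.1.25:25 proto=tcp bytes=4200",
    "2011-03-01 08:00:02 allow src=198.51.100.14:25 dst=192.169.1.1:49160 proto=tcp bytes=1500000",
    "2011-03-01 08:00:05 allow src=198.51.100.23:25 dst=192.169.1.1:49161 proto=tcp bytes=1200000",
    "2011-03-01 08:00:07 allow src=203.0.113.9:25 dst=10.1.1.25:49200 proto=tcp bytes=900",
    "2011-03-01 08:00:09 allow src=10.1.2.50:25 dst=192.169.1.1:53 proto=udp bytes=100",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for dst, (count, total) in review(SAMPLE_LOG).items():
        print(f"{dst}: {count} connections from source port 25, {total} bytes")
```

Running it on the sample lines reports only the workstation, 192.169.1.1, with two connections and 2,700,000 bytes; the submission to the real mail server on destination port 25 is left alone, as is a flow whose destination is the mail server itself. The inventory lookup is what makes the rule useful: source port 25 alone says little, but source port 25 toward a host that has no business running SMTP is the thing the post's author noticed.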
Lesson: Read the whole log.
Labels: not so clever, SMTP
