From: macdaddyneo.pittstate.edu
Date: Tue Nov 13 2001 - 20:20:53 CST


    On Tue, 13 Nov 2001, Mike Tibor wrote:

    > I'm noticing an increasing amount of weird smtp relay attempts through my
    > mail server. What makes these strange is that they actually don't appear
    > to be real relay attempts, but more like someone spitting garbage during
    > the RCPT TO: part of the smtp session (ie, there's no identifiable
    > objective that I can see, vs. a "real" relay attempt which has the obvious
    > objective of discovering whether my mail server is an open relay)
    >
    > I've received about a hundred Postfix notifications over the past three or
    > four days regarding this activity, and the vast majority appear to be from
    > a single dialup customer from a local ISP here in Anchorage. However, a
    > few others were from what appeared to be a different computer (it supplied
    > a different name in the HELO part of session), coming from a different
    > Anchorage ISP.
    >
    > A number of things are consistent in these messages:
    >
    > 1. HELO identifier is the same (with the exception noted above)
    > 2. RSET always immediately after HELO
    > 3. Envelope sender always blank ("MAIL FROM: <>")
    > 4. Garbage always in RCPT TO:
    > 5. Remote computer always drops the connection
    > (it never sends QUIT to end the session)
    >
    > I've obscured the hostname and IP address of the remote computer
    > (host.isp.com[xxx.xxx.xxx.xxx])
    >
    > Does this activity look familiar to anyone? I looked through my bugtraq
    > and incidents archives and didn't notice anything that might shed some
    > light.
    >
    > If anyone has any insight as to what this might be, I would greatly
    > appreciate it.

    Mike,
            I believe I know exactly what this is. I've seen a great deal of
    similar activity and have for a long while. What I usually see are
    numerous lines like this in my maillog:

    Nov 4 07:43:15 oak sendmail[1453]: fA4DhFR01453:
    <BIG-MUSCLEoscarcam....</a>... Unbalanced '<'

    or

    Nov 4 09:32:47 oak sendmail[8612]: fA4FWiR08612:
    <H6g^U"CuQ^TtB}^K^[u/wkihWz\177?.3<Z,cTxe.C.^Q!`^U >... Unbalanced '<'

    Each one accompanies a bounce to postmaster. The guts of that bounce
    contain the Snow White and the Seven Dwarfs text that we're all too
    familiar with. I believe what you're seeing is the same thing. The side
    effects of clients infected with Hybris. Have that user disinfect their
    machine and I bet this will stop (at least from them).

    Justin
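    The two posters describe the same thing from different angles: Mike lists
    five session-level indicators (RSET straight after HELO, a null envelope
    sender, garbage in RCPT TO, no QUIT) and Justin sees the sendmail-side
    symptom (an "Unbalanced '<'" bounce). The script below is an added example
    written for this archive page, not code from either poster. It scores
    per-session SMTP command logs against those indicators and separately
    pulls the offending recipient strings out of sendmail syslog lines, so a
    mail admin can tell this garbage traffic apart from an ordinary relay
    probe. The session-log line format (`session_id VERB args`) is an
    assumption, and both sample inputs are constructed, not real captures.

```python
"""Score SMTP sessions against the garbage-RCPT pattern from the thread,
and extract sendmail "Unbalanced '<'" hits from a maillog.

Added example; the log formats and sample data below are constructed."""
import re
from collections import Counter

# Constructed per-session command log (format assumed: "sid VERB args").
# s1 mirrors the reported pattern, s2 is ordinary mail, s3 is a plain relay
# probe that closes its session cleanly.
SAMPLE_SESSION_LOG = """\
s1 HELO host.isp.com
s1 RSET
s1 MAIL FROM:<>
s1 RCPT TO:<H6g^U"CuQ^TtB}^K^[u/wkihWz>
s1 DISCONNECT
s2 HELO mx.example.net
s2 MAIL FROM:<alice@example.net>
s2 RCPT TO:<bob@example.org>
s2 DATA
s2 QUIT
s3 HELO relaytest.example
s3 MAIL FROM:<probe@example.com>
s3 RCPT TO:<victim@other.example>
s3 QUIT
"""

# Constructed sendmail syslog lines, joined onto one line each as syslog
# writes them (the thread's copies were wrapped by the mailer).
SAMPLE_MAILLOG = [
    "Nov  4 07:43:15 oak sendmail[1453]: fA4DhFR01453: "
    "<BIG-MUSCLEoscarcam....</a>... Unbalanced '<'",
    "Nov  4 09:32:47 oak sendmail[8612]: fA4FWiR08612: "
    "<H6g^U\"CuQ^TtB}^K^[u/wkihWz\\177?.3<Z,cTxe.C.^Q!`^U >... Unbalanced '<'",
    "Nov  4 09:40:01 oak sendmail[8700]: fA4Fe1R08700: "
    "from=<alice@example.net>, size=1024, class=0, nrcpts=1",
]

# Loose check for "looks like an address"; anything failing it is garbage.
ADDRESS_RE = re.compile(r"^<?[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}>?$")
UNBALANCED_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)\.\.\. Unbalanced '<'")


def parse_sessions(log_text):
    """Group 'sid VERB args' lines into {sid: [(VERB, args), ...]}."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sid, _, rest = line.partition(" ")
        verb, _, arg = rest.partition(" ")
        sessions.setdefault(sid, []).append((verb.upper(), arg))
    return sessions


def _address_part(arg):
    """'FROM:<x>' / 'TO: <x>' -> '<x>' (tolerates a space after the colon)."""
    return arg.split(":", 1)[1].strip() if ":" in arg else arg.strip()


def indicators(cmds):
    """Return the names of the thread's indicators matched by one session."""
    found = []
    verbs = [v for v, _ in cmds]
    if any(v in ("HELO", "EHLO") and verbs[i + 1] == "RSET"
           for i, v in enumerate(verbs[:-1])):
        found.append("rset-after-helo")
    if any(v == "MAIL" and _address_part(a) == "<>" for v, a in cmds):
        found.append("null-sender")
    if any(v == "RCPT" and not ADDRESS_RE.match(_address_part(a)) for v, a in cmds):
        found.append("garbage-rcpt")
    if "QUIT" not in verbs:
        found.append("no-quit")
    return found


def flag_sessions(log_text, threshold=3):
    """Sessions matching at least `threshold` indicators: {sid: [names]}."""
    return {sid: hits for sid, cmds in parse_sessions(log_text).items()
            if len(hits := indicators(cmds)) >= threshold}


def helo_counts(log_text, threshold=3):
    """Count HELO names across flagged sessions (Mike's 'same HELO' point)."""
    sessions = parse_sessions(log_text)
    return Counter(a for sid in flag_sessions(log_text, threshold)
                   for v, a in sessions[sid] if v in ("HELO", "EHLO"))


def extract_unbalanced(maillog_lines):
    """Pull (queue_id, garbage_recipient) from sendmail 'Unbalanced' lines."""
    hits = []
    for line in maillog_lines:
        m = UNBALANCED_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for sid, hits in flag_sessions(SAMPLE_SESSION_LOG).items():
        print(f"{sid}: {', '.join(hits)}")
    print("HELO names:", dict(helo_counts(SAMPLE_SESSION_LOG)))
    for qid, garbage in extract_unbalanced(SAMPLE_MAILLOG):
        print(f"{qid}: {garbage!r}")
```

    With the constructed data only `s1` is flagged (all four indicators), while
    the relay probe `s3` scores zero, which is the distinction Mike draws
    between this traffic and a "real" relay attempt. The threshold of three
    is a judgement call; a null sender on its own is legitimate for bounces,
    so no single indicator should trigger an alert by itself.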

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com