From: Valdis.Kletnieksvt.edu
Date: Sun May 26 2002 - 13:49:27 CDT

    On Sat, 25 May 2002 21:41:36 +0200, David GLAUDE Mailing <dglaudemailinggmx.net> said:

    > Typically when a human is typing protocol commands,
    > you might expect slow communication,

    which you also see when the other end of the connection is at the far
    end of a congested link...

    > use of backspace ^H ;-),

    Actually, you probably WON'T see this often, unless you have a stupid
    telnet client - many/most telnet clients will default to "line at a time" mode
    if connecting to a port other than 23, so it won't send a ^H unless his
    system doesn't recognize ^H as a local editing character...

    > minimal info (like no useless field in SMTP, ...).

    Actually, it would be *MORE* suspicious if you *DO* see a "useless" field.
    For instance, Sendmail (which I think I know something about ;) doesn't send
    every possible option. For instance, it doesn't pass the ENVID= option on
    the SMTP MAIL FROM unless a DSN has been requested by the sender....

    Actually, I take it back - I *DO* see ^H in SMTP transactions on a regular
    basis. Unfortunately, it's not indicative of intruders. It's indicative
    of broken Pacific-rim spamware (usually Korean, sometimes Chinese) that
    doesn't understand that RFC821/822 is ASCII-oriented, and that RFC2147 exists
    for a reason. ;)

    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    

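The caveats in the message above, as an added example that is not part of the original post: a triage pass over one client's SMTP command stream that records ^H, 8-bit bytes and slow gaps as leads, each carrying its benign explanation, rather than as intrusion verdicts. The function names, the 5-second gap threshold, the sample session, and the treatment of ^H together with 8-bit bytes as its own indicator are assumptions made for illustration.

```python
BACKSPACE = 0x08  # ^H as a raw byte on the wire

# Constructed sample: (seconds since connect, raw command line) for one client.
SAMPLE = [
    (0.0, b"HELO client.example\r\n"),
    (9.5, b"MAIL FRON\x08M:<a@example.org>\r\n"),
    (10.0, b"RCPT TO:<b@example.net>\r\n"),
    (10.1, b"MAIL FROM:<\xc0\xcc\x08@example.org>\r\n"),
]

def triage_smtp_commands(events, slow_gap=5.0):
    """Return (line_no, indicator, note) tuples; each is a lead, not a verdict."""
    findings = []
    prev_ts = None
    for n, (ts, raw) in enumerate(events, start=1):
        has_bs = BACKSPACE in raw
        has_8bit = any(b >= 0x80 for b in raw)
        if has_bs and has_8bit:
            # Assumption: ^H next to non-ASCII bytes points at software that
            # ignores the ASCII-only command channel, not at a person typing.
            findings.append((n, "backspace+8bit",
                             "non-ASCII-aware sender; likely automated"))
        elif has_bs:
            findings.append((n, "backspace",
                             "client not in line-at-a-time mode, or ^H is "
                             "not its local editing character"))
        elif has_8bit:
            findings.append((n, "8bit", "non-ASCII bytes in a command line"))
        if prev_ts is not None and ts - prev_ts >= slow_gap:
            findings.append((n, "slow",
                             "long gap; a congested link looks the same"))
        prev_ts = ts
    return findings

def indicators(events, slow_gap=5.0):
    """Just the (line_no, indicator) pairs, for counting or alert routing."""
    return [(n, kind) for n, kind, _ in triage_smtp_commands(events, slow_gap)]

if __name__ == "__main__":
    for line_no, kind, note in triage_smtp_commands(SAMPLE):
        print(f"line {line_no}: {kind}: {note}")
```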