Strange SMTP Garbage Flood

From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: 11/14/01


Date: Tue, 13 Nov 2001 16:52:28 -0900 (AKST)
From: Mike Tibor <tibor@lib.uaa.alaska.edu>
To: <incidents@securityfocus.com>
Subject: Strange SMTP Garbage Flood
Message-ID: <Pine.LNX.4.33.0111131527170.13797-100000@asimov.lib.uaa.alaska.edu>

I'm noticing an increasing amount of weird SMTP relay attempts through my
mail server. What makes these strange is that they actually don't appear
to be real relay attempts, but more like someone spitting garbage during
the RCPT TO: part of the SMTP session (i.e., there's no identifiable
objective that I can see, vs. a "real" relay attempt, which has the obvious
objective of discovering whether my mail server is an open relay).

I've received about a hundred Postfix notifications over the past three or
four days regarding this activity, and the vast majority appear to be from
a single dialup customer from a local ISP here in Anchorage. However, a
few others were from what appeared to be a different computer (it supplied
a different name in the HELO part of session), coming from a different
Anchorage ISP.

A number of things are consistent in these messages:

  1. HELO identifier is the same (with the exception noted above)
  2. RSET always immediately after HELO
  3. Envelope sender always blank ("MAIL FROM: <>")
  4. Garbage always in RCPT TO:
  5. Remote computer always drops the connection
      (it never sends QUIT to end the session)

I've obscured the hostname and IP address of the remote computer
(host.isp.com[xxx.xxx.xxx.xxx]).

Does this activity look familiar to anyone? I looked through my bugtraq
and incidents archives and didn't notice anything that might shed some
light.

If anyone has any insight as to what this might be, I would greatly
appreciate it.

Thanks,
Mike

-- 
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
Network Technician     Consortium Library         (907) 786-6050 fax
tibor@lib.uaa.alaska.edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key

---------- Forwarded message ----------
Date: Mon, 12 Nov 2001 20:51:43 -0900 (AKST)
From: Mail Delivery System <MAILER-DAEMON@asimov.lib.uaa.alaska.edu>
To: Postmaster <postmaster@lib.uaa.alaska.edu>
Subject: Postfix SMTP server: errors from host.isp.com[xxx.xxx.xxx.xxx]

Transcript of session follows.

Out: 220 asimov.lib.uaa.alaska.edu ESMTP Postfix
In: HELO tmusuquen
Out: 250 asimov.lib.uaa.alaska.edu
In: RSET
Out: 250 Ok
In: MAIL FROM: <>
Out: 250 Ok
In: RCPT TO: <???+?0@?Q.?)~???/?$;>
Out: 554 < + 0@ Q. )~ / $;>: Recipient address rejected: Relay access denied

Session aborted, reason: lost connection
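As an added example (not part of Mike's post or of Postfix), here is a small Python checker that parses a Postfix "errors from host" notification like the one above, whether the In:/Out: tokens sit on separate lines or are run together, and tests for the five traits listed in the post: RSET straight after HELO, a null envelope sender, a garbage RCPT TO argument, no QUIT, and a session ending in "lost connection". The sample notification is constructed; its RCPT TO argument carries raw control and non-ASCII bytes where the real notification prints "?".

```python
import re

# Constructed sample shaped like the Postfix notification quoted in the post: In:/Out:
# tokens run together on one line, a null sender, and a RCPT TO argument full of
# control and non-ASCII bytes (the real notification renders those bytes as "?").
SAMPLE = (
    "Transcript of session follows.\n\n"
    "Out: 220 mx.example.net ESMTP Postfix In: HELO tmusuquen Out: 250 mx.example.net "
    "In: RSET Out: 250 Ok In: MAIL FROM: <> Out: 250 Ok "
    "In: RCPT TO: <\xe9\x01+\x7f0@\x03Q.\x9e)~\x02/\x05$;> "
    "Out: 554 Recipient address rejected: Relay access denied\n\n"
    "Session aborted, reason: lost connection\n"
)

ABORT_RE = re.compile(r"^Session aborted, reason: (.+)$", re.M)
TOKEN_RE = re.compile(r"\s*\b(In|Out): ")

def parse_transcript(text):
    """Return ([(direction, line), ...], abort_reason) from a notification body."""
    abort = ABORT_RE.search(text)
    body = text[:abort.start()] if abort else text
    parts = TOKEN_RE.split(body)   # ['preamble', 'Out', '220 ...', 'In', 'HELO ...', ...]
    events = [(parts[i], parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]
    return events, (abort.group(1).strip() if abort else None)

def garbage_ratio(s):
    """Fraction of characters outside printable ASCII."""
    return sum(1 for c in s if not 0x20 <= ord(c) <= 0x7e) / len(s) if s else 0.0

def classify_session(text, threshold=0.25):
    """Check the five traits from the post; 'matches' is true only when all hold."""
    events, reason = parse_transcript(text)
    cmds = [line for d, line in events if d == "In"]
    verbs = [c.split(None, 1)[0].rstrip(":").upper() if c else "" for c in cmds]
    rcpt = [m.group(1) for c in cmds
            for m in [re.match(r"RCPT TO:\s*<(.*)>\s*$", c, re.I | re.S)] if m]
    traits = {
        "rset_after_helo": any(verbs[i] in ("HELO", "EHLO") and verbs[i + 1] == "RSET"
                               for i in range(len(verbs) - 1)),
        "null_sender": any(re.fullmatch(r"MAIL FROM:\s*<>", c, re.I) for c in cmds),
        "garbage_rcpt": any(garbage_ratio(a) >= threshold for a in rcpt),
        "no_quit": "QUIT" not in verbs,
        "lost_connection": reason == "lost connection",
    }
    traits["matches"] = all(traits.values())
    return traits

if __name__ == "__main__":
    for name, hit in classify_session(SAMPLE).items():
        print(f"{name:16} {hit}")
```

Feed it the body of each Postfix notification to tally how many sessions fit the full pattern versus ordinary relay probes, which will carry a real sender and recipient and usually end with QUIT.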

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
