IRC -> smtp worm?

From: Joao Gouveia (tharbad@kaotik.org)
Date: 12/18/02

    From: Joao Gouveia <tharbad@kaotik.org>
    To: incidents@securityfocus.com
    Date: 18 Dec 2002 02:37:08 +0000
    
    

    Hello list,

    Is anyone aware of some kind of IRC worm that uses SMTP servers to act
    as a spy client or something like that?
    While taking a look at an IDS log of a client, I saw several alerts that
    were triggered and classified as "IRC traffic" directed to a SMTP server
    on port 25. Nothing odd about that at first glance, as it could be
    just a simple copy/paste of an IRC log sent via mail. But in this
    particular situation (that is causing hundreds of alerts/day), the
    format of the mail is everything but "normal".
    Here is a sample (IRC user data changed):
    <quote>
    HELO x4i8x4
    RSET
    MAIL FROM: <>
    RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
    </quote>

    Obviously the server is responding with a "501 5.5.4 Invalid Address".
    Not that I consider this a serious issue (from the server side of
    course), but I'm curious about what's causing this behaviour.

    Sorry if this is a well-known issue, but I've done a somewhat limited
    search and came up with nothing that applies.

    Regards,

    Joao Gouveia

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
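
One way to flag the pattern in the quoted sample from captured SMTP client commands, as an added example that is not part of the original post. The function names, the IRC verb list and the two extra benign `RCPT TO` lines in the sample are assumptions constructed for illustration.

```python
import re

# IRC command verbs (RFC 1459); assumed list, extend as needed.
IRC_VERBS = {"PRIVMSG", "NOTICE", "JOIN", "PART", "NICK", "USER", "MODE", "QUIT"}

# SMTP envelope commands with their angle-bracket argument.
ENVELOPE_RE = re.compile(r"^\s*(MAIL\s+FROM|RCPT\s+TO)\s*:\s*<(.*)>\s*$", re.I)
# IRC message prefix in the form seen in the post: nick!user@host
IRC_PREFIX_RE = re.compile(r"^[^\s!@]+![^\s@]*@\S+$")


def classify_envelope(line):
    """Return a finding dict if an envelope address carries an IRC message, else None."""
    m = ENVELOPE_RE.match(line)
    if not m:
        return None                       # HELO, RSET, DATA, ... are not inspected
    tokens = m.group(2).split()
    if len(tokens) < 2:
        return None                       # null sender <> or an ordinary single-token address
    has_prefix = bool(IRC_PREFIX_RE.match(tokens[0]))
    # With a prefix the IRC command is the second token, otherwise the first.
    pos = 1 if has_prefix else 0
    verb = tokens[pos].upper()
    if verb not in IRC_VERBS:
        return None
    return {
        "command": " ".join(m.group(1).upper().split()),
        "prefix": tokens[0] if has_prefix else None,
        "verb": verb,
        "params": tokens[pos + 1:],
    }


def scan_session(lines):
    """Scan client-side SMTP lines; return findings tagged with 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, 1):
        finding = classify_envelope(line)
        if finding:
            hits.append(dict(finding, line=number))
    return hits


# Constructed sample: the session from the post plus two benign recipients,
# one of them a bang-path address that must not be mistaken for IRC.
SAMPLE = ["HELO x4i8x4", "RSET", "MAIL FROM: <>",
          "RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>",
          "RCPT TO: <alice@example.org>", "RCPT TO: <relay!bob@example.org>"]

if __name__ == "__main__":
    for hit in scan_session(SAMPLE):
        print(hit)
```

Requiring both whitespace inside the brackets and an IRC verb in command position keeps bang-path and ordinary addresses from alerting.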


