Re: IRC -> smtp worm?

From: Þórhallur Hálfdánarson (tolli@tol.li)
Date: 12/18/02

    Date: Wed, 18 Dec 2002 16:45:51 +0000
    From: Þórhallur Hálfdánarson <tolli@tol.li>
    To: Joao Gouveia <tharbad@kaotik.org>
    
    

    -*- Joao Gouveia <tharbad@kaotik.org> [ 2002-12-18 15:51 ]:
    > Hello list,
    >
    > Is anyone aware of some kind of IRC worm that uses SMTP servers to act
    > as a spy client or something like that?
    > While taking a look at an IDS log of a client, I saw several alerts that
    > were triggered and classified as "IRC traffic" directed to a SMTP server
    > on port 25. Nothing odd about that at first glance, as it could be
    > just a simple copy/paste of an IRC log sent via mail. But in this
    > particular situation ( that is causing hundreds of alerts/day ), the
    > format of the mail is everything but "normal".
    > Here is a sample (IRC user data changed):
    > <quote>
    > HELO x4i8x4
    > RSET
    > MAIL FROM: <>
    > RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
    > </quote>
    >
    > Obviously the server is responding with a "501 5.5.4 Invalid Address".
    > Not that I consider this a serious issue ( from the server side of
    > course ), but I'm curious about what's causing this behaviour.
    >
    > Sorry if this is a well known issue, but I've done a somewhat limited
    > search and came up with nothing that applies.

    IIRC, this was very common when Hybris was at its best. It captures snippets from IRC traffic on a client computer, interprets it as an email address and tries to send mail to that "address".

    -- 
    Regards,
    Tolli
    tolli@tol.li
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
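
A detection sketch for the pattern discussed in this thread, added here as an example and not part of the original messages: it flags SMTP envelope addresses that carry IRC message fragments (a nick!user@host prefix, an IRC command verb, a channel name). The function names and the verb list are assumptions; the sample session is the one quoted above plus one constructed benign recipient.

```python
import re

# Assumed list of IRC command verbs that should never appear in an SMTP envelope.
IRC_VERBS = ("PRIVMSG", "NOTICE", "JOIN", "PART", "QUIT", "NICK", "MODE")
# IRC message prefix has the form nick!user@host; a mail address has no "!" before "@".
IRC_PREFIX = re.compile(r"^[^\s!@<>]+![^\s!@<>]+@[^\s!@<>]+")
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>\s*$", re.IGNORECASE)


def irc_residue(smtp_line):
    """Return the reasons an envelope address looks like captured IRC traffic."""
    m = ENVELOPE.match(smtp_line.strip())
    if not m:
        return []  # not an envelope command (HELO, RSET, DATA, ...)
    addr = m.group(2)
    reasons = []
    if IRC_PREFIX.match(addr):
        reasons.append("irc-prefix")
    tokens = addr.split()  # a real address contains no spaces, so tokens[1:] is empty
    if any(t.upper() in IRC_VERBS for t in tokens[1:]):
        reasons.append("irc-verb")
    if any(t.startswith("#") for t in tokens[1:]):
        reasons.append("irc-channel")
    return reasons


def scan_session(lines):
    """Scan one SMTP client session; return (helo_name, [(line, reasons), ...])."""
    helo, hits = None, []
    for line in lines:
        if line.upper().startswith(("HELO ", "EHLO ")):
            helo = line.split(None, 1)[1].strip()
        reasons = irc_residue(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return helo, hits


# Session quoted in the post above, plus one constructed benign recipient.
SAMPLE = [
    "HELO x4i8x4",
    "RSET",
    "MAIL FROM: <>",
    "RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>",
    "RCPT TO: <user@example.org>",  # constructed
]

if __name__ == "__main__":
    helo, hits = scan_session(SAMPLE)
    for line, reasons in hits:
        print(f"helo={helo} suspicious envelope: {line!r} -> {', '.join(reasons)}")
```

Grouping hits by source host rather than by alert gives the list of client machines to check for infection, since the SMTP server itself only rejects the address.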
    