Odd mail traffic

From: Jack Bristow (morriswurm_at_yahoo.com)
Date: 09/08/04

Date: 8 Sep 2004 19:51:00 -0000
To: incidents@securityfocus.com

I recently detected some odd traffic destined for one of our mail gateways.
Sadly, my IDS only captured part of the traffic, so I couldn't investigate as thoroughly as I would have liked. What caught my eye was the clear indication of a bounce or relay attack attempt through the mail gateway.
The following is a sample of what was found in the reply-to field of the "mail".

"xx.xx.xx.xx:yy|15|yes|ok|yes|Germany|no|?|no"<xx.xx.xx.xx:yy|15|yes|ok|yes|Germany|no|?|no>

where xx.xx.xx.xx is a certain IP address and yy is a port number.
After some research, these IPs had an open proxy listening on the corresponding port number. To me this appeared to be an attempt to bounce some data off our mail gateway at selected IPs, but I have no idea what good that data does when sent to an open proxy. Also, for the various IPs I saw in the reply-to fields, the syntax of the data following the IP:Port was always the same, even though the values themselves were different.
For example, I also saw...

"xx.xx.xx.xx:yy|250|?|not ok|?|?|?|no|no"<xx.xx.xx.xx:yy|250|?|not ok|?|?|?|no|no>

Any ideas what is going on here?
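As an added example (not part of the original post or of any tool it mentions), a small Python check that flags a Reply-To value of the shape described above in mail-gateway logs, extracting the embedded IP:port and the pipe-separated fields that follow it. The sample headers are constructed, using 192.0.2.0/24 documentation addresses in place of the masked xx.xx.xx.xx values.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Shape seen in the post: a quoted display name followed by an angle-bracketed
# addr-spec, where both halves carry the same "ip:port|f1|f2|..." record.
_ADDR_RE = re.compile(r'^\s*(?:"(?P<name>[^"]*)"\s*)?<(?P<spec>[^>]*)>\s*$')
_HOSTPORT_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$')

# Constructed sample Reply-To values: two smuggled records, two normal mailboxes.
SAMPLE_HEADERS = [
    '"192.0.2.10:8080|15|yes|ok|yes|Germany|no|?|no"<192.0.2.10:8080|15|yes|ok|yes|Germany|no|?|no>',
    '"192.0.2.20:3128|250|?|not ok|?|?|?|no|no"<192.0.2.20:3128|250|?|not ok|?|?|?|no|no>',
    '"Alice Example" <alice@example.com>',
    '<bob@example.com>',
]

@dataclass
class ReplyToFinding:
    ip: str
    port: int
    fields: list[str] = field(default_factory=list)
    name_matches_spec: bool = False

def inspect_reply_to(value: str) -> Optional[ReplyToFinding]:
    """Return a finding if the value looks like an 'ip:port|...' record
    rather than a real mailbox; otherwise None."""
    m = _ADDR_RE.match(value)
    if not m:
        return None
    spec = m.group("spec")
    # A genuine addr-spec contains '@'; the records in the post have none
    # and instead carry pipe-separated fields after an IP:port.
    if "@" in spec or "|" not in spec:
        return None
    head, *rest = spec.split("|")
    hp = _HOSTPORT_RE.match(head)
    if not hp:
        return None
    try:
        ip = str(ipaddress.IPv4Address(hp.group("ip")))
    except ipaddress.AddressValueError:
        return None
    port = int(hp.group("port"))
    if not 1 <= port <= 65535:
        return None
    return ReplyToFinding(ip=ip, port=port, fields=rest,
                          name_matches_spec=(m.group("name") == spec))

def scan_headers(headers: list[str]) -> list[ReplyToFinding]:
    """Run inspect_reply_to over a batch of Reply-To values, keeping hits."""
    return [f for f in map(inspect_reply_to, headers) if f is not None]
```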

