Odd mail traffic

• Previous message: Kirby Angell: "Re: Systems compromised with ShellBOT perl script - part 2"
• Next in thread: David Gillett: "Wireless router behaviour"
• Reply: David Gillett: "Wireless router behaviour"
• Reply: Andrew Smith: "Re: Odd mail traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 8 Sep 2004 19:51:00 -0000
To: incidents@securityfocus.com

I recently detected some odd traffic destined for one of our mail gateways.
Sadly, my IDS only captured part of the traffic, so I couldnt investigate as thoroughly as I would have liked. What caught my eye was the clear indication of a bounce or relay attack attempt through the mail gateway.
The following is a sample of what was found in the reply-to field of the "mail".

"xx.xx.xx.xx:yy|15|yes|ok|yes|Germany|no|?|no"<xx.xx.xx.xx:yy|15|yes|ok|yes|Germany|no|?|no>

where xx.xx.xx.xx is a certain IP address and yy is a port number.
After some research, these IP's had an open proxy listening on the corresponding port number. To me this appeared to be an attempt to bounce some data off our mail gateway at selected IP's but I have no idea what good that data does when sent to an open proxy. Also, for the various IP's I saw in the reply-to fields, the syntax of the data following the IP:Port was always the same, even though the values themselves were different.
For example I also saw...

"xx.xx.xx.xx:yy|250|?|not ok|?|?|?|no|no"<xx.xx.xx.xx:yy|250|?|not ok|?|?|?|no|no>

Any ideas what is going on here?

• Previous message: Kirby Angell: "Re: Systems compromised with ShellBOT perl script - part 2"
• Next in thread: David Gillett: "Wireless router behaviour"
• Reply: David Gillett: "Wireless router behaviour"
• Reply: Andrew Smith: "Re: Odd mail traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]