Re: Strange SMTP sessions with 'helo=<large negative number>' syntax



On 28/12/05, max <max@xxxxxxxxxxxxxx> wrote:
> to=<dylanfans-unsubscribe@xxxxxxxxxxxxxxx> proto=SMTP helo=<-1217882552>
> Notice that helo section is a negative number (which is why my postfix rejects the message)

Spammers sometimes hide IP addresses (in URLs) by using a 32-bit
integer. They also often use buggy tools. <grin>
Maybe they tried to use this trick in the HELO command?

-1217882552+2^32 = 3077084744 = 183.104.150.72
-1218008120+2^32 = 3076959176 = 183.102.171.200
Both addresses seem to be unassigned; my hypothesis looks wrong :-(

> Has anyone noticed this as well?

I don't have this in my logs.
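
The arithmetic in the reply above, generalized as an added example (not part of the original message): it extracts the `helo=<...>` field from Postfix log lines and reinterprets an integer HELO as an unsigned 32-bit IPv4 address. It goes one step beyond the post by also reporting the byte-swapped reading, on the assumption that a tool might print a network-order address as a host integer; the log lines are constructed, and only the two HELO values come from the thread.

```python
import ipaddress
import re

# Matches the helo=<...> field that Postfix appends to smtpd reject log lines.
HELO_RE = re.compile(r"helo=<([^>]*)>")

def decode_numeric_helo(helo):
    """Return (network_order_ip, byte_swapped_ip) for an integer HELO, else None."""
    if not re.fullmatch(r"[+-]?\d+", helo):
        return None  # hostname or address literal: nothing to decode
    value = int(helo)
    if not -2**31 <= value < 2**32:
        return None  # does not fit in 32 bits, so it cannot be an IPv4 address
    # Two's-complement signed value -> unsigned 32-bit, same as adding 2^32.
    raw = (value % 2**32).to_bytes(4, "big")
    return (str(ipaddress.IPv4Address(raw)),
            str(ipaddress.IPv4Address(raw[::-1])))

def scan(lines):
    """Yield (helo, network_order_ip, byte_swapped_ip) for each numeric HELO."""
    for line in lines:
        match = HELO_RE.search(line)
        if match:
            decoded = decode_numeric_helo(match.group(1))
            if decoded:
                yield (match.group(1),) + decoded

# Constructed sample log lines (client addresses and domains are placeholders).
SAMPLE_LOG = [
    "Dec 28 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 504 <-1217882552>: Helo command rejected; "
    "from=<a@example.org> to=<list@example.org> proto=SMTP helo=<-1217882552>",
    "Dec 28 10:05:40 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.11]: 504 <-1218008120>: Helo command rejected; "
    "from=<b@example.org> to=<list@example.org> proto=SMTP helo=<-1218008120>",
    "Dec 28 10:07:13 mx postfix/smtpd[1241]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.12]: 450 Client host rejected; "
    "from=<c@example.org> to=<list@example.org> proto=SMTP helo=<mail.example.org>",
]

if __name__ == "__main__":
    for helo, net_ip, swapped_ip in scan(SAMPLE_LOG):
        print(f"helo={helo}  network-order={net_ip}  byte-swapped={swapped_ip}")
```
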


