Security Incidents mailing list archives
Strange SMTP Garbage Flood
From: Mike Tibor <tibor () lib uaa alaska edu>
Date: Tue, 13 Nov 2001 16:52:28 -0900 (AKST)
I'm noticing an increasing amount of weird SMTP relay attempts through my mail server. What makes these strange is that they actually don't appear to be real relay attempts, but more like someone spitting garbage during the RCPT TO: part of the SMTP session (i.e., there's no identifiable objective that I can see, vs. a "real" relay attempt which has the obvious objective of discovering whether my mail server is an open relay).

I've received about a hundred Postfix notifications over the past three or four days regarding this activity, and the vast majority appear to be from a single dialup customer from a local ISP here in Anchorage. However, a few others were from what appeared to be a different computer (it supplied a different name in the HELO part of the session), coming from a different Anchorage ISP.

A number of things are consistent in these messages:

1. HELO identifier is the same (with the exception noted above)
2. RSET always immediately after HELO
3. Envelope sender always blank ("MAIL FROM: <>")
4. Garbage always in RCPT TO:
5. Remote computer always drops the connection (it never sends QUIT to end the session)

I've obscured the hostname and IP address of the remote computer (host.isp.com[xxx.xxx.xxx.xxx]).

Does this activity look familiar to anyone? I looked through my bugtraq and incidents archives and didn't notice anything that might shed some light. If anyone has any insight as to what this might be, I would greatly appreciate it.

Thanks,
Mike

--
Mike Tibor                    Univ. of Alaska Anchorage    (907) 786-1001 voice
Network Technician            Consortium Library           (907) 786-6050 fax
tibor () lib uaa alaska edu    http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key

---------- Forwarded message ----------
Date: Mon, 12 Nov 2001 20:51:43 -0900 (AKST)
From: Mail Delivery System <MAILER-DAEMON () asimov lib uaa alaska edu>
To: Postmaster <postmaster () lib uaa alaska edu>
Subject: Postfix SMTP server: errors from host.isp.com[xxx.xxx.xxx.xxx]

Transcript of session follows.

 Out: 220 asimov.lib.uaa.alaska.edu ESMTP Postfix
 In:  HELO tmusuquen
 Out: 250 asimov.lib.uaa.alaska.edu
 In:  RSET
 Out: 250 Ok
 In:  MAIL FROM: <>
 Out: 250 Ok
 In:  RCPT TO: <???+?0@?Q.?)~???/?$;>
 Out: 554 < + 0@ Q. )~ / $;>: Recipient address rejected: Relay access denied

Session aborted, reason: lost connection

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
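The five consistent traits listed in the post translate directly into a detection rule over the Postfix "errors from host" notifications that postmaster receives. The following Python script is an added example, not code from the original post or from Postfix: it parses the In:/Out: transcript format shown in the forwarded message, checks each session for the four behavioural traits (RSET immediately after HELO, empty envelope sender, RCPT TO argument that is not shaped like an address, connection dropped without QUIT), and groups matching sessions by HELO name so that a second client host reusing the same name, as the post describes, stands out. The first sample transcript mirrors the one forwarded above (host and address obscured there as well); the second transcript, its host name, IP and addresses are constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: Postfix "errors from host" notifications as mailed
# to postmaster. The first mirrors the transcript in the post; the second is a
# constructed ordinary relay probe that ends cleanly with QUIT, for contrast.
SAMPLE_TRANSCRIPTS = [
    """Subject: Postfix SMTP server: errors from host.isp.com[xxx.xxx.xxx.xxx]
Transcript of session follows.
 Out: 220 asimov.lib.uaa.alaska.edu ESMTP Postfix
 In:  HELO tmusuquen
 Out: 250 asimov.lib.uaa.alaska.edu
 In:  RSET
 Out: 250 Ok
 In:  MAIL FROM: <>
 Out: 250 Ok
 In:  RCPT TO: <???+?0@?Q.?)~???/?$;>
 Out: 554 < + 0@ Q. )~ / $;>: Recipient address rejected: Relay access denied
Session aborted, reason: lost connection
""",
    """Subject: Postfix SMTP server: errors from probe.example[192.0.2.10]
Transcript of session follows.
 Out: 220 asimov.lib.uaa.alaska.edu ESMTP Postfix
 In:  HELO probe.example
 Out: 250 asimov.lib.uaa.alaska.edu
 In:  MAIL FROM: <test@example.com>
 Out: 250 Ok
 In:  RCPT TO: <victim@example.net>
 Out: 554 <victim@example.net>: Recipient address rejected: Relay access denied
 In:  QUIT
 Out: 221 Bye
""",
]

HOST_RE = re.compile(r"errors from (\S+?)\[([^\]]+)\]")
LINE_RE = re.compile(r"^\s*(In|Out):\s*(.*?)\s*$")
# Loose local-part@domain shape using only characters that belong in an address.
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


@dataclass
class Session:
    client_host: str = ""
    client_ip: str = ""
    commands: List[str] = field(default_factory=list)  # client "In:" lines, in order
    lost_connection: bool = False

    @property
    def verbs(self) -> List[str]:
        return [c.split(None, 1)[0].upper().rstrip(":") for c in self.commands if c.strip()]

    @property
    def helo(self) -> Optional[str]:
        for c in self.commands:
            parts = c.split(None, 1)
            if parts and parts[0].upper() in ("HELO", "EHLO"):
                return parts[1].strip() if len(parts) > 1 else ""
        return None


def parse_transcript(text: str) -> Session:
    """Pull the client host and the client's commands out of one notification."""
    session = Session()
    m = HOST_RE.search(text)
    if m:
        session.client_host, session.client_ip = m.group(1), m.group(2)
    for line in text.splitlines():
        lm = LINE_RE.match(line)
        if lm and lm.group(1) == "In":
            session.commands.append(lm.group(2))
        elif "lost connection" in line:
            session.lost_connection = True
    return session


def rcpt_argument(command: str) -> Optional[str]:
    m = re.match(r"RCPT TO:\s*<(.*)>\s*$", command, re.IGNORECASE)
    return m.group(1) if m else None


def looks_like_garbage(addr: str) -> bool:
    """True when the RCPT TO argument has non-printable bytes or is not address-shaped."""
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in addr):
        return True
    return ADDRESS_RE.match(addr) is None


def classify(session: Session) -> Dict[str, bool]:
    """Evaluate the four behavioural traits from the post; all four => pattern match."""
    verbs = session.verbs
    rcpts = [a for a in map(rcpt_argument, session.commands) if a is not None]
    indicators = {
        "rset_after_helo": len(verbs) >= 2 and verbs[0] in ("HELO", "EHLO") and verbs[1] == "RSET",
        "empty_sender": any(re.match(r"MAIL FROM:\s*<\s*>\s*$", c, re.IGNORECASE) for c in session.commands),
        "garbage_rcpt": bool(rcpts) and all(looks_like_garbage(a) for a in rcpts),
        "no_quit": "QUIT" not in verbs and session.lost_connection,
    }
    indicators["matches_pattern"] = all(indicators.values())
    return indicators


def summarize(transcripts: List[str]) -> Dict[str, dict]:
    """Group matching sessions by HELO name and list the distinct client hosts using it."""
    by_helo: Dict[str, dict] = {}
    for text in transcripts:
        s = parse_transcript(text)
        if not classify(s)["matches_pattern"]:
            continue
        entry = by_helo.setdefault(s.helo or "", {"sessions": 0, "hosts": set()})
        entry["sessions"] += 1
        entry["hosts"].add(s.client_host)
    return by_helo


if __name__ == "__main__":
    for text in SAMPLE_TRANSCRIPTS:
        s = parse_transcript(text)
        print(s.client_host, s.helo, classify(s))
    print(summarize(SAMPLE_TRANSCRIPTS))
```

Feeding a mailbox of these notifications through summarize() gives, per HELO name, how many sessions matched and from how many distinct hosts; a name that shows up from more than one host is the signal worth a closer look, while a single failed relay probe that ends with QUIT scores zero on every trait and is left alone.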