Re: IRC -> smtp worm?

[Þórhallur Hálfdánarson <tolli () tol li>]

-*- Joao Gouveia <tharbad () kaotik org> [ 2002-12-18 15:51 ]:
> Hello list,
>
> Is anyone aware of some kind of IRC worm that uses SMTP servers to act
> as a spy client or something like that?
> While taking a look on a IDS log of a client, I saw several alerts that
> were triggered and classified as "IRC traffic" directed to a SMTP server
> on port 25. Nothing odd about that at a first glance, as it could be
> just a simple copy/paste of a IRC log sent via mail. But on this
> particular situation ( that is causing hundreds of alerts/day ), the
> format of the mail is everything but "normal".
> Here is a sample (IRC user data changed):
> <quote>
> HELO x4i8x4
> RSET
> MAIL FROM: <>
> RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
> </quote>
>
> Obviously the server is responding with a "501 5.5.4 Invalid Address".
> Not that i consider this a serious issue ( from the server side of
> course ), but I'm curious on what's causing this behaviour.
>
> Sorry if this is a well known issue, but i've done a some what limited
> search and came up with nothing that applies.

IIRC, this was very common when Hybris was at it's best.  It catpures snippets from IRC traffic on a client computer, 
interprets it as an email address and tries to send mail to that "address".



-- 
Regards,
Tolli
tolli () tol li

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com