Security Incidents mailing list archives

RE: IRC -> smtp worm?


From: "Scott Phelps" <scottp () dreamwright com>
Date: Thu, 9 Jan 2003 14:43:49 -0500


Several email viruses try to locate email addresses within text files on
the victim's computer. The viruses are usually not too bright when it comes
to determining what is a valid email address. The @ sign followed by
something with a dot in it was probably enough for this particular virus to
identify that string as an email address and to attempt to send a copy of
itself there.

Scott Phelps
Dreamwright Studios


-----Original Message-----
From: Joao Gouveia [mailto:tharbad () kaotik org]
Sent: Tuesday, December 17, 2002 9:37 PM
To: incidents () securityfocus com
Subject: IRC -> smtp worm?


Hello list,

Is anyone aware of some kind of IRC worm that uses SMTP servers to act
as a spy client or something like that?
While taking a look at an IDS log of a client, I saw several alerts that
were triggered and classified as "IRC traffic" directed to an SMTP server
on port 25. Nothing odd about that at first glance, as it could be
just a simple copy/paste of an IRC log sent via mail. But in this
particular situation (that is causing hundreds of alerts/day), the
format of the mail is everything but "normal".
Here is a sample (IRC user data changed):
<quote>
HELO x4i8x4
RSET
MAIL FROM: <>
RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
</quote>

Obviously the server is responding with a "501 5.5.4 Invalid Address".
Not that I consider this a serious issue (from the server side, of
course), but I'm curious about what's causing this behaviour.

Sorry if this is a well-known issue, but I've done a somewhat limited
search and came up with nothing that applies.

Regards,

Joao Gouveia
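As an added example that is not part of the original thread, the Python below makes both messages concrete from the defender's side: Scott's description of the loose harvesting rule (an @ followed by something with a dot) is reconstructed as a constructed approximation and run over a text file containing an IRC log line, and a strict mailbox check plus a small detector is run over an SMTP session of the shape Joao quoted, so an analyst can separate these sessions from ordinary mail in a transcript. The sample text, the session lines, the regular expressions and every function name here are assumptions made for this example.

```python
import re

# Constructed sample text file, as might sit on an infected host: one real
# contact address and one IRC log line of the shape seen in the RCPT TO above.
SAMPLE_TEXT = (
    "contact: alice@example.org\n"
    "[21:37] mask!__@69.69.69.69 PRIVMSG #channel :LOL\n"
)

# Constructed SMTP client transcript: the worm-style session from the post,
# followed by one ordinary delivery for contrast.
SAMPLE_SESSION = [
    "HELO x4i8x4",
    "RSET",
    "MAIL FROM: <>",
    "RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>",
    "RSET",
    "MAIL FROM: <bob@example.net>",
    "RCPT TO: <alice@example.org>",
]

# Loose harvesting rule, reconstructed (assumption) from Scott's description:
# any token with an '@' followed by something containing a dot counts, and
# because the harvester has no idea where an address ends it keeps the rest
# of the line. That is exactly how an IRC "nick!user@host PRIVMSG ..." line
# turns into the RCPT TO argument seen in the IDS alerts.
NAIVE_HIT = re.compile(r"\S+@\S*\.\S*")


def naive_harvest(text):
    """Return the strings a loose harvester would treat as addresses."""
    found = []
    for line in text.splitlines():
        m = NAIVE_HIT.search(line)
        if m:
            found.append(line[m.start():].strip())
    return found


# Simplified RFC 5321 mailbox syntax: a dot-atom local part, then either a
# dotted hostname or a bracketed IPv4 address literal. No whitespace anywhere,
# which is the property the worm's recipient string violates.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL = ATEXT + r"(?:\." + ATEXT + r")*"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = LABEL + r"(?:\." + LABEL + r")+"
IPV4_LITERAL = r"\[(?:\d{1,3}\.){3}\d{1,3}\]"
MAILBOX = re.compile(r"^" + LOCAL + r"@(?:" + DOMAIN + r"|" + IPV4_LITERAL + r")$")


def is_valid_mailbox(addr):
    """True if addr is a syntactically plausible SMTP mailbox (length-capped)."""
    return len(addr) <= 254 and MAILBOX.match(addr) is not None


# IRC command keywords that have no business inside an envelope recipient.
IRC_MARKER = re.compile(r"\b(?:PRIVMSG|NOTICE|JOIN|NICK)\b")
RCPT = re.compile(r"^RCPT TO:\s*<(.*)>\s*$", re.IGNORECASE)


def flag_rcpt_lines(session_lines):
    """Return (line, reason) pairs for RCPT TO arguments worth an analyst's look.

    IRC protocol fragments are reported first; anything else that fails the
    mailbox syntax is reported as malformed. Well-formed recipients pass.
    """
    findings = []
    for line in session_lines:
        m = RCPT.match(line)
        if not m:
            continue
        arg = m.group(1)
        if IRC_MARKER.search(arg):
            findings.append((line, "irc-protocol-fragment"))
        elif not is_valid_mailbox(arg):
            findings.append((line, "malformed-mailbox"))
    return findings


if __name__ == "__main__":
    for hit in naive_harvest(SAMPLE_TEXT):
        print("harvester would take:", repr(hit), "valid:", is_valid_mailbox(hit))
    for line, reason in flag_rcpt_lines(SAMPLE_SESSION):
        print(reason, "->", line)
```

The harvester output shows why the server answers 501: the second "address" carries the rest of the IRC line after the host, so it fails the mailbox syntax on the first space. Flagging on the IRC keyword before the syntax check keeps the reason specific, so a log reviewer can tell these sessions apart from mail that merely fails for a typo in the recipient.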


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


