Security Incidents mailing list archives
RE: Strange SMTP sessions with 'helo=<large negative number>' syntax
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 29 Dec 2005 14:39:00 -0800
Little-endian versus big-endian? There's no end to the possible bugs....

Dave

-----Original Message-----
From: Michel Arboi [mailto:michel.arboi () gmail com]
Sent: Thursday, December 29, 2005 1:01 AM
To: max
Cc: incidents () securityfocus com
Subject: Re: Strange SMTP sessions with 'helo=<large negative number>' syntax

On 28/12/05, max <max () neuropunks org> wrote:

> to=<dylanfans-unsubscribe () dylanirvana com> proto=SMTP helo=<-1217882552>
> Notice that helo section is a negative number (which is why my postfix rejects the message)

Spammers sometimes hide IP addresses (in URL) by using a 32-bit integer. And also that they often use buggy tools.<grin>
Maybe they tried to use this trick in the HELO command?

-1217882552+2^32 = 3077084744 = 183.104.150.72
-1218008120+2^32 = 3076959176 = 183.102.171.200

Both addresses seem to be unassigned, my hypothesis looks wrong :-(

> Has anyone noticed this as well?

I don't have this in my logs.
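The decoding discussed in this message, as an added example that is not part of the original thread: it pulls integer HELO values out of log lines, undoes the signed 32-bit wrap-around, and reports the dotted-quad address in both byte orders. The log lines are constructed (only the two HELO values come from the thread; the client address and surrounding fields are placeholders), and the function names are hypothetical.

```python
import ipaddress
import re

# Matches a helo=<...> log field whose content is a bare (possibly negative) integer.
HELO_INT = re.compile(r"helo=<(-?\d+)>")


def decode_helo_int(value: int) -> dict:
    """Interpret an integer HELO argument as a 32-bit IPv4 address."""
    if not -2**31 <= value < 2**32:
        raise ValueError("value does not fit in 32 bits")
    unsigned = value % 2**32              # undo signed wrap-around (adds 2^32 if negative)
    raw = unsigned.to_bytes(4, "big")
    return {
        "unsigned": unsigned,
        "big_endian": str(ipaddress.IPv4Address(raw)),
        "little_endian": str(ipaddress.IPv4Address(raw[::-1])),
    }


def scan(lines):
    """Return (helo_value, decoded) for every line carrying an integer HELO."""
    hits = []
    for line in lines:
        match = HELO_INT.search(line)
        if not match:
            continue                      # ordinary hostname HELO, not of interest here
        value = int(match.group(1))
        try:
            hits.append((value, decode_helo_int(value)))
        except ValueError:
            continue                      # integer too large to be an IPv4 address
    return hits


# Constructed sample lines; 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "reject: RCPT from unknown[192.0.2.10]: to=<user@example.org> proto=SMTP helo=<-1217882552>",
    "reject: RCPT from unknown[192.0.2.10]: to=<user@example.org> proto=SMTP helo=<-1218008120>",
    "reject: RCPT from unknown[192.0.2.10]: to=<user@example.org> proto=SMTP helo=<mail.example.org>",
]

if __name__ == "__main__":
    for value, decoded in scan(SAMPLE_LOG):
        print(value, decoded)
```
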