Security Incidents mailing list archives

RE: Strange SMTP sessions with 'helo=<large negative number>' syntax


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 29 Dec 2005 14:39:00 -0800

  Little-endian versus big-endian?  There's no end to the
possible bugs....

Dave
 

-----Original Message-----
From: Michel Arboi [mailto:michel.arboi () gmail com] 
Sent: Thursday, December 29, 2005 1:01 AM
To: max
Cc: incidents () securityfocus com
Subject: Re: Strange SMTP sessions with 'helo=<large negative number>' syntax

On 28/12/05, max <max () neuropunks org> wrote:
> to=<dylanfans-unsubscribe () dylanirvana com> proto=SMTP
> helo=<-1217882552> Notice that helo section is a negative number
> (which is why my postfix rejects the message)

Spammers sometimes hide IP addresses (in URLs) by using a 32-bit
integer. And also that they often use buggy tools.<grin>
Maybe they tried to use this trick in the HELO command?

-1217882552+2^32 = 3077084744 = 183.104.150.72
-1218008120+2^32 = 3076959176 = 183.102.171.200
Both addresses seem to be unassigned, my hypothesis looks wrong :-(

> Has anyone noticed this as well?

I don't have this in my logs.
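
The hand conversion in the message above, extended to also try the reversed byte order raised in the reply, as an added example that is not part of the original thread. The function names are hypothetical and the sample log lines are constructed from the two HELO values quoted in the thread.

```python
import ipaddress
import re

# Matches the helo=<...> field as it appears in the quoted log excerpt.
HELO_RE = re.compile(r"helo=<([^>]*)>")


def decode_helo(value):
    """Decode an integer HELO string as a 32-bit IPv4 address.

    Returns (unsigned, big_endian_ip, little_endian_ip), or None when the
    HELO is not a bare integer that fits in 32 bits (signed or unsigned).
    """
    if not re.fullmatch(r"-?\d+", value):
        return None
    n = int(value)
    if not -2**31 <= n < 2**32:
        return None
    unsigned = n % 2**32                  # same as adding 2^32 to a negative value
    raw = unsigned.to_bytes(4, "big")     # network byte order
    big = ipaddress.IPv4Address(raw)
    little = ipaddress.IPv4Address(raw[::-1])  # bytes swapped by a buggy tool
    return unsigned, str(big), str(little)


def scan(lines):
    """Return one (helo, unsigned, big_ip, little_ip) tuple per integer HELO."""
    results = []
    for line in lines:
        match = HELO_RE.search(line)
        if match is None:
            continue
        decoded = decode_helo(match.group(1))
        if decoded is not None:
            results.append((match.group(1),) + decoded)
    return results


# Constructed sample lines; only the two negative HELO values come from the thread.
SAMPLE = [
    "proto=SMTP helo=<-1217882552>",
    "proto=SMTP helo=<-1218008120>",
    "proto=SMTP helo=<mail.example.org>",
]

if __name__ == "__main__":
    for helo, unsigned, big, little in scan(SAMPLE):
        print(f"{helo} -> {unsigned} big-endian {big} little-endian {little}")
```

Both candidate addresses per HELO can then be checked against allocation data for the period the logs cover.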


