Security Incidents mailing list archives

Re: Strange SMTP sessions with 'helo=<large negative number>' syntax


From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Mon, 2 Jan 2006 14:05:52 -0500


Hello

Some more info on IP address conversion:
http://www.pc-help.org/obscure.htm
http://gregsearle.tripod.com/spam_tech.html

Web tool to do the conversion:
http://www.csgnetwork.com/ipaddconv.html

As for the reason for the negative number, I don't
have a clue; maybe a bug in their spam application?

Happy new year to SF members !

Maxime Ducharme



----- Original Message ----- 
From: "Paolo Scarabelli" <paolo () msw it>
To: "Mike Davis" <mdavis () imperfectnetworks com>
Cc: <mis () seiden com>; "max" <max () neuropunks org>;
<incidents () securityfocus com>
Sent: Thursday, December 29, 2005 9:49 PM
Subject: Re: Strange SMTP sessions with 'helo=<large negative number>' syntax


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

I remember we were doing this in Singapore a few years back to reach
some of the websites that were blocked by the provider's proxy; it was
just a matter of converting an IP number (which is a 4-byte word) to
the equivalent 32-bit integer.

Something like:

black.box.sk =>
66.250.131.132 =>
0x42F48384 =>
1123320708

I don't know if it works on IE anymore; on Firefox and Konqueror it
doesn't.


Regards,


Paolo.

Mike Davis wrote:
Hehe, didn't even notice max until I hit reply...


Could this be a screwy way to get some poor implementation of
gethostbyname() (Windows?) to interpret it as an IP address? I vaguely
recall an IE flaw a few years back doing something similar to disguise
URLs... but I think they were removing dots like this:

http://19216818/pornsite.html

Don't remember.
-phar


On Thu, 2005-12-29 at 00:33 -0800, mis () seiden com wrote:

This has been going on for weeks.

I believe they're all open proxies or spambots.

(Some of us use this as an oracle for open proxies.)

On Wed, Dec 28, 2005 at 04:39:14PM -0500, max wrote:

Hello all,
I found this in my logs throughout the day today:

Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1217882552>: Helo command rejected: Invalid name; from=<shuu () grandlakeindexing com> to=<dylanfans-unsubscribe () dylanirvana com> proto=SMTP helo=<-1217882552>

Notice that the helo section is a negative number (which is why my postfix
rejects the message).
There are about 5 messages a minute at its peak, and this has been
going on most of the day today (EST time zone).
Some of the connecting IP's are listed in various black lists, such as
OPM.

Has anyone noticed this as well? Is this a virus or just some new spam
tool?
Some more rejected messages below:

Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo command rejected: Invalid name; from=<Laudat () gma-consulting-fr com> to=<dylanfans-unsubscribe () dylanirvana com> proto=SMTP helo=<-1218008120>

Dec 28 16:37:54 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from unknown[219.130.49.89]: 554 Service unavailable; Client host [219.130.49.89] blocked using opm.blitzed.org; Open proxy - see http://opm.blitzed.org/219.130.49.89; from=<burkel () greenacresmortgage com> to=<max () neuropunks org> proto=SMTP helo=<-1209697480>

Dec 28 16:38:10 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 194-144-9-218.du.xdsl.is[194.144.9.218]: 501 <-1209697480>: Helo command rejected: Invalid name; from=<brenno () grandslamtennistours com> to=<max () neuropunks org> proto=SMTP helo=<-1209697480>

Thanks,

Max




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDtKAqqAaEpZvj+VMRAkVgAKCJ2qGHtRSC/k8azkfswBC+qfALDQCfZYEi
lajhPf57AheuEMKZ0UqmO4E=
=sBNt
-----END PGP SIGNATURE-----
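Editor's worked example, added to this archive page and not code posted by anyone in the thread. It carries out the conversion Paolo describes (dotted quad to 32-bit integer and back), adds the signed/unsigned reinterpretation that turns a high IPv4 address into a negative number when a C int is printed with %d, and runs that decoding over the four postfix reject lines Max posted (embedded below as sample input, re-joined onto single lines). Two checks a reader may want: the hex and decimal values in Paolo's example (0x42F48384, 1123320708) correspond to 66.244.131.132, not to the 66.250.131.132 written above them, while 66.250.131.132 is 1123713924; and none of the three HELO values decodes to the connecting client's own address, so the example shows the arithmetic, not what the spam tool actually encoded. The regular expression and the field names in the result dictionaries are this example's own.

```python
"""Decode numeric HELO values from postfix logs as 32-bit IPv4 integers.

Added example, not from the thread: dotted quad <-> 32-bit integer, the
signed view that yields negative numbers, and a pass over the posted logs.
"""
import ipaddress
import re

# Postfix reject lines copied from Max's post, one per line; the archive's
# " () " address obfuscation is left as it appears on the page.
SAMPLE_LOG = """\
Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1217882552>: Helo command rejected: Invalid name; from=<shuu () grandlakeindexing com> to=<dylanfans-unsubscribe () dylanirvana com> proto=SMTP helo=<-1217882552>
Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo command rejected: Invalid name; from=<Laudat () gma-consulting-fr com> to=<dylanfans-unsubscribe () dylanirvana com> proto=SMTP helo=<-1218008120>
Dec 28 16:37:54 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from unknown[219.130.49.89]: 554 Service unavailable; Client host [219.130.49.89] blocked using opm.blitzed.org; Open proxy - see http://opm.blitzed.org/219.130.49.89; from=<burkel () greenacresmortgage com> to=<max () neuropunks org> proto=SMTP helo=<-1209697480>
Dec 28 16:38:10 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 194-144-9-218.du.xdsl.is[194.144.9.218]: 501 <-1209697480>: Helo command rejected: Invalid name; from=<brenno () grandslamtennistours com> to=<max () neuropunks org> proto=SMTP helo=<-1209697480>
"""


def ip_to_u32(dotted):
    """'66.250.131.132' -> 1123713924: the four octets as one big-endian 32-bit unsigned int."""
    return int(ipaddress.IPv4Address(dotted))


def u32_to_ip(n):
    """Inverse of ip_to_u32; only the low 32 bits of n are used."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def to_signed32(n):
    """Reinterpret the low 32 bits of n as a two's-complement int (what printf("%d") on a C int shows).
    Addresses with the top bit set (128.0.0.0 and above) come out negative."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def to_unsigned32(n):
    """Undo to_signed32: a negative 32-bit value back to its unsigned bit pattern."""
    return n & 0xFFFFFFFF


def obscure_forms(dotted):
    """The single-number and dotted-octal spellings of an address (the forms the
    pc-help.org page linked above discusses). Whether a given browser or resolver
    accepts them is implementation-dependent; this only produces the strings."""
    n = ip_to_u32(dotted)
    return {
        "decimal": str(n),
        "hex": "0x%08X" % n,
        "octal": ".".join("0%o" % int(o) for o in dotted.split(".")),
    }


# Example-specific pattern: connecting client address in [], HELO argument in <>.
LOG_RE = re.compile(
    r"RCPT from (?P<host>\S+?)\[(?P<client>\d+\.\d+\.\d+\.\d+)\]:.*helo=<(?P<helo>[^>]*)>"
)


def analyse_line(line):
    """Decode one reject line; returns None for lines that do not match the pattern."""
    m = LOG_RE.search(line)
    if not m:
        return None
    client, helo = m.group("client"), m.group("helo")
    try:
        helo_int = int(helo, 10)
    except ValueError:  # HELO was not a bare integer; nothing to decode
        return {"client": client, "helo": helo, "helo_as_ip": None, "matches_client": False}
    helo_as_ip = u32_to_ip(to_unsigned32(helo_int))
    return {
        "client": client,
        "client_as_signed": to_signed32(ip_to_u32(client)),
        "helo": helo,
        "helo_as_ip": helo_as_ip,
        "matches_client": helo_as_ip == client,
    }


def analyse_log(text):
    """Run analyse_line over every line of a log, dropping non-matching lines."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in analyse_log(SAMPLE_LOG):
        print(r)
```

Running it over the posted lines, the three distinct HELO values (-1217882552, -1218008120, -1209697480) decode to 183.104.150.72, 183.102.171.200 and 183.229.123.56, none of which is the client that sent them, so the "signed IP address" reading does not explain these particular values even though the mechanism is real: 194.144.9.218, one of the connecting clients, prints as -1030747686 when its 32-bit value is treated as signed.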



