Security Incidents mailing list archives
Re: HELO/EHLP attack?.
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Fri, 4 Aug 2000 18:59:39 +0200
On Fri, 4 Aug 2000, Ryan Yagatich wrote:
> Don't quote me on this, but it looks to me like someone had just connected to the SMTP daemon, initialized the connection, and then killed it right after. Was there anything else in the logs before/after (like commands that were issued, etc.)? If not, set your log level up a bit to grab more information and see.

Nah, it's more likely an ancient Sendmail vulnerability found by me (see BUGTRAQ archives) with an extremely long EHLO / HELO parameter; it allows an attacker to hide his hostname and IP in SMTP headers (it has been fixed in 8.8.8, I think, and this log message has been introduced). Possibly spammers.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
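A receiving-side check for the oversized greeting argument discussed in this message, as an added example that is not part of the original post and is not Sendmail's own code: it validates a raw HELO/EHLO command line against the size limits in RFC 5321 section 4.5.3.1 and the 63-octet DNS label limit. The function names and the sample session lines are constructed for illustration.

```python
import re

# Size limits in octets (RFC 5321 section 4.5.3.1; label limit from RFC 1035).
MAX_COMMAND_LINE = 512   # whole command line, including the trailing CRLF
MAX_DOMAIN = 255
MAX_LABEL = 63

LABEL_RE = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# Loose shape check for address literals such as [192.0.2.10] or [IPv6:2001:db8::1].
LITERAL_RE = re.compile(rb"\[[0-9A-Za-z.:]{2,64}\]")


def check_greeting(line: bytes) -> list[str]:
    """Return the reasons a raw HELO/EHLO line should be rejected (empty list = acceptable)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() not in (b"HELO", b"EHLO"):
        return []  # not a greeting, nothing to check here
    reasons = []
    if len(line) > MAX_COMMAND_LINE:
        reasons.append(f"command line is {len(line)} octets (limit {MAX_COMMAND_LINE})")
    arg = arg.strip()
    if not arg:
        reasons.append("greeting has no argument")
    elif not LITERAL_RE.fullmatch(arg):
        if len(arg) > MAX_DOMAIN:
            reasons.append(f"argument is {len(arg)} octets (limit {MAX_DOMAIN})")
        labels = arg.split(b".")
        if any(len(l) > MAX_LABEL or not LABEL_RE.fullmatch(l) for l in labels):
            reasons.append("argument is not a syntactically valid hostname")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every greeting in the session that fails the check."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := check_greeting(l))]


# Constructed sample session lines (not taken from any real log).
SAMPLE = [
    b"EHLO mail.example.org\r\n",
    b"HELO [192.0.2.10]\r\n",
    b"MAIL FROM:<a@example.org>\r\n",
    b"EHLO " + b"A" * 1000 + b"\r\n",
    b"HELO\r\n",
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE):
        print(number, "; ".join(reasons))
```

Rejecting or truncating the greeting before it is copied into a Received header keeps the connecting IP and resolved hostname visible in the trace line.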