Security Incidents mailing list archives

Re: Strange SMTP Garbage Flood


From: <macdaddy () neo pittstate edu>
Date: Tue, 13 Nov 2001 20:20:53 -0600 (CST)

On Tue, 13 Nov 2001, Mike Tibor wrote:

I'm noticing an increasing amount of weird smtp relay attempts through my
mail server.  What makes these strange is that they actually don't appear
to be real relay attempts, but more like someone spitting garbage during
the RCPT TO: part of the smtp session (ie, there's no identifiable
objective that I can see, vs. a "real" relay attempt which has the obvious
objective of discovering whether my mail server is an open relay)

I've received about a hundred Postfix notifications over the past three or
four days regarding this activity, and the vast majority appear to be from
a single dialup customer from a local ISP here in Anchorage.  However, a
few others were from what appeared to be a different computer (it supplied
a different name in the HELO part of session), coming from a different
Anchorage ISP.

A number of things are consistent in these messages:

  1.  HELO identifier is the same (with the exception noted above)
  2.  RSET always immediately after HELO
  3.  Envelope sender always blank ("MAIL FROM: <>")
  4.  Garbage always in RCPT TO:
  5.  Remote computer always drops the connection
      (it never sends QUIT to end the session)

I've obscured the hostname and IP address of the remote computer
(host.isp.com[xxx.xxx.xxx.xxx])

Does this activity look familiar to anyone?  I looked through my bugtraq
and incidents archives and didn't notice anything that might shed some
light.

If anyone has any insight as to what this might be, I would greatly
appreciate it.

Mike,
        I believe I know exactly what this is.  I've seen a great deal of
similar activity and have for a long while.  What I usually see are
numerous lines like this in my maillog:

Nov  4 07:43:15 oak sendmail[1453]: fA4DhFR01453:
<BIG-MUSCLE@oscarcam....</a>... Unbalanced '<'

or 

Nov  4 09:32:47 oak sendmail[8612]: fA4FWiR08612:
<H6g^U"C@uQ^TtB}^K^[u/wkihWz\177?.3<Z,cTxe.C.^Q!`^U >... Unbalanced '<'

Each one accompanies a bounce to postmaster.  The guts of that bounce
contain the Snow White and the Seven Dwarfs text that we're all too
familiar with.  I believe what you're seeing is the same thing.  The side
effects of clients infected with Hybris.  Have that user disinfect their
machine and I bet this will stop (at least from them).

Justin
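As an added illustration (my own code, not part of this thread), a small classifier that applies the traits Mike listed to one client's SMTP command transcript: RSET right after HELO, empty envelope sender, garbage in RCPT TO, and no QUIT. The transcripts are constructed; the garbage check mirrors the "Unbalanced '<'" condition that sendmail logs in Justin's reply.

```python
import re
from typing import Dict, List

CMD_RE = re.compile(r"^([A-Za-z]+)\b\s*(.*)$")

def is_garbage(arg: str) -> bool:
    """True when an address argument carries control/non-ASCII bytes or has
    unequal '<' and '>' counts (what sendmail reports as "Unbalanced '<'")."""
    body = arg.split(":", 1)[1].strip() if ":" in arg else arg
    has_ctrl = any(ord(c) < 32 or ord(c) > 126 for c in body)
    return has_ctrl or body.count("<") != body.count(">")

def classify_session(commands: List[str]) -> Dict[str, bool]:
    """Score one client session against traits 2-5 from the thread
    (trait 1, a repeated HELO name, is only visible across sessions)."""
    verbs, args = [], []
    for line in commands:
        m = CMD_RE.match(line)
        if m:
            verbs.append(m.group(1).upper())
            args.append(m.group(2))
    pairs = list(zip(verbs, args))
    findings = {
        # trait 2: RSET immediately after HELO/EHLO
        "rset_after_helo": any(verbs[i] in ("HELO", "EHLO") and verbs[i + 1] == "RSET"
                               for i in range(len(verbs) - 1)),
        # trait 3: empty envelope sender ("MAIL FROM: <>")
        "null_sender": any(v == "MAIL" and re.fullmatch(r"FROM:\s*<>", a, re.I) is not None
                           for v, a in pairs),
        # trait 4: garbage in RCPT TO
        "garbage_rcpt": any(v == "RCPT" and is_garbage(a) for v, a in pairs),
        # trait 5: connection dropped without QUIT
        "no_quit": "QUIT" not in verbs,
    }
    findings["matches_pattern"] = all(findings.values())
    return findings

# Constructed transcripts (client commands only). SUSPECT follows the thread's
# description; its RCPT argument embeds control bytes like the quoted maillog line.
SUSPECT = [
    "HELO host.isp.com",
    "RSET",
    "MAIL FROM: <>",
    'RCPT TO: <H6g\x15"C@uQ\x14tB}\x0b\x1bu/wkihWz\x7f?.3<Z,cTxe.C.\x11!`\x15 >',
]
LEGIT = [
    "EHLO mx.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "QUIT",
]
```

Feeding each connection's command list from a Postfix or sendmail session trace into `classify_session` and grouping the `matches_pattern` hits by source host gives the per-client tally Mike was assembling by hand from bounce notifications.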


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
