Security Incidents mailing list archives

IRC -> smtp worm?


From: Joao Gouveia <tharbad () kaotik org>
Date: 18 Dec 2002 02:37:08 +0000

Hello list,

Is anyone aware of some kind of IRC worm that uses SMTP servers to act
as a spy client or something like that?
While taking a look at an IDS log of a client, I saw several alerts that
were triggered and classified as "IRC traffic" directed to an SMTP server
on port 25. Nothing odd about that at first glance, as it could be
just a simple copy/paste of an IRC log sent via mail. But in this
particular situation (which is causing hundreds of alerts/day), the
format of the mail is anything but "normal".
Here is a sample (IRC user data changed):
<quote>
HELO x4i8x4
RSET
MAIL FROM: <>
RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
</quote>

Obviously the server is responding with a "501 5.5.4 Invalid Address".
Not that I consider this a serious issue (from the server side, of
course), but I'm curious about what's causing this behaviour.

Sorry if this is a well-known issue, but I've done a somewhat limited
search and came up with nothing that applies.

Regards,

Joao Gouveia


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
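
Added example, not part of the original post or the list's own tooling: a small Python check that separates the pattern quoted above (an IRC message carried inside an SMTP envelope path) from ordinary mail that merely contains pasted IRC text. The function name, the verb list and the extra sample recipient are assumptions made for illustration.

```python
import re

# IRC verbs to flag inside an SMTP envelope path (assumed list, extend as needed).
IRC_VERBS = ("PRIVMSG", "NOTICE", "JOIN", "PART", "QUIT", "NICK", "MODE", "KICK")

# MAIL FROM: / RCPT TO: followed by an angle-bracketed path.
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>\s*$", re.IGNORECASE)

# IRC message shape: nick!user@host prefix, verb, target, optional ":trailing text".
IRC_MSG = re.compile(
    r"^:?(?P<prefix>[^\s!@]+![^\s@]*@\S+)\s+(?P<verb>%s)\s+(?P<target>\S+)"
    r"(?:\s+:(?P<text>.*))?$" % "|".join(IRC_VERBS)
)

def find_irc_in_envelope(lines):
    """Return one finding per envelope command whose path parses as an IRC message."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        env = ENVELOPE.match(raw.strip())
        if not env:
            continue  # HELO, RSET, DATA etc. are not envelope commands
        irc = IRC_MSG.match(env.group(2))
        if irc:
            findings.append({
                "line": lineno,
                "smtp_command": env.group(1).upper(),
                "irc_prefix": irc.group("prefix"),
                "irc_verb": irc.group("verb"),
                "irc_target": irc.group("target"),
                "irc_text": irc.group("text"),
            })
    return findings

# Constructed sample: the session quoted in the post plus one ordinary recipient.
SAMPLE_SESSION = [
    "HELO x4i8x4",
    "RSET",
    "MAIL FROM: <>",
    "RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>",
    "RCPT TO: <user@example.org>",
]

if __name__ == "__main__":
    for finding in find_irc_in_envelope(SAMPLE_SESSION):
        print(finding)
```

Matching only on the envelope commands keeps the check from firing on message bodies that happen to quote an IRC log.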

