Security Incidents mailing list archives

Re: IRC -> smtp worm?

From: Eric Chien <ecchien () yahoo com>
Date: Wed, 18 Dec 2002 10:53:31 -0800 (PST)

--- Joao Gouveia <tharbad () kaotik org> wrote:

Here is a sample (IRC user data changed):
<quote>
HELO x4i8x4
RSET
MAIL FROM: <>
RCPT TO: <mask!__@69.69.69.69 PRIVMSG #channel :LOL>
</quote>


Could be one of the many standard SMTP worms that
parse text and html files looking for email addresses.
 The routines that do so are relatively 'inaccurate'
as they may just search for the @ symbol.

And in this case, it may have hit upon an IRC log and
didn't quite parse out the email address properly (or
realize they weren't actually email addresses at all).

...Eric

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

IRC -> smtp worm? Joao Gouveia (Dec 18)
- Re: IRC -> smtp worm? Þórhallur Hálfdánarson (Dec 18)
- Re: IRC -> smtp worm? H C (Dec 18)
- Re: IRC -> smtp worm? Eric Chien (Dec 18)