Re: "datapool is a DoS attacks kit" message

From: Daniel Martin (dtmartin24at_private)
Date: Sun Jul 22 2001 - 18:22:11 PDT

  • Next message: Vern Paxson: "Re: My list of default.ida connection attempts"

    Ok, so I figured this out and it's cute.  (Admittedly, I'm probably
    not the only one here who can put two and two together, but...)
    
    Here's what happened:
    > fetchmail: POP3< +OK 0
    > 9 messages for steveat_private at pop.pol.net.uk (32281 octets).
    > fetchmail: POP3> LIST 
    > fetchmail: POP3< +OK 
    > fetchmail: POP3< 1 2955
    > fetchmail: POP3< 2 3288
    > fetchmail: POP3< 3 3311
    > fetchmail: POP3< 4 2609
    > fetchmail: POP3< 5 7562
    > fetchmail: POP3< 6 3124
    > fetchmail: POP3< 7 3490
    > fetchmail: POP3< 8 2619
    > fetchmail: POP3< 9 3323
    > fetchmail: POP3< .
    > fetchmail: POP3> TOP 1 99999999
    > fetchmail: POP3< +OK 
    
    All Normal so far.  This command TOP will now send the message with
    full headers.  Note that since fetchmail occasionally makes decisions
    on what to do with a message based upon the headers, it first reads
    all the headers in before connecting anywhere.
    
    > reading message 1 of 9 (2955 octets)
    > fetchmail: SMTP connect to localhost failed
    
    And here we see that fetchmail has finished reading the headers (and
    the blank line that marks the end of the headers) and attempted to
    connect to localhost.  It couldn't, so it decides to bail.  First just
    send a QUIT message to the pop server:
    
    > fetchmail: POP3> QUIT 
    
    Now read the response:
    
    > fetchmail: POP3< datapool is a DoS attacks kit
    
    Ah, but the POP server wasn't finished sending out the message yet -
    shame on fetchmail for not finishing a transaction it started.  What
    you see here is the first line of that email message that fetchmail
    was trying to retrieve.  In fact, that email message can be found at
    http://www.securityfocus.com/archive/75/198527 -- if it hadn't been
    another incidents mailing list message, I might not have figured out
    what happened.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 18:37:40 PDT