Strange SMTP Garbage Flood

From: Mike Tibor (tiborat_private)
Date: Tue Nov 13 2001 - 17:52:28 PST


    I'm noticing an increasing amount of weird smtp relay attempts through my
    mail server.  What makes these strange is that they actually don't appear
    to be real relay attempts, but more like someone spitting garbage during
    the RCPT TO: part of the smtp session (i.e., there's no identifiable
    objective that I can see, vs. a "real" relay attempt which has the obvious
    objective of discovering whether my mail server is an open relay).
    
    I've received about a hundred Postfix notifications over the past three or
    four days regarding this activity, and the vast majority appear to be from
    a single dialup customer from a local ISP here in Anchorage.  However, a
    few others were from what appeared to be a different computer (it supplied
    a different name in the HELO part of session), coming from a different
    Anchorage ISP.
    
    A number of things are consistent in these messages:
    
      1.  HELO identifier is the same (with the exception noted above)
      2.  RSET always immediately after HELO
      3.  Envelope sender always blank ("MAIL FROM: <>")
      4.  Garbage always in RCPT TO:
      5.  Remote computer always drops the connection
          (it never sends QUIT to end the session)
    
    I've obscured the hostname and IP address of the remote computer
    (host.isp.com[xxx.xxx.xxx.xxx])
    
    Does this activity look familiar to anyone?  I looked through my bugtraq
    and incidents archives and didn't notice anything that might shed some
    light.
    
    If anyone has any insight as to what this might be, I would greatly
    appreciate it.
    
    Thanks,
    Mike
    -- 
    Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
    Network Technician     Consortium Library         (907) 786-6050 fax
    tiborat_private       http://www.lib.uaa.alaska.edu/~tibor/
    http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
    
    ---------- Forwarded message ----------
    Date: Mon, 12 Nov 2001 20:51:43 -0900 (AKST)
    From: Mail Delivery System <MAILER-DAEMONat_private>
    To: Postmaster <postmasterat_private>
    Subject: Postfix SMTP server: errors from
        host.isp.com[xxx.xxx.xxx.xxx]
    
    Transcript of session follows.
    
     Out: 220 asimov.lib.uaa.alaska.edu ESMTP Postfix
     In:  HELO tmusuquen
     Out: 250 asimov.lib.uaa.alaska.edu
     In:  RSET
     Out: 250 Ok
     In:  MAIL FROM: <>
     Out: 250 Ok
     In:  RCPT TO: <???+?0@?Q.?)~???/?$;>
     Out: 554 <   + 0@ Q. )~   / $;>: Recipient address rejected: Relay access
         denied
    
    Session aborted, reason: lost connection
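The five traits listed above are easy to check mechanically. The following is an added illustration, not code from the post: a small Python checker that parses a Postfix "Transcript of session follows" notification and reports which of the traits (RSET straight after HELO, null envelope sender, non-printable garbage in RCPT TO, connection dropped without QUIT) are present. The sample transcript is constructed to mirror the forwarded one; the garbage bytes, the hostname and the 0.2 garbage threshold are assumptions, not values from the original.

```python
import re
# Constructed transcript modelled on the forwarded Postfix notification; the garbage bytes are made up.
SUSPECT_SESSION = """\
 Out: 220 mx.example.org ESMTP Postfix
 In:  HELO tmusuquen
 Out: 250 mx.example.org
 In:  RSET
 Out: 250 Ok
 In:  MAIL FROM: <>
 Out: 250 Ok
 In:  RCPT TO: <\x7f\x01+\x800@\x01Q.\x02)~\x7f/\x03$;>
 Out: 554 <...>: Recipient address rejected: Relay access denied

Session aborted, reason: lost connection
"""
def client_commands(transcript):
    """Return the client's (VERB, argument) pairs from the 'In:' lines, in order."""
    cmds = []
    for line in transcript.splitlines():
        m = re.match(r"\s*In:\s+(\S+)\s*(.*)$", line)
        if m:
            cmds.append((m.group(1).upper(), m.group(2)))
    return cmds

def envelope_addr(arg):
    """Address from a 'FROM: <x>' / 'TO: <x>' argument; '' for the null sender '<>'."""
    m = re.match(r"(?:FROM|TO):\s*(?:<(.*)>|(\S*))", arg, re.I)
    return (m.group(2) if m.group(1) is None else m.group(1)) if m else arg

def non_printable_ratio(s):
    """Fraction of characters outside printable ASCII (0.0 for an empty string)."""
    return sum(not 32 <= ord(c) < 127 for c in s) / len(s) if s else 0.0

def session_indicators(transcript, garbage_threshold=0.2):
    """Check one transcript for the traits listed in the post (HELO identifier aside)."""
    cmds = client_commands(transcript)
    verbs = [v for v, _ in cmds]
    return {
        "rset_right_after_helo": any(verbs[i] in ("HELO", "EHLO") and verbs[i + 1] == "RSET"
                                     for i in range(len(verbs) - 1)),
        "null_envelope_sender": any(v == "MAIL" and envelope_addr(a) == "" for v, a in cmds),
        "garbage_in_rcpt_to": any(v == "RCPT" and non_printable_ratio(envelope_addr(a))
                                  >= garbage_threshold for v, a in cmds),
        "dropped_without_quit": "QUIT" not in verbs and "lost connection" in transcript,
    }

def is_garbage_flood(transcript, min_hits=3):
    """Flag the session when at least min_hits of the four traits are present together."""
    return sum(session_indicators(transcript).values()) >= min_hits
```

Run over the postmaster notifications, the per-trait dict lets you count how many sessions per source host show the whole pattern rather than a single bounced relay attempt.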
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 17:56:40 PST