-*- Joao Gouveia <tharbadat_private> [ 2002-12-18 15:51 ]:
> Hello list,
>
> Is anyone aware of some kind of IRC worm that uses SMTP servers to act
> as a spy client or something like that?
> While taking a look at an IDS log of a client, I saw several alerts that
> were triggered and classified as "IRC traffic" directed to an SMTP server
> on port 25. Nothing odd about that at a first glance, as it could be
> just a simple copy/paste of an IRC log sent via mail. But on this
> particular situation ( that is causing hundreds of alerts/day ), the
> format of the mail is everything but "normal".
> Here is a sample (IRC user data changed):
> <quote>
> HELO x4i8x4
> RSET
> MAIL FROM: <>
> RCPT TO: <mask!__at_private PRIVMSG #channel :LOL>
> </quote>
>
> Obviously the server is responding with a "501 5.5.4 Invalid Address".
> Not that I consider this a serious issue ( from the server side of
> course ), but I'm curious on what's causing this behaviour.
>
> Sorry if this is a well known issue, but I've done a somewhat limited
> search and came up with nothing that applies.

IIRC, this was very common when Hybris was at its best. It captures
snippets from IRC traffic on a client computer, interprets them as an
email address and tries to send mail to that "address".

--
Regards,
Tolli
tolliat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 11:28:58 PST
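
The pattern discussed in this thread (IRC protocol text arriving as an SMTP recipient) can be triaged from SMTP command logs. The following is an added example, not part of the original posts: the function names, the IRC verb list and the sample sessions are assumptions made here, and the sessions are constructed, not real captures.

```python
import re

# IRC commands that may appear when captured IRC traffic is reused as an address.
IRC_VERBS = {"PRIVMSG", "NOTICE", "JOIN", "PART", "QUIT", "NICK", "MODE", "TOPIC", "KICK"}
RCPT_RE = re.compile(r"^RCPT TO:\s*<(.*)>\s*$", re.IGNORECASE)
# nick!user@host prefix that servers put in front of relayed IRC messages
HOSTMASK_RE = re.compile(r"^[^\s!@]+![^\s@]+@\S+")

def classify_rcpt(line):
    """Return the reasons a RCPT TO line looks like IRC traffic ([] if none)."""
    m = RCPT_RE.match(line.strip())
    if not m:
        return []
    path = m.group(1)
    tokens = path.split()
    reasons = []
    if any(t.upper() in IRC_VERBS for t in tokens):
        reasons.append("irc-verb")
    if HOSTMASK_RE.match(path):
        reasons.append("irc-hostmask")
    if any(t.startswith("#") for t in tokens):
        reasons.append("irc-channel")
    return reasons

def scan_session(lines):
    """Scan one session's client commands; return (helo, null_sender, hits)."""
    helo, null_sender, hits = None, False, []
    for line in lines:
        s = line.strip()
        if s.upper().startswith(("HELO ", "EHLO ")):
            helo = s.split(None, 1)[1]
        elif re.match(r"^MAIL FROM:\s*<>\s*$", s, re.IGNORECASE):
            null_sender = True
        else:
            reasons = classify_rcpt(s)
            if reasons:
                hits.append((s, reasons))
    return helo, null_sender, hits

# Constructed sample sessions, modelled on the sample quoted in the thread.
SUSPECT = ["HELO x4i8x4", "RSET", "MAIL FROM: <>",
           "RCPT TO: <nick!user@host.example PRIVMSG #channel :LOL>"]
BENIGN = ["HELO mail.example.org", "MAIL FROM: <alice@example.org>",
          "RCPT TO: <bob@example.net>", "DATA"]

if __name__ == "__main__":
    for name, session in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan_session(session))
```

A hit combined with a null sender and many repeats from one internal client points at an infected workstation rather than at the mail server, which is where cleanup effort belongs.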