Re: [ietf-smtp] Help identifying unknown verb: FCCKV2

2012-09-28 17:07:15

--On Friday, September 28, 2012 14:26 -0700 "Carl S. Gutekunst"
<csg(_at_)alameth(_dot_)org> wrote:

> Does anyone here know of a legitimate MTA, proxy/filter, IDS,
> or similar critter that sends this verb before sending EHLO?
>
>     FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=
>
> I'm suspicious that it's a malware infection on the sender's
> host, but before I start making accusations I wanted to check
> around. Various web forums have also reported seeing this as
> an X-bar header line in HTTP requests, without identifying
> what it was.

I don't know what your definition of "legitimate" is, but I
think 5321 and all of its predecessors are pretty clear that any
verb sent before EHLO or HELO other than VRFY or EXPN is not
"legitimate". So any MTA, etc., that uses such a verb isn't

That said, it looks like what I would expect from some flavor of magic
cookie (possibly even a message/transaction hash or signature)
that might be used in an "offer the right handshake and get the
right response to it or I won't allow a connection" transaction.
There are obviously better (or at least more standard) ways to
do that in today's Internet, starting with SASL or SMTP
AUTH-based sending host authentication, but that might not stop
someone from trying.  In particular, if the enemy is a spammer,
protection (if not security) by sufficient obscurity can
actually be a good medium-term tool.
