Carl S. Gutekunst wrote:
Does anyone here know of a legitimate MTA, proxy/filter, IDS, or similar
critter that sends this verb before sending EHLO?
FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=
I'm suspicious that it's a malware infection on the sender's host, but
before I start making accusations I wanted to check around. Various web
forums have also reported seeing this as an X-bar header line in HTTP
requests, without identifying what it was.
<csg>
A quick grep for FCCKV2 in our SMTP logs (for 2012) did not reveal any
such transaction attempt.
A few interesting data points to look at are how the client is
responding to the 500 (or whatever 50x your server is using), time-wise.
Was there a delay after your server issued the 50x? One way to
determine if this is an HTTP client dump on port 25 is whether it can
respond elegantly to the client/server state machine with rejection
responses at MAIL FROM, RCPT TO or DATA. Sometimes it looks like a
pipelining client when it's just an HTTP client/proxy dump on a public
port 25 server.
--
HLS
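The heuristic HLS describes above (did the client wait for the 50x and then carry on the SMTP dialogue, or just push a burst of bytes at port 25?) applied to session transcripts, as an added example that is not part of the thread. The transcript line format and both sessions are constructed; the FCCKV2 argument is a placeholder, not the value from the original report.

```python
import re
from itertools import takewhile
# Transcript lines: "<hh:mm:ss.mmm> <C|S>: <text>", C = client, S = server.
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) ([CS]): (.*)$")
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# Constructed transcripts (not real logs); the token is a placeholder.
REAL_CLIENT = """\
00:00:00.010 C: FCCKV2 <constructed-token>
00:00:00.013 S: 500 5.5.1 Command unrecognized
00:00:00.412 C: EHLO relay.example.net
00:00:00.415 S: 250 mx.example.org Hello
00:00:00.420 C: MAIL FROM:<sender@example.net>
00:00:00.421 S: 550 5.7.1 Sender rejected
00:00:00.790 C: QUIT
"""
BLIND_DUMP = """\
00:00:00.010 C: FCCKV2 <constructed-token>
00:00:00.010 C: GET / HTTP/1.1
00:00:00.010 C: Host: mx.example.org
00:00:00.013 S: 500 5.5.1 Command unrecognized
00:00:00.014 S: 500 5.5.1 Command unrecognized
00:00:00.015 S: 500 5.5.1 Command unrecognized
"""

def parse(transcript):
    out = []  # (seconds, side, text) for every well-formed line
    for m in filter(None, map(LINE_RE.match, transcript.splitlines())):
        h, mi, s, ms, side, text = m.groups()
        out.append((int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000, side, text))
    return out

def classify_session(transcript, min_wait=0.05):
    """Does the client wait for each 5xx and answer it with an SMTP verb?"""
    ev = parse(transcript)
    client = [(i, t, txt) for i, (t, side, txt) in enumerate(ev) if side == "C"]
    first_verb = client[0][2].split()[0].upper() if client else ""
    burst = sum(1 for _ in takewhile(lambda e: e[1] == "C", ev))  # sent before any reply
    followups = []  # (verb sent after each 5xx reply, seconds the client waited)
    for i, (t, side, txt) in enumerate(ev):
        if side == "S" and txt.startswith("5"):
            nxt = next(((t2, txt2) for j, t2, txt2 in client if j > i), None)
            verb = nxt[1].split()[0].upper() if nxt else "none"
            if nxt and verb not in SMTP_VERBS:
                verb = "garbage"  # e.g. an HTTP request line or header
            followups.append((verb, round(nxt[0] - t, 3) if nxt else 0.0))
    state_aware = burst <= 1 and bool(followups) and all(
        v in SMTP_VERBS and gap >= min_wait for v, gap in followups)
    return {"first_verb": first_verb, "unknown_first_verb": first_verb not in SMTP_VERBS,
            "burst": burst, "followups": followups, "state_aware": state_aware}
```

A session flagged `unknown_first_verb` but `state_aware` is a real MTA sending an odd verb first; one that bursts several lines and never answers the 50x is the client/proxy dump HLS describes.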
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp