Re: [ietf-smtp] Help identifying unknown verb: FCCKV2

2012-10-01 10:55:08
Carl S. Gutekunst wrote:
Does anyone here know of a legitimate MTA, proxy/filter, IDS, or similar critter that sends this verb before sending EHLO?

   FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=

I'm suspicious that it's a malware infection on the sender's host, but before I start making accusations I wanted to check around. Various web forums have also reported seeing this as an X-bar header line in HTTP requests, without identifying what it was.


A quick grep for FCCKV2 in our SMTP logs (for 2012) did not reveal any such transaction attempt.

A few interesting data points to look at are how the client responds, time-wise, to the 500 (or whatever 50x your server is using). Was there a delay after your server issued the 50x? One way to determine if this is an HTTP client dump on port 25 is whether it can respond elegantly to the client/server state machine with rejection responses at MAIL FROM, RCPT TO or DATA. Sometimes it looks like a pipelining client when it's just an HTTP client/proxy dump on a public port 25 server.
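The three checks suggested in the reply above (an unknown verb before EHLO, how quickly the client reacts to a 5xx, and whether it keeps streaming after MAIL/RCPT/DATA are rejected) can be run mechanically over a captured session. The following is an added example, not code from this thread or from any MTA: it assumes the session has been recorded as (seconds-since-connect, direction, line) events, the 50 ms reaction threshold is an assumed tuning knob, and both transcripts are constructed for illustration (only the FCCKV2 line itself comes from the original post). The decisive signal is message body text arriving after DATA was refused: a real client, pipelining or not, has to wait for the DATA reply before sending the body, so a peer that sends headers and a body anyway is blindly dumping a pre-built stream.

```python
"""Score an SMTP session transcript for "HTTP client dumped on port 25" behaviour."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "STARTTLS", "AUTH", "VRFY", "EXPN", "HELP"}
GRACEFUL_AFTER_REJECT = {"RSET", "QUIT", "MAIL", "NOOP", "EHLO", "HELO"}
MIN_REACTION_SECS = 0.05   # assumed threshold: time a real client needs to read and act on a 5xx


@dataclass
class Event:
    t: float      # seconds since the TCP connection was accepted
    src: str      # "C" = client -> server, "S" = server -> client
    line: str


@dataclass
class Verdict:
    unknown_before_hello: List[str] = field(default_factory=list)
    min_gap_after_5xx: Optional[float] = None   # shortest client reaction time after any 5xx
    graceful_reactions: int = 0                 # RSET/QUIT/MAIL/... issued right after a 5xx
    body_after_data_reject: bool = False        # message text sent although DATA was refused
    score: int = 0
    looks_like_dump: bool = False


def analyze(events: List[Event]) -> Verdict:
    v = Verdict()
    outstanding: List[str] = []                 # client lines awaiting a reply (pipelining-aware)
    seen_hello = False
    reject: Optional[Tuple[float, str]] = None  # (time, command) of the last 5xx until the client reacts
    for ev in events:
        if ev.src == "S":
            if len(ev.line) >= 4 and ev.line[3] == "-":   # continuation line of a multi-line reply
                continue
            code = int(ev.line[:3])
            if code == 220 and not outstanding:            # banner, not a reply to a command
                continue
            verb = outstanding.pop(0) if outstanding else "?"
            if 500 <= code < 600:
                reject = (ev.t, verb)
            continue
        verb = ev.line.split(" ", 1)[0].upper() if ev.line.strip() else ""
        is_cmd = verb in SMTP_VERBS
        outstanding.append(verb)                # the server answers every line, valid verb or not
        if not seen_hello:
            if verb in ("HELO", "EHLO"):
                seen_hello = True
            elif not is_cmd:
                v.unknown_before_hello.append(verb)
        if reject is not None:                  # first client line after a 5xx: how did it react?
            t_rej, rejected_cmd = reject
            gap = ev.t - t_rej
            v.min_gap_after_5xx = gap if v.min_gap_after_5xx is None else min(v.min_gap_after_5xx, gap)
            if verb in GRACEFUL_AFTER_REJECT:
                v.graceful_reactions += 1
            if rejected_cmd == "DATA" and not is_cmd:   # body text after "DATA" was refused
                v.body_after_data_reject = True
            reject = None
    v.score = ((2 if v.body_after_data_reject else 0)
               + (1 if v.unknown_before_hello else 0)
               + (1 if v.min_gap_after_5xx is not None and v.min_gap_after_5xx < MIN_REACTION_SECS else 0))
    v.looks_like_dump = v.score >= 2
    return v


# Constructed transcript: pre-built stream pushed at port 25 (server replies to body lines omitted).
DUMP_SESSION = [
    Event(0.00, "S", "220 mx.example.test ESMTP"),
    Event(0.01, "C", "FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk="),
    Event(0.02, "S", "500 5.5.1 Command unrecognized"),
    Event(0.02, "C", "EHLO client.example.test"),
    Event(0.02, "C", "MAIL FROM:<a@example.test>"),
    Event(0.02, "C", "RCPT TO:<b@example.test>"),
    Event(0.02, "C", "DATA"),
    Event(0.03, "S", "250-mx.example.test"),
    Event(0.03, "S", "250 PIPELINING"),
    Event(0.03, "S", "550 5.7.1 Sender rejected"),
    Event(0.03, "S", "503 5.5.1 Need MAIL command"),
    Event(0.03, "S", "503 5.5.1 Need RCPT command"),
    Event(0.03, "C", "Subject: hello"),
    Event(0.03, "C", ""),
    Event(0.03, "C", "Hi"),
    Event(0.03, "C", "."),
]

# Constructed transcript: genuine pipelining client that stops cleanly when its MAIL is refused.
PIPELINING_SESSION = [
    Event(0.00, "S", "220 mx.example.test ESMTP"),
    Event(0.10, "C", "EHLO mua.example.test"),
    Event(0.11, "S", "250-mx.example.test"),
    Event(0.11, "S", "250 PIPELINING"),
    Event(0.20, "C", "MAIL FROM:<a@example.test>"),
    Event(0.20, "C", "RCPT TO:<b@example.test>"),
    Event(0.20, "C", "DATA"),
    Event(0.21, "S", "550 5.7.1 Sender rejected"),
    Event(0.21, "S", "503 5.5.1 Need MAIL command"),
    Event(0.21, "S", "503 5.5.1 Need RCPT command"),
    Event(0.35, "C", "QUIT"),
    Event(0.36, "S", "221 Bye"),
]

if __name__ == "__main__":
    for name, session in (("dump", DUMP_SESSION), ("pipelining", PIPELINING_SESSION)):
        print(name, analyze(session))
```

The per-line reply queue is what keeps the scorer honest for pipelining clients: MAIL, RCPT and DATA sent back to back before any reply is normal, so the reaction-time and "graceful" checks are only applied to the first client line after the last 5xx, and the timing signal alone is never enough to convict. Feeding it real sessions means logging client lines with timestamps at the MTA or from a pcap; the threshold and scoring weights are starting points to tune against your own traffic.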


