Hector Santos wrote:
>> Does anyone here know of a legitimate MTA, proxy/filter, IDS, or
>> similar critter that sends this verb before sending EHLO?
>> FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=
> A quick grep for FCCKV2 in our SMTP logs (for 2012) did not reveal any
> such transaction attempt.
Thanks. I do think that if this was malware, someone else would have
noticed it by now.
> A few interesting data points to look at are how the client is
> responding to the 500 (or whatever 50x your server is using), time
> wise. Was there a delay after your server issued the 50x? One way to
> determine if this is an HTTP client dump on port 25 is whether it can
> respond elegantly to the client/server state machine with rejection
> responses at MAIL FROM, RCPT TO or DATA. Sometimes it looks like a
> pipelining client when it's just an HTTP client/proxy dump on a public
> port 25 server.
Nope, this was just a normal, complete, correct SMTP transaction, except
for the insertion of that extra command before the EHLO.
<csg>
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
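The probe Hector suggests in the thread above (reject at RCPT TO and watch whether the client still honours the SMTP state machine) can be run on a recorded client transcript offline. The block below is an added example, not code from the thread or from any participant: it implements a minimal server-side SMTP state machine (EHLO before MAIL, MAIL before RCPT, an accepted RCPT before DATA, 500 for unknown verbs, 550 for every recipient) and classifies the client from its reaction. The three transcripts are constructed; the first mirrors the case reported in the thread (an unknown verb, then a normal session). Timing, which Hector also asks about, is not modelled here, since it is not visible in a line-only transcript.

```python
"""Tell a real (if odd) SMTP client from an HTTP request dumped on port 25
or a script that ignores replies, using a minimal SMTP state machine.
Added example with constructed transcripts; not code from the thread."""
import re

KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
               "VRFY", "STARTTLS", "AUTH"}
HTTP_REQUEST = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


def simulate_session(client_lines, reject_rcpt=True):
    """Feed client_lines to a test server; return [(line, reply_code, verb)].

    Ordering follows RFC 5321: EHLO/HELO before MAIL, MAIL before RCPT, an
    accepted RCPT before DATA.  Unknown verbs get 500, out-of-order verbs 503,
    and with reject_rcpt every recipient is refused with 550, which is the
    probe: a real client reacts to the 550, a blind one pushes on.
    """
    helo = mail = rcpt_ok = in_data = False
    transcript = []
    for line in client_lines:
        if in_data:                      # message body: no reply until "."
            if line == ".":
                in_data = False
                transcript.append((line, 250, "."))
            continue
        # "MAIL FROM:<..>" -> MAIL, "Host: x" -> HOST, "GET / HTTP/1.1" -> GET
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb not in KNOWN_VERBS:
            code = 500
        elif verb in ("HELO", "EHLO"):
            helo, mail, rcpt_ok, code = True, False, False, 250
        elif verb == "RSET":
            mail, rcpt_ok, code = False, False, 250
        elif verb == "NOOP":
            code = 250
        elif verb == "QUIT":
            transcript.append((line, 221, verb))
            break
        elif verb == "MAIL":
            code = 250 if helo else 503
            mail = code == 250
        elif verb == "RCPT":
            if not mail:
                code = 503
            elif reject_rcpt:
                code = 550
            else:
                code, rcpt_ok = 250, True
        elif verb == "DATA":
            if rcpt_ok:
                code, in_data = 354, True
            else:
                code = 503              # no valid recipients
        else:                            # VRFY/STARTTLS/AUTH not offered here
            code = 502
        transcript.append((line, code, verb))
    return transcript


def classify_client(client_lines):
    """Classify a client by how it behaves against the rejecting server.

    'http-dump'       first line is an HTTP request line and no SMTP verb
                      ever appears
    'ignores-replies' keeps sending non-SMTP lines (e.g. a message body)
                      after a known verb was refused with 5xx
    'smtp'            follows the state machine and reacts to rejections,
                      even if it sent an unrecognized verb first
    """
    transcript = simulate_session(client_lines, reject_rcpt=True)
    if not any(v in KNOWN_VERBS for _, _, v in transcript):
        if client_lines and HTTP_REQUEST.match(client_lines[0]):
            return "http-dump"
        return "unknown"
    seen_rejection = False
    for _, code, verb in transcript:
        if seen_rejection and verb not in KNOWN_VERBS:
            return "ignores-replies"
        if code >= 500 and verb in KNOWN_VERBS:
            seen_rejection = True
    return "smtp"


def reply_codes(client_lines):
    """The server's reply codes in order, handy for eyeballing a session."""
    return [code for _, code, _ in simulate_session(client_lines)]


# Constructed transcripts (client side only); the server greeting is implied.
ODD_BUT_VALID = ["FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=",
                 "EHLO mail.example.com", "MAIL FROM:<alice@example.com>",
                 "RCPT TO:<bob@example.net>", "QUIT"]
HTTP_DUMP = ["GET / HTTP/1.1", "Host: example.net", "User-Agent: curl/8.0", ""]
BLIND_SCRIPT = ["EHLO bot", "MAIL FROM:<x@example.com>", "RCPT TO:<y@example.net>",
                "DATA", "Subject: hi", "", "body", "."]

if __name__ == "__main__":
    for name, lines in [("odd", ODD_BUT_VALID), ("http", HTTP_DUMP),
                        ("blind", BLIND_SCRIPT)]:
        print(name, reply_codes(lines), classify_client(lines))
```

Run it against a real capture by replacing the constructed lists with the client lines from your log; a session that earns `smtp` despite a stray 500 at the start is the pattern described in the thread, while `ignores-replies` is the signature of a client that never looks at the state machine.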