
Re: [ietf-smtp] Help identifying unknown verb: FCCKV2

2012-10-02 09:57:15
Hector Santos wrote:
Does anyone here know of a legitimate MTA, proxy/filter, IDS, or similar critter that sends this verb before sending EHLO?

   FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=

A quick grep for FCCKV2 in our SMTP logs (for 2012) did not reveal any such transaction attempt.

Thanks. I do think that if this was malware, someone else would have noticed it by now.

A few interesting data points to look at are how the client is responding to the 500 (or whatever 50x your server is using), time-wise. Was there a delay after your server issued the 50x? One way to determine if this is an HTTP client dump on port 25 is whether it can respond elegantly to the client/server state machine with rejection responses at MAIL FROM, RCPT TO or DATA. Sometimes it looks like a pipelining client when it's just an HTTP client/proxy dump on a public port 25 server.

Nope, this was just a normal, complete, correct SMTP transaction, except for the insertion of that extra command before the EHLO.
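As an added example (not from the thread or either poster), a small Python triage over a constructed session transcript that applies the checks Hector describes: which verbs arrived before EHLO, how long the client waited after the server's first 5xx, and whether it then walked the SMTP state machine through to a clean QUIT rather than stalling like an HTTP client dumped onto port 25. The transcript line format, hostnames and addresses are assumptions made for the example.

```python
import re

# Verbs a normal SMTP client may send (RFC 5321 core plus common extensions).
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
               "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}
# Assumed line format (constructed, not a real log): "<secs> <C|S>: <line>"
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) (?P<who>[CS]): (?P<text>.*)$")

def triage(transcript):
    """Unknown verbs before/after EHLO, delay after the first 5xx, clean QUIT."""
    report = {"unknown_pre_ehlo": [], "unknown_post_ehlo": [],
              "delay_after_5xx": None, "quit": False}
    seen_ehlo, in_data, first_5xx_at = False, False, None
    for m in filter(None, map(LINE_RE.match, transcript.strip().splitlines())):
        t, who, text = float(m["t"]), m["who"], m["text"]
        if who == "S":
            if text.startswith("5") and first_5xx_at is None:
                first_5xx_at = t
            elif text.startswith("354"):
                in_data = True      # client lines are now message body
            continue
        if in_data:
            in_data = text != "."   # a lone "." ends the body
            continue
        if first_5xx_at is not None and report["delay_after_5xx"] is None:
            report["delay_after_5xx"] = round(t - first_5xx_at, 3)
        verb = text.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            seen_ehlo = True
        elif verb not in KNOWN_VERBS:
            report["unknown_post_ehlo" if seen_ehlo else "unknown_pre_ehlo"].append(verb)
        elif verb == "QUIT":
            report["quit"] = True
    return report

# Constructed transcript of the thread's case: unknown verb, 500, then a
# normal transaction (non-error server replies omitted for brevity).
SMTP_SESSION = """\
0.00 S: 220 mx.example.test ESMTP
0.05 C: FCCKV2 zQUdwkgzYhu/noMgcNtA0wvhrV0T9SThL3koEfk=
0.06 S: 500 Unrecognized command
0.07 C: EHLO client.example.test
0.10 C: MAIL FROM:<sender@example.test>
0.12 C: RCPT TO:<rcpt@example.test>
0.14 C: DATA
0.15 S: 354 End data with <CR><LF>.<CR><LF>
0.16 C: Subject: test
0.17 C: .
0.21 C: QUIT
"""
```

Running `triage(SMTP_SESSION)` reports FCCKV2 as the only unknown verb, a 0.01 s pause after the 500 and a clean QUIT, which is the "normal, complete, correct transaction" pattern; an HTTP request dumped onto the port shows only unknown verbs and never reaches QUIT.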

ietf-smtp mailing list
