Security Incidents: Re: Email attack

Re: Email attack

From: Greg A. Woods <woods_at_weird.com>
Date: Mon, 5 Feb 2001 13:41:11 -0500

[ On Monday, February 5, 2001 at 12:33:15 (-0500), Kee Hinckley wrote: ]
> Subject: Email attack
>
> I assume this is specific to somewhere.com--we seem to attract this
> kind of thing.
>
> 2001-02-01
> We were under email attack (a message a second) addressed to
> somebody_at_somewhere.com (a non-existent address). The attack went on
> for several hours until I finally blocked the two sending machines at
> my router.

This may not have been an "attack" per se.

Some mailers (and I use that term very lightly because I'm intending to
include all spam-ware in its definition) are extremely broken and will
continue to try to deliver to a destination despite receiving immediate
5xx SMTP responses that "MUST" always cause an immediate bounce. I've
received hundreds of connections per minute from even the likes of
Netscape's mail server (though an ancient version of Apple's mailserver
for MacOS was the most broken I ever encountered as it didn't even back
down after an hour or so and then wait for another queue run -- it just
kept spewing! Luckily that bug's been fixed in newer versions). Lsoft's
NT mailer is the most recent culprit for disobeying SMTP response codes
and unfortunately its author will listen to neither logic, insults, nor
threats! :-)

I can't reach the first machine you mentioned at the moment so perhaps
whatever's wrong with it is being addressed (or it's crashed! :-)....

The second machine answers with responses that don't give me quite
enough information to identify it (and clearly show that it's already in
violation of RFC-821 right from the first greeting it sends), and given
what it does do I wouldn't be at all surprised that it could be
responsible for the connection "attack" you witnessed. Here's what I
see:

        $ telnet 193.219.211.9 25
        Trying 193.219.211.9...
        Connected to mx.nkm.lt.
        Escape character is '^]'.
        220 ESMTP
        HELP
        214 try reading large books about smtp
        DEBUG
        502 I don't know such command... and I do not care.
        VERB
        502 I don't know such command... and I do not care.
        RCPT TO:<postmaster>
        503 MAIL first (#5.5.1)
        HELO foo
        250
        RCPT TO:<postmaster>
        503 MAIL first (#5.5.1)
        MAIL FROM:<>
        250 yeah rulez
        RCPT TO:<postmaster>
        250 cool, I like it.
        quit
        221
        Connection closed by foreign host.

--
							Greg A. Woods
+1 416 218-0098      VE3TCP      <gwoods_at_acm.org>      <robohack!woods>
Planix, Inc. <woods_at_planix.com>; Secrets of the Weird <woods_at_weird.com>
Received on Feb 05 2001
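The two checks Greg applies by hand above (a 220 greeting that carries no host name, and a remote mailer that keeps hammering a recipient after being told 5xx) can be automated on the receiving side. The following is an added example, not code from the post or from any MTA: it checks an SMTP greeting line against the RFC 821 form `220 <domain> ...`, and it scans a constructed, generic per-connection log (fields `timestamp src_ip rcpt= code=`, a format assumed for this example rather than any real MTA's) for sources that retry the same recipient after a permanent rejection, while leaving 4xx-then-retry behaviour alone, since that is what a correct queue run looks like.

```python
"""Defender-side checks for the two SMTP misbehaviours discussed in the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 821 greeting: "220 <domain> ..."; "220-" introduces a multi-line greeting.
GREETING_RE = re.compile(r'^220[ -](\S+)')


def greeting_is_rfc821_compliant(line: str) -> bool:
    """True if the greeting names a host (domain or [address-literal]) after 220."""
    m = GREETING_RE.match(line)
    if not m:
        return False
    host = m.group(1)
    if host.startswith('[') and host.endswith(']'):
        return True  # address literal, e.g. "220 [192.0.2.1] ESMTP"
    return '.' in host  # a bare keyword such as "ESMTP" is not a host name


# Constructed per-connection log (assumed format, not any real MTA's output).
# RFC 5737 documentation addresses; the recipient is the post's placeholder.
SAMPLE_LOG = """\
2001-02-01T09:00:00 192.0.2.10 rcpt=somebody@somewhere.com code=550
2001-02-01T09:00:01 192.0.2.10 rcpt=somebody@somewhere.com code=550
2001-02-01T09:00:02 192.0.2.10 rcpt=somebody@somewhere.com code=550
2001-02-01T09:00:03 192.0.2.10 rcpt=somebody@somewhere.com code=550
2001-02-01T09:00:04 192.0.2.10 rcpt=somebody@somewhere.com code=550
2001-02-01T09:00:05 198.51.100.7 rcpt=somebody@somewhere.com code=550
2001-02-01T09:00:06 203.0.113.5 rcpt=postmaster@somewhere.com code=250
2001-02-01T09:00:07 203.0.113.5 rcpt=postmaster@somewhere.com code=250
2001-02-01T09:00:08 203.0.113.9 rcpt=alice@somewhere.com code=451
2001-02-01T09:30:08 203.0.113.9 rcpt=alice@somewhere.com code=250
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) rcpt=(?P<rcpt>\S+) code=(?P<code>\d{3})$')


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            'ts': datetime.fromisoformat(m['ts']),
            'ip': m['ip'],
            'rcpt': m['rcpt'],
            'code': int(m['code']),
        })
    return events


def find_retry_after_5xx(events, threshold=3, window=timedelta(hours=1)):
    """Return {(src_ip, rcpt): retries} for sources that keep delivering to a
    recipient after receiving a permanent (5xx) reply for it within `window`.
    A 4xx reply followed by a later retry is normal queueing and not counted."""
    first_reject = {}          # (ip, rcpt) -> time of first 5xx
    retries = defaultdict(int)  # (ip, rcpt) -> attempts after that 5xx
    for ev in sorted(events, key=lambda e: e['ts']):
        key = (ev['ip'], ev['rcpt'])
        if key in first_reject and ev['ts'] - first_reject[key] <= window:
            retries[key] += 1
        if 500 <= ev['code'] < 600 and key not in first_reject:
            first_reject[key] = ev['ts']
    return {k: n for k, n in retries.items() if n >= threshold}


if __name__ == '__main__':
    print(greeting_is_rfc821_compliant('220 ESMTP'))            # False
    print(greeting_is_rfc821_compliant('220 mx.example.com ESMTP'))  # True
    for (ip, rcpt), n in find_retry_after_5xx(parse_log(SAMPLE_LOG)).items():
        print(f'{ip} retried {rcpt} {n} times after a permanent reject')
```

The greeting check is deliberately loose about what counts as a domain (any dotted token), because the goal is to flag greetings that name nothing at all, like the `220 ESMTP` above, not to validate DNS. The retry detector keys on the pair (source, recipient) rather than the source alone, so one mailer that is correctly bouncing one address while delivering others is not swept up; the threshold and window are the knobs to tune against a real log before acting on the output.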