[Full-disclosure] Funny smtp helo in the logs
trains at doctorunix.com
Sun Oct 30 13:09:23 GMT 2005
Quoting Aditya Deshmukh <aditya.deshmukh at online.gateway.strangled.net>:
> I have been seeing this in my logs over all the public smtp server, from
> all over the net.
>
> Anyone know what sends these kinds of helo ?
>
> 124 09/10/2005 09:54:35 HELO -1209283632 ---> 250 my.smtp.domain.server
> 125 09/10/2005 09:55:27 HELO -1209747464 ---> 250 my.smtp.domain.server
<snip>
> 02D 29/10/2005 20:39:12 HELO -1208865784 ---> 250 my.smtp.domain.server
> 017 30/10/2005 11:21:26 HELO -1216191992 ---> 250 my.smtp.domain.server
They look like IP addresses to me (1216191992 => 72.125.157.248). I
checked a few and they weren't SMTP listeners. I would go for the
possibility that your mail server is being used as part of a reporting
mechanism to notify the mother ship of vulnerable or infected IP
addresses.
-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services at doctorunix.com
Full-Disclosure is hosted and sponsored by Secunia.
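As an added example (not part of the original thread), the decoding the reply above performs by hand, written out so it can be run over a log excerpt: each HELO argument is extracted, the ones that are bare integers rather than hostnames are flagged, and the absolute value is read as a big-endian 32-bit IPv4 address exactly as the poster does. The same word is also shown as an unsigned 32-bit hex value, since the leading minus sign only tells you the number was printed as a signed 32-bit integer. The log lines are constructed to match the layout quoted in the thread; the hostname line is added as a non-matching control.

```python
import re
import ipaddress

# Constructed sample in the same layout as the quoted log excerpt.
# The last line is a normal hostname HELO, added as a control.
SAMPLE_LOG = """\
124 09/10/2005 09:54:35 HELO -1209283632 ---> 250 my.smtp.domain.server
125 09/10/2005 09:55:27 HELO -1209747464 ---> 250 my.smtp.domain.server
02D 29/10/2005 20:39:12 HELO -1208865784 ---> 250 my.smtp.domain.server
017 30/10/2005 11:21:26 HELO -1216191992 ---> 250 my.smtp.domain.server
018 30/10/2005 11:22:01 HELO mail.example.org ---> 250 my.smtp.domain.server
"""

HELO_RE = re.compile(r"\bHELO\s+(\S+)")
INT_RE = re.compile(r"^-?\d+$")


def helo_arg(line):
    """Return the HELO argument from one log line, or None if the line has no HELO."""
    m = HELO_RE.search(line)
    return m.group(1) if m else None


def int_to_dotted(value):
    """Read abs(value) as a big-endian 32-bit IPv4 address (the poster's reading).

    Returns None when the magnitude does not fit in 32 bits.
    """
    v = abs(value)
    if v > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(v))


def dotted_to_int(dotted):
    """Inverse of int_to_dotted, useful to confirm a decoded address by hand."""
    return int(ipaddress.IPv4Address(dotted))


def as_unsigned32_hex(value):
    """Show the same 32-bit word as an unsigned hex value (two's complement view)."""
    return "0x%08X" % (value & 0xFFFFFFFF)


def suspicious_helos(log_text):
    """Return (raw_helo, decoded_ipv4, unsigned_hex) for every HELO argument
    that is a bare integer, which is never a valid hostname."""
    found = []
    for line in log_text.splitlines():
        arg = helo_arg(line)
        if arg is not None and INT_RE.match(arg):
            n = int(arg)
            found.append((arg, int_to_dotted(n), as_unsigned32_hex(n)))
    return found


if __name__ == "__main__":
    for raw, ip, hexword in suspicious_helos(SAMPLE_LOG):
        print("%-12s -> %-16s %s" % (raw, ip, hexword))
```

Running it prints one row per integer HELO; the hostname line is skipped. The decoded addresses are the ones the poster would have looked up, and `dotted_to_int` lets you check a decoding in the other direction before acting on it.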