
[anti-spam-wg] Semi-OT: XXXX SMTP command

  • From: Markus Stumpf maex-lists-spam-ripe-anti-spam@localhost
  • Date: Thu, 12 Jan 2006 18:54:44 +0100
  • Organization: SpaceNet AG, Muenchen, Germany

To reject open proxy servers injecting mail, I reject SMTP sessions in
which the first command is an unknown (POST) command:
    unknown:203.251.80.55 rejected: UNIMPL-EXPLOIT POST / HTTP/1.0
    mail.jcdecaux.co.th:203.152.43.65 rejected: UNIMPL-EXPLOIT POST / HTTP/1.0
    [ ... ]

Lately I see more and more hosts that send XXXX.
    mail.unitybuilders.com:64.56.132.4 rejected: UNIMPL-EXPLOIT XXXX mail.unitybuilders.com
    mail.ccgcorp.com:63.166.224.254 rejected: UNIMPL-EXPLOIT XXXX CCGEXCH.ccgcorp.com
    d560.a.ded.execulink.com:69.63.32.5 rejected: UNIMPL-EXPLOIT XXXX kmd.on.ca
    lsh001.lshosting.net:82.150.139.23 rejected: UNIMPL-EXPLOIT XXXX lsh001.lshosting.net

From the structure of the command I'd guess it is some filter/firewall
that maybe sees an EHLO, considers this a bad command and masks it with
"XXXX".

Anybody else seeing this or knows what fine piece of ^H^H^H^H^Hsoftware
is doing this?

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
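
The first-command check described in the message above, sketched as an added example (not part of the original post and not the poster's actual filter). It separates HTTP requests relayed through a proxy from a greeting whose verb has been overwritten with X's; the verb lists, reason labels and sample sessions are assumptions constructed for illustration.

```python
import re
from collections import Counter

# SMTP verbs from RFC 5321 plus two common extensions (assumed allow-list).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "VRFY",
              "EXPN", "HELP", "NOOP", "QUIT", "STARTTLS", "AUTH"}
# HTTP methods an open proxy would relay to port 25.
HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "CONNECT", "OPTIONS", "DELETE"}
MASKED = re.compile(r"^X{4,}$")  # verb replaced by a run of X's
HOSTLIKE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def classify_first_command(line):
    """Return (action, reason) for the first line a client sends."""
    parts = line.strip().split()
    if not parts:
        return ("reject", "empty")
    verb = parts[0].upper()
    if verb in SMTP_VERBS:
        return ("accept", "smtp")
    if verb in HTTP_METHODS:
        return ("reject", "http-via-proxy")
    # "XXXX <hostname>" has the shape of a HELO/EHLO with the verb masked,
    # so log it separately from proxy abuse even though both are rejected.
    if MASKED.match(verb) and len(parts) == 2 and HOSTLIKE.match(parts[1]):
        return ("reject", "masked-greeting")
    return ("reject", "unknown")


def first_command_report(sessions):
    """Count rejection/accept reasons over {client_ip: first_line}."""
    return Counter(classify_first_command(l)[1] for l in sessions.values())


# Constructed sample sessions (documentation addresses and hostnames).
SAMPLE = {
    "192.0.2.10": "POST / HTTP/1.0",
    "192.0.2.20": "XXXX mx.example.net",
    "192.0.2.30": "EHLO mx.example.org",
    "192.0.2.40": "CONNECT 192.0.2.1:25 HTTP/1.0",
}

if __name__ == "__main__":
    for ip, line in SAMPLE.items():
        print(ip, *classify_first_command(line), repr(line))
    print(dict(first_command_report(SAMPLE)))
```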