XXXX SMTP command Question
17 years 9 months ago #19738
by psiclonius
XXXX SMTP command Question was created by psiclonius
Hi Everyone,
I'm seeing a lot of SMTP command: XXXX. Is this used in spam distro? I did a packet capture and got this info:
XXXX mail.ctcustomhomes.com
502 Command not implemented
HELO mail.ctcustomhomes.com
250 hello zzzzzzz.com
MAIL FROM:<>
250 ok
I guess I'm curious to know why it sent:
XXXX mail.ctcustomhomes.com and then re-sent the same command without the X's. What do the X's mean? In an effort to reduce spam I'm flagging the SMTP command: XXXX and MAIL FROM:<> (null from) on my Cisco IPS and trying to decide if I should block the traffic.
Thanks in advance
17 years 9 months ago #19740
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: XXXX SMTP command Question
I have only ever seen things like this when a firewall in between the comms is altering the commands as it's passing. Do you have any firewalls in between? Some firewalls can cause some issues when you start to monitor or manipulate the SMTP traffic. Not sure if it's still a problem, but when you used to turn on the Pix SMTP Fixup, it did cause issues with SMTP traffic, even when they then released the ESMTP version of this to handle the newer Extended SMTP protocol command set. It also is used to block (or mask) SMTP banners to try and stop people from finding out what e-mail systems are in use.
That's all I can think of really.
17 years 9 months ago #19741
by psiclonius
Replied by psiclonius on topic Re: XXXX SMTP command Question
I do have a Pix 515e, and I just verified that the fixup smtp is set to port 25. So it is possible that the Pix is receiving the packet and adding the X's before forwarding it to the mail server?
17 years 9 months ago #19742
by Smurf
Replied by Smurf on topic Re: XXXX SMTP command Question
That's right, you could try turning it off and see what happens. We had issues so turned it off.
17 years 9 months ago #19744
by psiclonius
Replied by psiclonius on topic Re: XXXX SMTP command Question
Ahh, that would explain this in my IPS event log: "PIX MailGuard Substitution". Well, now the goose chase is over. I was hoping to use the IPS to reduce spam but I'm not finding anything I could use to trigger a signature. I thought I was on track with the X's and MAIL FROM:<>. Thanks for your help anyway.
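As an added example (not code from this thread, from firewall.cx or from Cisco), here is a small Python checker that reads a captured SMTP exchange like the one psiclonius pasted and separates what an in-path fixup did from what the remote client actually sent. It assumes the capture is available as plain text with client commands and server replies on alternate lines, as in the paste; the sample session is constructed from that paste with one RCPT line added. It also assumes the masked verb was an ESMTP command such as EHLO that the fixup did not allow, which would explain the HELO fallback; the thread does not say which verb was rewritten. The point for a defender is the one the thread reaches: the X's are written by the firewall, and a null reverse-path is something every receiving server must accept for bounces, so neither is a usable spam trigger on its own.

```python
import re

# Constructed sample: the client/server exchange quoted in the thread, plus one
# RCPT line added here so the session has a normal command after the null sender.
SAMPLE_SESSION = """\
XXXX mail.ctcustomhomes.com
502 Command not implemented
HELO mail.ctcustomhomes.com
250 hello zzzzzzz.com
MAIL FROM:<>
250 ok
RCPT TO:<postmaster@example.com>
250 ok
"""

# A command verb rewritten to X's: what a MailGuard-style fixup leaves behind.
MASKED_VERB = re.compile(r"^X{4,}(?:\s|$)")
# SMTP reply line: three-digit code, then a space, a hyphen (multi-line reply) or end of line.
REPLY = re.compile(r"^(\d{3})(?:[ -]|$)")
# Null reverse-path. RFC 5321 requires servers to accept it for bounces and DSNs.
NULL_SENDER = re.compile(r"^MAIL\s+FROM:\s*<>\s*$", re.IGNORECASE)


def parse_session(text):
    """Split a captured session into (client_command, server_reply) pairs.

    A command with no reply line after it gets reply None; a reply with no
    preceding command (for example the 220 banner) is skipped.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    pairs, i = [], 0
    while i < len(lines):
        if REPLY.match(lines[i]):
            i += 1
            continue
        reply = lines[i + 1] if i + 1 < len(lines) and REPLY.match(lines[i + 1]) else None
        pairs.append((lines[i], reply))
        i += 2 if reply is not None else 1
    return pairs


def analyse_session(text):
    """Return a list of findings; each says what was seen and how to read it."""
    pairs = parse_session(text)
    findings = []
    for idx, (cmd, reply) in enumerate(pairs):
        code = int(REPLY.match(reply).group(1)) if reply else None
        if MASKED_VERB.match(cmd):
            next_cmd = pairs[idx + 1][0] if idx + 1 < len(pairs) else None
            findings.append({
                "kind": "masked_verb",
                "command": cmd,
                "reply_code": code,
                "fallback": next_cmd,
                # The X's are written by the firewall, not sent by the remote client,
                # so an IPS rule on them measures the fixup, not the sender's intent.
                "verdict": "firewall substitution; not a client-side spam indicator",
            })
        elif NULL_SENDER.match(cmd):
            findings.append({
                "kind": "null_sender",
                "command": cmd,
                "reply_code": code,
                "fallback": None,
                "verdict": "null reverse-path; required for bounces, weak spam signal on its own",
            })
    return findings


def looks_like_fixup_substitution(text):
    """True when every masked verb drew a 5xx reply and the client then sent a real verb.

    Reject followed by a clean retry with an allowed command (here HELO) is the
    pattern an in-path rewrite produces: the client never saw its verb changed,
    it only saw the server refuse it and fell back to the older command.
    """
    masked = [f for f in analyse_session(text) if f["kind"] == "masked_verb"]
    if not masked:
        return False
    return all(
        f["reply_code"] is not None and 500 <= f["reply_code"] < 600
        and f["fallback"] is not None and not MASKED_VERB.match(f["fallback"])
        for f in masked
    )


if __name__ == "__main__":
    for finding in analyse_session(SAMPLE_SESSION):
        print(f"{finding['kind']:12} {finding['command']!r:40} -> {finding['verdict']}")
    print("fixup substitution pattern:", looks_like_fixup_substitution(SAMPLE_SESSION))
```

Run against the sample, the checker reports one masked verb (answered 502, followed by the HELO retry) and one null sender, and confirms the reject-then-retry shape that the IPS labelled "PIX MailGuard Substitution". If you want to keep the fixup but stop the IPS noise, the finding dictionaries are the place to suppress the masked-verb events rather than blocking the traffic.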