
XXXX SMTP command Question

17 years 9 months ago #19738 by psiclonius
Hi Everyone,

I'm seeing a lot of SMTP command: XXXX. Is this used in spam distro? I did a packet capture and got this info:

XXXX mail.ctcustomhomes.com

502 Command not implemented

HELO mail.ctcustomhomes.com

250 hello zzzzzzz.com

MAIL FROM:<>

250 ok

I guess I'm curious to know why it sent:
XXXX mail.ctcustomhomes.com and then re-sent the same command without the X's. What do the X's mean? In an effort to reduce spam I'm flagging the SMTP command:XXXX and MAIL FROM:<> (null from) on my Cisco IPS and trying to decide if I should block the traffic.

Thanks in advance
17 years 9 months ago #19740 by Smurf
I have only ever seen things like this when a firewall in between the comms is altering the commands as it's passing. Do you have any firewalls in between? Some firewalls can cause some issues when you start to monitor or manipulate the SMTP traffic. Not sure if it's still a problem but when you used to turn on the Pix SMTP Fixup, it did cause issues with SMTP traffic, even when they then released the ESMTP version of this to handle the newer Extended SMTP protocol command set. It also is used to block (or mask) SMTP Banners to try and stop people from finding out what e-mail systems are in use.

That's all I can think of really.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 9 months ago #19741 by psiclonius
I do have a pix 515e, and I just verified that the fixup smtp is set to port 25. So it is possible that the Pix is receiving the packet and adding the X's, before forwarding it to the mail server?
17 years 9 months ago #19742 by Smurf
That's right, you could try turning it off and see what happens. We had issues so turned it off.

17 years 9 months ago #19744 by psiclonius
Ahh that would explain this in my IPS event log "PIX MailGuard Substitution". Well now the goose chase is over. I was hoping to use the IPS to reduce spam but I'm not finding anything I could use to trigger a signature. I thought I was on track with the X's and MAIL FROM:<>. Thanks for your help anyway.
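
Added example, not part of the original thread: a small Python check that separates the pattern seen in the capture above (an X-masked command, a 5xx rejection, then HELO resent with the same argument) from masked commands with no such follow-up, so the former is not treated as a spam indicator. The transcript is constructed from the capture in the first post; the function names and the two labels are hypothetical.

```python
import re

# Constructed transcript modelled on the capture in the first post.
SAMPLE = """\
XXXX mail.ctcustomhomes.com
502 Command not implemented
HELO mail.ctcustomhomes.com
250 hello zzzzzzz.com
MAIL FROM:<>
250 ok
"""

REPLY = re.compile(r"^(\d{3})(?:[ -]|$)")   # server reply: 3-digit code
MASKED = re.compile(r"^X+$")                # verb overwritten with X's


def parse(transcript):
    """Split a transcript into (kind, verb_or_code, rest) tuples."""
    events = []
    for line in transcript.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REPLY.match(line)
        if m:
            events.append(("reply", m.group(1), line[4:]))
        else:
            verb, _, arg = line.partition(" ")
            events.append(("cmd", verb.upper(), arg))
    return events


def classify_masked(events):
    """Label each X-masked command by what followed it in the session."""
    findings = []
    for i, (kind, verb, arg) in enumerate(events):
        if kind != "cmd" or not MASKED.match(verb):
            continue
        reply = events[i + 1] if i + 1 < len(events) else None
        retry = events[i + 2] if i + 2 < len(events) else None
        rejected = bool(reply) and reply[0] == "reply" and reply[1][0] == "5"
        fell_back = bool(retry) and retry[:2] == ("cmd", "HELO") and retry[2] == arg
        label = "masked-greeting-fallback" if rejected and fell_back else "masked-unexplained"
        findings.append((len(verb), arg, label))
    return findings


if __name__ == "__main__":
    print(classify_masked(parse(SAMPLE)))
```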