XXXX SMTP command Question

Hi Everyone,

I'm seeing alot of SMTP command: XXXX. Is this used in spam distro? I did a packet capture and got this info

XXXX mail.ctcustomhomes.com

502 Command not implemented

HELO mail.ctcustomhomes.com

250 hello zzzzzzz.com

MAIL FROM:<>

250 ok

I guess I curious to know why it sent :
XXXX mail.ctcustomhomes.com and then re-sent the same command without the X's. What does the X's mean. In an effort to reduce spam I'm flagging the SMTP command:XXXX and MAIL FROM:<> (null from) on my Cisco IPS and trying to decide if I should block the traffic.

Thanks in advance

I have only ever seen things like this when a firewall in between the comms is altering the commands as its passing. Do you have any firewalls in between ? Some firewalls can cause some issues when you start to monitor or manipulate the SMTP traffic. Not sure if its still a problem but when you used to turn on the Pix SMTP Fixup, it did cause issues with SMTP traffic, even when they then released the ESMTP version of this to handle the newer Extended SMTP protocol command set. It also is used to block (or mask) SMTP Banners to try and stop people from finding out what e-mails systems are in use.

Thats all i can think really.

I do have a pix 515e, and I just verified that the fixup smtp is set to port 25. So it is possible that the Pix is receiving the packet and adding the X's, before forwarding it to the mail server?

thats right, you could try turning it off and see what happens. we had issues so turned it off.

Ahh that would explain this in my IPS event log "PIX MailGuard Substitution". Well now the goose chase is over. I was hoping to use the IPS to reduce spam but I'm not finding anything I could use to trigger a signature. I though I was on track with the X's and MAIL FROM:<>. Thanks for your help anyway.