[anti-spam-wg] Semi-OT: XXXX SMTP command

From: Markus Stumpf maex-lists-spam-ripe-anti-spam@localhost
Date: Thu, 12 Jan 2006 18:54:44 +0100
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=testkey; d=space.net; b=nWId7U7r3+lhEogsN3xwLTYRlJMjH1QjPX0HRyn1oKVXNLGZkLcxKsy6uQmpLkse ;
Organization: SpaceNet AG, Muenchen, Germany

To reject open proxy servers injecting mail, I reject SMTP session in
which the first command is an unknown (POST) command:
    unknown:203.251.80.55 rejected: UNIMPL-EXPLOIT POST / HTTP/1.0
    mail.jcdecaux.co.th:203.152.43.65 rejected: UNIMPL-EXPLOIT POST / HTTP/1.0
    [ ... ]

Lately I see more and more hosts that send XXXX.
    mail.unitybuilders.com:64.56.132.4 rejected: UNIMPL-EXPLOIT XXXX mail.unitybuilders.com
    mail.ccgcorp.com:63.166.224.254 rejected: UNIMPL-EXPLOIT XXXX CCGEXCH.ccgcorp.com
    d560.a.ded.execulink.com:69.63.32.5 rejected: UNIMPL-EXPLOIT XXXX kmd.on.ca
    lsh001.lshosting.net:82.150.139.23 rejected: UNIMPL-EXPLOIT XXXX lsh001.lshosting.net

From the structure of the command I'd guess it is some filter/firewall
that maybe sees an EHLO, considers this a bad command and masks it with
"XXXX".

Anybody else seeing this or knows what fine piece of ^H^H^H^H^Hsoftware
is doing this?

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

Re: [anti-spam-wg] Semi-OT: XXXX SMTP command
- From: Ricardo Cerqueira
Re: [anti-spam-wg] Semi-OT: XXXX SMTP command
- From: Gert Doering
Re: [anti-spam-wg] Semi-OT: XXXX SMTP command
- From: der Mouse
Re: [anti-spam-wg] Semi-OT: XXXX SMTP command
- From: Emanuele Balla

<<< Chronological >>>

Author Subject

<<< Threads >>>