Randall Shaw writes:
I am seeing a few too many of "502 ESMTP command error" in the log reports each night (logwatch). Here are but a few examples:"502 ESMTP command error",cmd: CELLPADDING=4><TR><TD colspan=2 align=center bgcolor=#C0C0FF><FONT FACE=arial><B><A : 8 Time(s) "502 ESMTP command error",cmd: CONTENT-LENGTH: 4805: 16 Time(s) "502 ESMTP command error",cmd: DATA: 697 Time(s) "502 ESMTP command error",cmd: RCPT TO:<[EMAIL PROTECTED]>: 20 Time(s) They span from all sorts of html garbage (obvious spam), to actual commands that appear VALID (DATA: RCPT TO: HOST: SENDER:). My question is... Should I be alarmed?
No. You should be happy, actually.
Is esmtpd doing something bad that
causes all these? Is it because esmtpd denies them relay, but they still
spew forth data and esmtpd goes "WTF?!"...
A spammer has hacked some open web proxy (whose IP address you've logged, by the way) administered by some moron who has no clue about system security, and is trying to use the proxy to spam. The proxy receives what it thinks is an HTTP request, which it tries to forward to the target "web site". The spammer puts an SMTP dialog in the payload. The spammer's http request looks something like this: POST mail.example.com:25 HTTP/1.0 Content-Length: 8923 EHLO mail.hotmail.com MAIL FROM:<[EMAIL PROTECTED]> RCPT TO:<[EMAIL PROTECTED]> DATA From: Hot Suzie <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Fr33 pR0n w38cAm <html> <body> … The proxy then turns around and connects to your port 25 and tries to dump all of the above, as a single blob. This trick is designed to work with sendmail, or perhaps some NT-based garbage, that quickly ignores the initial http header garbage, as errors, then mindlessly processes the rest of the input, one line at a time. Sadly, this trick won't work with Courier, which expects everyone who connects to be a proper SMTP client, that waits for a reply from EHLO, and each subsequent command (taking into account ESMTP PIPELINING), before sending the next command. If whoever connects sends some glop of garbage, without waiting for a response, it gets flushed. So, the initial set of SMTP commands gets flushed down the toilet, and if there's anything left, which by this time gives you somewhere within the HTML payload, it gets logged as additional errors, with tarpitting making sure the whole process goes sloooowly.
pgpk7WytkCOX7.pgp
Description: PGP signature
