yeah, ipv4 addresses are 32 bit values, but i'm pretty sure the form in the helo string isn't just an integer, signed or unsigned, it's a fully qualified domain name.

i should have also said: when i looked at it when this started they
appeared to be random values, and choosing random helo strings is a
common spammer trick from day 1.

unfortunately, legit senders using actual correct fqdns in helo strings (rather than something like "localhost") is by no means universal, as you discover when the complaints start rolling in when you try to enforce this using, say, postfix's check_helo_access.

as another side note, the SPFv1 spec appears to allow checking of the spf record corresponding to the helo string, if it's a fqdn.

(yet another oracle for spamming ips is the number of different helo strings used by a single IP address over a brief period of time, though it also detects natted outgoing mail gateways, rarely).

On Thu, Dec 29, 2005 at 08:10:14AM -0500, Mike Davis wrote:
> hehe, didn't even notice max until i hit reply...
> 
> 
> the this be a screwy way to get some poor implementation of
> gethostbyname() (windows?) to interpret as an ip address? i vaguely
> recall an ie flaw a few years back doing something similar to disguise
> urls.. but i think they were removing dots like this:
> 
> http://19216818/pornsite.html 
> 
> don't remember 
> -phar
> 
> 
> On Thu, 2005-12-29 at 00:33 -0800, [EMAIL PROTECTED] wrote:
> > this has been going on for weeks.
> > 
> > i believe they're all open proxies or spambots.
> > 
> > (some of us use this as an oracle for open proxies.)
> > 
> > On Wed, Dec 28, 2005 at 04:39:14PM -0500, max wrote:
> > > Hello all,
> > > I find this in my logs throughout the day today:
> > > 
> > > Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from 
> > > pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 
> > > <-1217882552>: Helo command rejected: Invalid name; from=<[EMAIL 
> > > PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<-1217882552>
> > > 
> > > Notice that the helo section is a negative number (which is why my postfix 
> > > rejects the message)
> > > There are about 5 messages a minute at its peak, and this has been going 
> > > on most of the day today (EST time zone)
> > > Some of the connecting IP's are listed in various black lists, such as 
> > > OPM.
> > > 
> > > Has anyone noticed this as well? Is this a virus or just some new spam 
> > > tool?
> > > Some more rejected messages below:
> > > 
> > > Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 
> > > cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo 
> > > command rejected: Invalid name; from=<[EMAIL PROTECTED]> to=<[EMAIL 
> > > PROTECTED]> proto=SMTP helo=<-1218008120>
> > > 
> > > Dec 28 16:37:54 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from 
> > > unknown[219.130.49.89]: 554 Service unavailable; Client host 
> > > [219.130.49.89] blocked using opm.blitzed.org; Open proxy - see 
> > > http://opm.blitzed.org/219.130.49.89; from=<[EMAIL PROTECTED]> to=<[EMAIL 
> > > PROTECTED]> proto=SMTP helo=<-1209697480>
> > > 
> > > Dec 28 16:38:10 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 
> > > 194-144-9-218.du.xdsl.is[194.144.9.218]: 501 <-1209697480>: Helo command 
> > > rejected: Invalid name; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> 
> > > proto=SMTP helo=<-1209697480>
> > > 
> > > Thanks,
> > > 
> > > Max
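A small detector for the pattern this thread discusses, added here as an example (it is not code posted by any participant): it parses the Postfix smtpd reject lines quoted above, flags HELO values that are bare signed integers rather than FQDNs, counts distinct HELO strings per client IP (the oracle mentioned at the top of the thread), and decodes a negative HELO value as an unsigned 32-bit IPv4 address for comparison with the connecting client. The sample log lines are constructed: two of the thread's entries re-joined onto single lines with placeholder mailbox addresses, plus one made-up line showing a second HELO from the same client.

```python
import re
from collections import defaultdict

# Fields of a Postfix smtpd "NOQUEUE: reject:" line as quoted in this thread.
CLIENT_RE = re.compile(r"RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=<(?P<helo>[^>]*)>")
# Syntactically plausible FQDN: dotted labels ending in an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
INTEGER_RE = re.compile(r"^-?\d+$")

# Constructed sample: two of the thread's reject lines re-joined onto single lines
# (placeholder mailboxes), plus one made-up line: a second HELO from the same client.
SAMPLE_LOG = [
    "Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from "
    "pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1217882552>: "
    "Helo command rejected: Invalid name; from=<a@example.com> to=<b@example.net> proto=SMTP helo=<-1217882552>",
    "Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from "
    "cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo command rejected: "
    "Invalid name; from=<a@example.com> to=<b@example.net> proto=SMTP helo=<-1218008120>",
    "Dec 28 16:39:01 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from "
    "pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1209697480>: "
    "Helo command rejected: Invalid name; from=<a@example.com> to=<b@example.net> proto=SMTP helo=<-1209697480>",
]

def parse_line(line):
    """Return (client_ip, helo) from a Postfix smtpd reject line, or None if either field is absent."""
    client, helo = CLIENT_RE.search(line), HELO_RE.search(line)
    return (client.group("ip"), helo.group("helo")) if client and helo else None

def classify_helo(helo):
    """'fqdn' for a plausible hostname, 'integer' for a bare (possibly signed) number, else 'other'."""
    if INTEGER_RE.match(helo):
        return "integer"
    return "fqdn" if FQDN_RE.match(helo) else "other"

def int_to_ipv4(value):
    """Reinterpret a signed 32-bit value (like the HELOs above) as an unsigned dotted-quad IPv4 address."""
    return ".".join(str(((value & 0xFFFFFFFF) >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def helo_report(lines):
    """Distinct-HELO count per client IP, plus every non-FQDN HELO seen, as (ip, helo, kind) tuples."""
    helos_by_ip, flagged = defaultdict(set), []
    for ip, helo in filter(None, map(parse_line, lines)):
        helos_by_ip[ip].add(helo)
        kind = classify_helo(helo)
        if kind != "fqdn":
            flagged.append((ip, helo, kind))
    return {ip: len(helos) for ip, helos in helos_by_ip.items()}, flagged
```

Decoding -1217882552 this way gives 183.104.150.72, which does not match the connecting client 69.245.57.210, so on these lines the value is not simply the sender's own address encoded as a signed integer.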