Hello

some more info on IP address conversion:
http://www.pc-help.org/obscure.htm
http://gregsearle.tripod.com/spam_tech.html

Web tool to do conversion:
http://www.csgnetwork.com/ipaddconv.html

For the reason about the negative number I don't have a clue, maybe a bug in their spam application?

Happy new year to SF members!

Maxime Ducharme

----- Original Message -----
From: "Paolo Scarabelli" <[EMAIL PROTECTED]>
To: "Mike Davis" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "max" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Thursday, December 29, 2005 9:49 PM
Subject: Re: Strange SMTP sessions with 'helo=<large negative number>' syntax

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi there,
>
> I remember we were doing this in Singapore a few years back to reach
> some of the websites that were blocked by the provider's proxy, it was
> just a matter of converting an IP number (which is a 4 bytes word) to
> the equivalent 32 bit integer.
>
> Something like:
>
> black.box.sk =>
> 66.250.131.132 =>
> 0x42F48384 =>
> 1123320708
>
> I don't know if it works on IE anymore, on Firefox and Konqueror it doesn't.
>
>
> Regards,
>
>
> Paolo.
>
> Mike Davis wrote:
> > hehe, didn't even notice max until i hit reply...
> >
> >
> > the this be a screwy way to get some poor implementation of
> > gethostbyname() (windows?) to interpret as an ip address? i vaguely
> > recall an ie flaw a few years back doing something similar to disguise
> > urls.. but i think they were removing dots like this:
> >
> > http://19216818/pornsite.html
> >
> > don't remember
> > -phar
> >
> >
> > On Thu, 2005-12-29 at 00:33 -0800, [EMAIL PROTECTED] wrote:
> >
> >>this has been going on for weeks.
> >>
> >>i believe they're all open proxies or spambots.
> >>
> >>(some of us use this as an oracle for open proxies.)
> >>
> >>On Wed, Dec 28, 2005 at 04:39:14PM -0500, max wrote:
> >>
> >>>Hello all,
> >>>I find this in my logs throughout the day today:
> >>>
> >>>Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1217882552>: Helo command rejected: Invalid name; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<-1217882552>
> >>>
> >>>Notice that helo section is a negative number (which is why my postfix rejects the message)
> >>>There are about 5 messages a minute at its peak, and this has been going on most of the day today (EST time zone)
> >>>Some of the connecting IPs are listed in various black lists, such as OPM.
> >>>
> >>>Has anyone noticed this as well? Is this a virus or just some new spam tool?
> >>>Some more rejected messages below:
> >>>
> >>>Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo command rejected: Invalid name; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<-1218008120>
> >>>
> >>>Dec 28 16:37:54 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from unknown[219.130.49.89]: 554 Service unavailable; Client host [219.130.49.89] blocked using opm.blitzed.org; Open proxy - see http://opm.blitzed.org/219.130.49.89; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<-1209697480>
> >>>
> >>>Dec 28 16:38:10 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 194-144-9-218.du.xdsl.is[194.144.9.218]: 501 <-1209697480>: Helo command rejected: Invalid name; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<-1209697480>
> >>>
> >>>Thanks,
> >>>
> >>>Max
> >
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFDtKAqqAaEpZvj+VMRAkVgAKCJ2qGHtRSC/k8azkfswBC+qfALDQCfZYEi
> lajhPf57AheuEMKZ0UqmO4E=
> =sBNt
> -----END PGP SIGNATURE-----
>
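Added example, not part of the original thread or written by any of its participants: a log-triage helper that applies the IP-to-integer conversion discussed above in reverse to the numeric HELO values from the quoted postfix lines and compares the result with the connecting address. It assumes the HELO string is a decimal 32-bit integer (negative values read as two's complement); the function names and the trimmed sample lines are constructed for illustration.

```python
import ipaddress
import re

# Postfix reject lines from the thread, trimmed to the fields parsed here
# (from=/to= were already redacted in the post).
SAMPLE_LOG = """\
Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1217882552>: Helo command rejected: Invalid name; proto=SMTP helo=<-1217882552>
Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo command rejected: Invalid name; proto=SMTP helo=<-1218008120>
Dec 28 16:38:10 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 194-144-9-218.du.xdsl.is[194.144.9.218]: 501 <-1209697480>: Helo command rejected: Invalid name; proto=SMTP helo=<-1209697480>
"""

LINE_RE = re.compile(
    r"RCPT from \S*?\[(?P<client>[0-9.]+)\]:.*\bhelo=<(?P<helo>-?\d+)>")


def decode_helo(value):
    """Read a decimal HELO string as a 32-bit integer and return its hex form
    plus the dotted quad in both byte orders; None if it does not fit."""
    n = int(value)
    if not -2**31 <= n < 2**32:
        return None
    u = n & 0xFFFFFFFF  # two's complement: negative values wrap to unsigned
    raw = u.to_bytes(4, "big")
    return {
        "hex": f"0x{u:08X}",
        "network_order": str(ipaddress.IPv4Address(raw)),
        "byte_swapped": str(ipaddress.IPv4Address(raw[::-1])),
    }


def analyse(log):
    """Decode every numeric HELO in the log and compare it to the client IP."""
    results = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        decoded = decode_helo(m["helo"])
        if decoded is None:
            continue
        decoded.update(client=m["client"], helo=m["helo"])
        decoded["matches_client"] = m["client"] in (
            decoded["network_order"], decoded["byte_swapped"])
        results.append(decoded)
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r)
```

For the three sample lines, neither byte order of the decoded value reproduces the connecting client address.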
