non-SMTP command from unknown from bot nets

Robert Schetterer
Hi,
since yesterday I have been getting tons of lines like

warning: non-SMTP command from unknown[......: Return-path: <>

from bots. Is anyone else seeing the same?

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: non-SMTP command from unknown from bot nets

mouss-2
Robert Schetterer wrote:
> Hi,
> since yesterday I have been getting tons of lines like
>
> warning: non-SMTP command from unknown[......: Return-path: <>
>

Is there a reason why you hide "external" information?

> from bots. Is anyone else seeing the same?
>

If what you see is HTTP commands, then yes, bots try open proxies.


Re: non-SMTP command from unknown from bot nets

Wietse Venema
In reply to this post by Robert Schetterer
Robert Schetterer:
> Hi,
> since yesterday I have been getting tons of lines like
>
> warning: non-SMTP command from unknown[......: Return-path: <>
>
> from bots. Is anyone else seeing the same?

I have such connections every now and then. This is why Postfix
gives special treatment to commands that look like mail headers.
The header names are not configurable, since they are never
valid as SMTP commands.

As noted by mouss, Postfix also looks for common HTTP commands.
These are listed with the "smtpd_forbidden_commands" parameter.

        Wietse
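
The two cases described above (commands that look like mail headers, and the HTTP commands listed in smtpd_forbidden_commands) can be told apart in the mail log. The following is an added example, not part of the original thread and not Postfix code: the FORBIDDEN set is an assumed smtpd_forbidden_commands value, the function names are hypothetical, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumption: commands listed in this site's smtpd_forbidden_commands setting.
FORBIDDEN = {"CONNECT", "GET", "POST"}

LINE_RE = re.compile(
    r"warning: non-SMTP command from \S+?\[(?P<ip>[^\]]+)\]: (?P<cmd>.*)$")
# Header-like first token: printable ASCII without space or colon, then ':'.
HEADER_RE = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")

def classify(cmd):
    """Return 'header', 'forbidden' or 'other' for the logged command text."""
    if HEADER_RE.match(cmd):
        return "header"
    words = cmd.split()
    return "forbidden" if words and words[0].upper() in FORBIDDEN else "other"

def summarize(lines):
    """Count warnings per (client IP, kind); unrelated lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("ip"), classify(m.group("cmd")))] += 1
    return counts

def noisy_clients(counts, threshold):
    """Client IPs whose total across all kinds reaches the threshold."""
    totals = Counter()
    for (ip, _kind), n in counts.items():
        totals[ip] += n
    return sorted(ip for ip, n in totals.items() if n >= threshold)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Apr 24 10:01:02 mx postfix/smtpd[2101]: warning: non-SMTP command from unknown[192.0.2.10]: Return-path: <>
Apr 24 10:01:05 mx postfix/smtpd[2101]: warning: non-SMTP command from unknown[192.0.2.10]: Return-path: <>
Apr 24 10:02:11 mx postfix/smtpd[2107]: warning: non-SMTP command from unknown[198.51.100.7]: GET / HTTP/1.1
Apr 24 10:02:12 mx postfix/smtpd[2107]: warning: non-SMTP command from unknown[198.51.100.7]: CONNECT mail.example.net:25 HTTP/1.0
Apr 24 10:02:30 mx postfix/smtpd[2110]: connect from unknown[203.0.113.5]
Apr 24 10:03:40 mx postfix/smtpd[2115]: warning: non-SMTP command from unknown[192.0.2.10]: Received: from localhost
"""

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines())
    for (ip, kind), n in sorted(counts.items()):
        print(f"{ip:15} {kind:9} {n}")
    print("noisy:", noisy_clients(counts, 3))
```

Compare FORBIDDEN with the output of `postconf smtpd_forbidden_commands` on the server whose log is being read.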

Re: non-SMTP command from unknown from bot nets

Robert Schetterer
In reply to this post by mouss-2
Hi Mouss,

mouss wrote:
> Robert Schetterer wrote:
>> Hi,
>> since yesterday I have been getting tons of lines like
>>
>> warning: non-SMTP command from unknown[......: Return-path: <>
>>
>
> Is there a reason why you hide "external" information?

No, nothing special, but this information would lead to nothing;
the IPs are from well-known (to me) botnet networks.

>
>> from bots. Is anyone else seeing the same?
>>
>
>
> If what you see is HTTP commands, then yes, bots try open proxies.
>
OK, I thought so; I was only surprised that their rate rose
in a short time.

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: non-SMTP command from unknown from bot nets

Robert Schetterer
In reply to this post by Wietse Venema
Wietse Venema wrote:

> Robert Schetterer:
>> Hi,
>> since yesterday I have been getting tons of lines like
>>
>> warning: non-SMTP command from unknown[......: Return-path: <>
>>
>> from bots. Is anyone else seeing the same?
>
> I have such connections every now and then. This is why Postfix
> gives special treatment to commands that look like mail headers.
> The header names are not configurable, since they are never
> valid as SMTP commands.
>
> As noted by mouss, Postfix also looks for common HTTP commands.
> These are listed with the "smtpd_forbidden_commands" parameter.
>
> Wietse

Hi Wietse, as I already wrote to mouss,
I only wanted to know if their rate
rose in other setups too since yesterday.
I guess it relates to the SQL injection ASP stuff
that is spreading widely.


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: non-SMTP command from unknown from bot nets

mouss-2
In reply to this post by Robert Schetterer
Robert Schetterer wrote:

> Hi Mouss,
>
> mouss wrote:
>> Robert Schetterer wrote:
>>> Hi,
>>> since yesterday I have been getting tons of lines like
>>>
>>> warning: non-SMTP command from unknown[......: Return-path: <>
>>>
>>
>> Is there a reason why you hide "external" information?
>
> No, nothing special, but this information would lead to nothing;
> the IPs are from well-known (to me) botnet networks.

I was not asking about the IPs, but about the actual commands.


>
>>
>>> from bots. Is anyone else seeing the same?
>>>
>>
>>
>> If what you see is HTTP commands, then yes, bots try open proxies.
>>
> OK, I thought so; I was only surprised that their rate rose
> in a short time.
>

Not seeing a lot here, and as you guess, I won't complain :)


Re: non-SMTP command from unknown from bot nets

Wietse Venema
In reply to this post by Robert Schetterer
Robert Schetterer:
> > If what you see is HTTP commands, then yes, bots try open proxies.
> >
> OK, I thought so; I was only surprised that their rate rose
> in a short time.

No rise here. I suppose they have discovered you.

        Wietse

Re: non-SMTP command from unknown from bot nets

Robert Schetterer
Wietse Venema wrote:
> Robert Schetterer:
>>> If what you see is HTTP commands, then yes, bots try open proxies.
>>>
>> OK, I thought so; I was only surprised that their rate rose
>> in a short time.
>
> No rise here. I suppose they have discovered you.
>
> Wietse

Yep, this domain always gets every new spam
early *g; if we ever
stop using it, it would be a great honeypot.

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria