I'm seeing a lot of SMTP command: XXXX. Is this used in spam distro? I did a packet capture and got this info
502 Command not implemented
250 hello zzzzzzz.com
I guess I'm curious to know why it sent:
XXXX mail.ctcustomhomes.com and then re-sent the same command without the X's. What do the X's mean? In an effort to reduce spam I'm flagging the SMTP command:XXXX and MAIL FROM:<> (null from) on my Cisco IPS and trying to decide if I should block the traffic.
Thanks in advance
Re: XXXX SMTP command Question
11 years 11 months ago #19740
I have only ever seen things like this when a firewall in between the comms is altering the commands as it's passing. Do you have any firewalls in between? Some firewalls can cause some issues when you start to monitor or manipulate the SMTP traffic. Not sure if it's still a problem, but when you used to turn on the PIX SMTP Fixup, it did cause issues with SMTP traffic, even when they then released the ESMTP version of this to handle the newer Extended SMTP protocol command set. It is also used to block (or mask) SMTP banners to try and stop people from finding out what e-mail systems are in use.
Ahh, that would explain this in my IPS event log: "PIX MailGuard Substitution". Well, now the goose chase is over. I was hoping to use the IPS to reduce spam but I'm not finding anything I could use to trigger a signature. I thought I was on track with the X's and MAIL FROM:<>. Thanks for your help anyway.
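The substitution pattern described in the reply (an in-path PIX rewriting an unsupported verb to X's, the server answering 5xx, the client then retrying the real command) can be matched in a captured session so it is attributed to the firewall rather than flagged as spam. This is an added example, not code from the thread; the transcript is constructed and the "C: "/"S: " line format is an assumption.

```python
"""Flag client commands rewritten to X's by an in-path device (the PIX
MailGuard behaviour from the thread) instead of treating them as spam."""
import re

# Constructed sample capture: "C:" = client -> server, "S:" = server -> client.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP
C: XXXX mail.ctcustomhomes.com
S: 502 Command not implemented
C: EHLO mail.ctcustomhomes.com
S: 250 hello zzzzzzz.com
C: MAIL FROM:<>
S: 250 OK
C: QUIT
S: 221 Bye
"""

# Three or more X's standing alone as the verb, followed by the original args.
XED_CMD = re.compile(r"^X{3,}\b(.*)$")


def parse_session(text):
    """Split a C:/S: transcript into {'dir': 'C'|'S', 'line': ...} records."""
    recs = []
    for raw in text.splitlines():
        raw = raw.strip()
        if len(raw) < 3 or raw[1:3] != ": " or raw[0] not in "CS":
            continue  # skip anything that is not a tagged protocol line
        recs.append({"dir": raw[0], "line": raw[3:]})
    return recs


def find_substitutions(recs):
    """Return (xed_cmd, server_reply, retried_cmd) triples where an all-X verb
    was rejected with a 5xx and the client then resent a real verb carrying the
    same arguments: the fingerprint of a middlebox rewrite, not a spam tool."""
    hits = []
    for i, rec in enumerate(recs):
        if rec["dir"] != "C":
            continue
        m = XED_CMD.match(rec["line"])
        if not m:
            continue
        args = m.group(1).strip()
        reply = next((r["line"] for r in recs[i + 1:] if r["dir"] == "S"), "")
        retry = next((r["line"] for r in recs[i + 1:] if r["dir"] == "C"), "")
        if reply.startswith("5") and retry.split(" ", 1)[-1].strip() == args:
            hits.append((rec["line"], reply, retry))
    return hits
```

A hit here points at the device between the hosts (the "PIX MailGuard Substitution" event in the original poster's log), so the XXXX verb alone is not a usable spam signature.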