TOPIC: XXXX SMTP command Question

XXXX SMTP command Question 9 years 9 months ago #19738

psiclonius (Frequent Member, Posts: 34)
Hi Everyone,

I'm seeing a lot of SMTP command: XXXX. Is this used in spam distro? I did a packet capture and got this info:

XXXX mail.ctcustomhomes.com
502 Command not implemented
HELO mail.ctcustomhomes.com
250 hello zzzzzzz.com
MAIL FROM:<>
250 ok

I guess I'm curious to know why it sent:
XXXX mail.ctcustomhomes.com and then re-sent the same command without the X's. What do the X's mean? In an effort to reduce spam I'm flagging the SMTP command XXXX and MAIL FROM:<> (null from) on my Cisco IPS and trying to decide if I should block the traffic.

Thanks in advance

Re: XXXX SMTP command Question 9 years 9 months ago #19740

Smurf (Moderator, Posts: 1390)
I have only ever seen things like this when a firewall in between the comms is altering the commands as they pass. Do you have any firewalls in between? Some firewalls can cause issues when you start to monitor or manipulate the SMTP traffic. Not sure if it's still a problem, but when you used to turn on the PIX SMTP Fixup, it did cause issues with SMTP traffic, even when they then released the ESMTP version of this to handle the newer Extended SMTP protocol command set. It is also used to block (or mask) SMTP banners to try and stop people from finding out what e-mail systems are in use.

That's all I can think of, really.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
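The behaviour Smurf describes, as an added example that is not code from the thread or from Cisco: the PIX "fixup protocol smtp" (Mail Guard) inspection passes only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT and overwrites the verb of any other command with X's, so the mail server sees and rejects a nonsense command. The script below simulates that rewrite, drives an ESMTP client through it, and then runs a small classifier over a capture constructed from the exchange in the original post. It assumes the masked command was EHLO (four characters, matching XXXX), which Mail Guard does not allow, and that the client fell back to HELO after the 502; the server replies are constructed to match the post. The command list and the regex are the example's own, not an IPS signature.

```python
import re

# Commands the PIX Mail Guard (fixup protocol smtp) lets through; everything else
# has its verb replaced by X's before it reaches the mail server (Cisco-documented set).
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# A client line whose verb is three or more X's, i.e. a masked command.
XXXX_CMD = re.compile(r"^X{3,}(\s|$)")


def mailguard_rewrite(line):
    """Simulate Mail Guard: mask the verb of a non-allowed command, keeping its length."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in MAILGUARD_ALLOWED:
        return line
    return "X" * len(verb) + sep + rest


def server_reply(line):
    """Constructed mail-server replies, matching the capture in the original post."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "HELO":
        return "250 hello zzzzzzz.com"
    if verb == "MAIL":
        return "250 ok"
    if verb == "QUIT":
        return "221 bye"
    return "502 Command not implemented"


def run_exchange(client_lines):
    """Send each client line through the simulated firewall to the simulated server.

    Returns [(sent_by_client, seen_by_server, reply)]. Mimics an ESMTP client: when
    its EHLO is answered with a 5xx it falls back to HELO with the same argument,
    which is why the capture shows XXXX followed by HELO (assumption, see lead-in).
    """
    transcript = []
    for line in client_lines:
        seen = mailguard_rewrite(line)
        reply = server_reply(seen)
        transcript.append((line, seen, reply))
        if line.upper().startswith("EHLO") and reply.startswith("5"):
            fallback = "HELO" + line[4:]
            seen2 = mailguard_rewrite(fallback)
            transcript.append((fallback, seen2, server_reply(seen2)))
    return transcript


# Capture constructed from the original post: ('C', client line) / ('S', server line).
SAMPLE_CAPTURE = [
    ("C", "XXXX mail.ctcustomhomes.com"),
    ("S", "502 Command not implemented"),
    ("C", "HELO mail.ctcustomhomes.com"),
    ("S", "250 hello zzzzzzz.com"),
    ("C", "MAIL FROM:<>"),
    ("S", "250 ok"),
]


def classify_capture(capture):
    """Tag client lines in a capture. A run of X's answered with a 5xx is a firewall
    substitution artefact, not evidence of spam; MAIL FROM:<> is the null reverse-path
    that bounces and delivery status notifications use, so it is tagged but not 'bad'."""
    findings = []
    for i, (direction, line) in enumerate(capture):
        if direction != "C":
            continue
        reply = ""
        if i + 1 < len(capture) and capture[i + 1][0] == "S":
            reply = capture[i + 1][1]
        if XXXX_CMD.match(line) and reply.startswith("5"):
            findings.append(("mailguard_substitution", line))
        elif line.upper().startswith("MAIL FROM:<>"):
            findings.append(("null_sender", line))
    return findings


if __name__ == "__main__":
    for sent, seen, reply in run_exchange(["EHLO mail.ctcustomhomes.com", "MAIL FROM:<>"]):
        print(f"client: {sent:30}  server saw: {seen:30}  reply: {reply}")
    for kind, line in classify_capture(SAMPLE_CAPTURE):
        print(f"{kind}: {line}")
```

Running it reproduces the post's capture: the server sees XXXX where the client sent EHLO, answers 502, and the client's HELO fallback then succeeds. Two practical points follow. First, the X's originate on your side of the connection, so a signature on them only measures how many peers speak ESMTP; if you want EHLO to pass, use the ESMTP-aware inspection or disable the fixup as Smurf suggests, then recheck the capture. Second, the null sender MAIL FROM:<> is required by the SMTP RFCs for bounces and delivery status notifications, so blocking it drops legitimate mail rather than spam.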

Re: XXXX SMTP command Question 9 years 9 months ago #19741

psiclonius (Frequent Member, Posts: 34)
I do have a PIX 515E, and I just verified that the fixup smtp is set to port 25. So it is possible that the PIX is receiving the packet and adding the X's before forwarding it to the mail server?

Re: XXXX SMTP command Question 9 years 9 months ago #19742

Smurf (Moderator, Posts: 1390)
That's right, you could try turning it off and see what happens. We had issues, so we turned it off.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Re: XXXX SMTP command Question 9 years 9 months ago #19744

psiclonius (Frequent Member, Posts: 34)
Ahh, that would explain this in my IPS event log: "PIX MailGuard Substitution". Well, now the goose chase is over. I was hoping to use the IPS to reduce spam, but I'm not finding anything I could use to trigger a signature. I thought I was on track with the X's and MAIL FROM:<>. Thanks for your help anyway.