On Tue, Nov 29, 2005 at 02:04:38PM -0500, Marc Sherman said:
> My logs show a number of SMTP protocol violations similar to this one:
>
> 2005-11-21 04:55:24 SMTP protocol violation: synchronization error
> (input sent without waiting for greeting): rejected connection from
> H=ns1.avs18.com[85.118.32.254] input="POST / HTTP/1.1\r\nHost:
> projectile.ca:25\r\nContent-Type:text/plain\r\nContent-Length:
> 891\r\nMax-Forwards: 10\r\nVia: 1.0 projectile.ca:25\r\n\r\nRSET\r\nHELO
> lab-"
>
> Does anyone know what the deal is with those? Is it some kind of
> exploit against a broken HTTP proxy server? If so, why is it hitting
> port 25 instead of port 80?

Somebody has managed to trick a proxy server into POST'ing their spam
to your.address:25 - a common way to make http proxies relay email.
Enforcing sync + a short delay at connect (2 or 3s) makes just about all of
these go away.
--
--------------------------------------------------------------------------
| Stephen Gran | To iterate is human, to recurse, |
| steve@??? | divine. -- Robert Heller |
| http://www.lobefin.net/~steve | |
--------------------------------------------------------------------------
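The following is an added example, not part of the original message: a small Python parser that picks Exim synchronization-error entries like the one quoted above out of a main log and separates those whose early input is an HTTP request (a proxy being used as a relay) from plain early-talking SMTP clients. It assumes each log entry is on a single unwrapped line in the format of the quoted entry; the sample lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the entry quoted above
# (documentation-range addresses, made-up host names).
SAMPLE_LOG = r'''2005-11-21 04:55:24 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=proxy.example.net[192.0.2.10] input="POST / HTTP/1.1\r\nHost: mail.example.org:25\r\nContent-Length: 891\r\n\r\nRSET\r\nHELO lab-"
2005-11-21 05:01:02 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[198.51.100.7] input="HELO spammer\r\nMAIL FROM:<a@b.example>\r\n"
2005-11-21 05:03:40 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=proxy.example.net[192.0.2.10] input="CONNECT mail.example.org:25 HTTP/1.0\r\n\r\n"
2005-11-21 05:04:00 1EeFoo-0001aB-2C <= user@example.org H=localhost [127.0.0.1] P=esmtp S=1234
'''

SYNC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol violation: '
    r'synchronization error \((?P<why>[^)]*)\): rejected connection from '
    r'H=(?P<host>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\s+input="(?P<input>.*)"\s*$')
# The logged input is escaped, so CRLF appears as the four characters \r\n.
HTTP_RE = re.compile(r'^(?P<method>[A-Z]+) \S+ HTTP/\d\.\d')
HOST_RE = re.compile(r'\\r\\nHost:\s*(?P<target>[^\\\s]+)')


def parse_sync_errors(log_text):
    """Return one dict per synchronization-error line, classified by input."""
    events = []
    for line in log_text.splitlines():
        m = SYNC_RE.match(line)
        if not m:
            continue  # not a synchronization-error entry
        http = HTTP_RE.match(m['input'])
        host_hdr = HOST_RE.search(m['input']) if http else None
        events.append({
            'ts': m['ts'],
            'ip': m['ip'],
            'host': m['host'] or None,  # reverse DNS name, if logged
            'kind': 'http-proxy-relay' if http else 'early-smtp',
            'method': http['method'] if http else None,
            # Host header value: the mail server the proxy was pointed at
            'target': host_hdr['target'] if host_hdr else None,
        })
    return events


def proxy_sources(events):
    """Count HTTP-through-proxy attempts per connecting IP address."""
    return Counter(e['ip'] for e in events if e['kind'] == 'http-proxy-relay')
```
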