Internet Security Systems

SMTP Too many recipients

advICE : Intrusions : 2001007
Summary

The attacker is sending a single e-mail message with a large number of recipients.

Details

The SMTP command that names a recipient of an e-mail message is "RCPT TO:". Many of these can be specified for a single message. An attacker triggers this alert by sending a large number of "RCPT TO:" commands to the e-mail server within one message.

This could be a DoS (Denial of Service) attack. Many e-mail systems cannot handle too many recipients and can crash.

This could be a user account attack. A spammer could be looking for valid e-mail accounts. A typical technique is to send e-mail to many possible addresses; any that the server does not reject probably belong to legitimate users.

This could be a spam relay attempt. The spammer sends one e-mail to your server with many recipients, which your server then delivers individually to each person. Therefore, a spammer with a slow dial-up link can leech off of the high-speed connection of your system. This also masks where the spammer is coming from.

More information

advICE: spam countermeasures
This section describes measures you can take against spammers.

advICE: SMTP exploits
The intruder could be scanning for an SMTP service they can exploit. This section describes the many ways that SMTP servers can be broken into.

Bugtraq: SMTP server account probing

BugtraqID 748: Netscape Messaging Server RCPT TO DoS Vulnerability
A typical memory leak DoS attack.

Configuration for this item

smtp.maxrcpt (default 1000): This intrusion detection is triggered if the number of recipients for a single e-mail exceeds this count.
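As an added illustration that is not part of the original advICE page, the following Python checker applies the smtp.maxrcpt rule to an SMTP session transcript: it counts "RCPT TO:" commands per message, flags the message once the count exceeds the threshold, and also counts recipients the server rejected with a 5xx reply, which is the signal behind the account-probing case in Details. The "C: "/"S: " transcript format and the sample session are constructed for this example.

```python
import re

# Default threshold taken from the page's configuration item smtp.maxrcpt.
DEFAULT_MAX_RCPT = 1000
CMD_RE = re.compile(r"^(MAIL FROM|RCPT TO|RSET|DATA|QUIT)\b", re.IGNORECASE)

def analyze_session(transcript, max_rcpt=DEFAULT_MAX_RCPT):
    """Count RCPT TO commands per message in an SMTP session transcript.
    Lines are prefixed "C: " (client command) or "S: " (server reply).
    Returns one dict per message with the recipient total, the number the
    server rejected with a 5xx reply, and whether max_rcpt was exceeded."""
    messages, current, awaiting_reply = [], None, False
    for line in transcript:
        side, _, text = line.partition(": ")
        if side == "C":
            match = CMD_RE.match(text)
            cmd = match.group(1).upper() if match else None
            if cmd == "MAIL FROM":
                # A new envelope starts; recipients are counted per message.
                current = {"sender": text[len("MAIL FROM:"):].strip(),
                           "rcpt_total": 0, "rcpt_rejected": 0, "alert": False}
                messages.append(current)
            elif cmd == "RCPT TO" and current is not None:
                current["rcpt_total"] += 1
                awaiting_reply = True  # the next server line answers this RCPT
                if current["rcpt_total"] > max_rcpt:
                    current["alert"] = True
            elif cmd in ("RSET", "QUIT"):
                current, awaiting_reply = None, False
        elif side == "S" and awaiting_reply and current is not None:
            if text.startswith("5"):
                current["rcpt_rejected"] += 1
            awaiting_reply = False
    return messages

# Constructed sample session (not captured traffic): four recipients, two of
# which the server rejects as unknown users.
SAMPLE_SESSION = [
    "C: MAIL FROM:<sender@example.net>",
    "S: 250 OK",
    "C: RCPT TO:<alice@example.org>",
    "S: 250 OK",
    "C: RCPT TO:<bob@example.org>",
    "S: 550 No such user here",
    "C: RCPT TO:<carol@example.org>",
    "S: 250 OK",
    "C: RCPT TO:<dave@example.org>",
    "S: 550 No such user here",
    "C: DATA",
]
```

Running analyze_session(SAMPLE_SESSION, max_rcpt=3) flags the message because the fourth recipient exceeds the lowered threshold, while the page's default of 1000 would not; the two 550 rejections are reported separately so an analyst can tell a bulk mailing from a probe for valid accounts.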

 
Version appeared:  
