[Dshield] FW: BASE Incident Report

Golden_Eternity bswopes at bhodisoft.com
Mon Jun 6 22:00:24 GMT 2005


tfischer at oldenburggroup.com wrote:
> Could someone please help me understand what I am looking at here? I
> caught this on my external snort sensor. What bothers me the most are lines
> 320-360. Thanks for any help.

Well, the bottom part looks like a capture of what happens if you telnet
to carrotpatch.net and type 'ehlo lists.carrotpatch.net'... Possibly
part of a bounce message transcript.

The packet looks something like this:

ress: gonzales at carrotpatch.net

--- Session Transcript ---

 Parsing Message <e:\mdaemon\gateways\carrotpatch.net\pd50000361449.msg>

 From: fox at northernnavigation.com
 To: gonzales at carrotpatch.net
 Subject: Call from Canada for RX
 Message-ID:
 MX-record resolution of [carrotpatch.net] in progress (DNS Server:
198.70.36.70)
 P=020 D=carrotpatch.net TTL=(42) MX=[listserver.carrotpatch
net] {209.43.47.126}
 Ignoring irrelevant RR, listserver.carrotpatch.net P=020
 P=010 D=carrotpatch.net TTL=(42) MX=[frb.carrotpatch.net] {12.202.193.90}
 P=010 D=carrotpatch.net TTL=(42) MX=[carrotpatch.net] {12.202.193.90}
 Attempting MX: P=010 D=carrotpatch.net TTL=(42) MX=[carrotpatch.net]
12.202.193.90}
 Attempting SMTP connection to [12.202.193.90 : 25]
 Waiting for socket connection
 Socket connection established (209.43.47.126 : 4359 -> 12.202.193.90 : 25)
 Waiting for protocol initiation
 <-- 220 frb.carrotpatch.net Microsoft ESMTP MAIL Service, Version:
6.0.3790.211 ready at  Sun, 5 Jun 2005 01:29:05 -0500
 --> EHLO lists.carrotpatch.net
 <-- 250-frb.carrotpatch.net Hello [206.246.140.28]
 <-- 250-TURN
 <-- 250-SIZE
 <-- 250-ETRN
 <-- 250-PIPELINING
 <-- 250-DSN
 <-- 250-ENHANCEDSTATUSCODES
 <-- 250-8bitmime
 <-- 250-BINARYMIME
 <-- 250-CHUNKING
 <-- 250-VRFY
 <-- 250-X-EXPS GSSAPI NTLM LOGIN
 <-- 250-X-EXPS=LOGIN
 <-- 250-AUTH GSSAPI NTLM LOGIN
 <-- 250-AUTH=LOGIN
 <-- 250-X-LINK2STATE
 <-- 250-XEX
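
Added example, not part of the original post: a small Python triage helper that checks whether a captured payload is a logged SMTP dialogue like the transcript above and pulls out the banner, the EHLO name and the advertised extensions. It assumes the `-->` / `<--` direction markers are written by the logging mail server and never appear in a live SMTP session, and that an unindented line following a marked line is a mail-wrapped continuation; the sample is constructed from lines in the post.

```python
import re

# Constructed sample: lines taken from the transcript quoted in the post,
# including the mail-wrapped 220 banner.
SAMPLE = """\
 Waiting for protocol initiation
 <-- 220 frb.carrotpatch.net Microsoft ESMTP MAIL Service, Version:
6.0.3790.211 ready at  Sun, 5 Jun 2005 01:29:05 -0500
 --> EHLO lists.carrotpatch.net
 <-- 250-frb.carrotpatch.net Hello [206.246.140.28]
 <-- 250-TURN
 <-- 250-VRFY
 <-- 250-AUTH GSSAPI NTLM LOGIN
 <-- 250-AUTH=LOGIN
 <-- 250-X-LINK2STATE
"""

ARROW = re.compile(r"^\s*(-->|<--)\s?(.*)$")   # log direction marker, never on the wire
REPLY = re.compile(r"^(\d{3})[ -](.*)$")       # SMTP reply: code, separator, text

def parse_transcript(text):
    """Summarise an arrow-prefixed SMTP dialogue found in a captured payload."""
    events = []
    for line in text.splitlines():
        m = ARROW.match(line)
        if m:
            events.append([m.group(1), m.group(2).rstrip()])
        elif events and line.strip() and not line[0].isspace():
            # Assumption: an unindented line after an arrow line is a wrapped continuation.
            events[-1][1] += " " + line.strip()
    out = {"logged": bool(events), "banner": None, "ehlo": None,
           "extensions": [], "auth": set()}
    greeted = False
    for direction, body in events:
        r = REPLY.match(body)
        if direction == "-->" and body.upper().startswith(("EHLO ", "HELO ")):
            out["ehlo"], greeted = body.split(None, 1)[1], False
        elif r and r.group(1) == "220" and out["banner"] is None:
            out["banner"] = r.group(2)
        elif r and r.group(1) == "250" and out["ehlo"]:
            if not greeted:            # first 250 line is the greeting, not an extension
                greeted = True
                continue
            keyword = re.split(r"[ =]", r.group(2), maxsplit=1)[0].upper()
            if keyword not in out["extensions"]:
                out["extensions"].append(keyword)
            if keyword == "AUTH":
                out["auth"].update(r.group(2)[4:].replace("=", " ").split())
    return out

if __name__ == "__main__":
    print(parse_transcript(SAMPLE))
```

When `logged` is true, the sensor matched on text carried inside a message body rather than on a live command stream, which is what the reply suggests happened here.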



