All, This is a follow-on to the SASL knocking thread yesterday. I have an AWS relay attempt that tried to execute a pipeline command and I would like to try and decipher what appears to be shell-code (but it isn't). The journal captured the following attempt from an AWS IP: Nov 02 03:11:16 valkyrie dovecot[842]: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=44.200.193.16, lip=192.168.6.14, TLS, session=<dZiS7iYJ+rksyMEQ> Nov 02 03:11:16 valkyrie postfix/smtpd[48294]: connect from ec2-44-200-193-16.compute-1.amazonaws.com[44.200.193.16] Nov 02 03:11:16 valkyrie postfix/smtpd[48294]: improper command pipelining after CONNECT from ec2-44-200-193-16.compute-1.amazonaws.com[44.200.193.16]: \026\003\001\000\352\001\000\000\346\003\003\220\344/J\037\342\365\271\277ZvW\023\205\242\260"\020:l6\361\033j\256U\030\334\326?7\234 \333\2111\270\3050\a\311i\2325\3302\244\366g\244\366\332\225\234uy\223{B\220\205\203\303\317\360\000&\300+\300/\300,\3000\314\251\314\250\300\t\300\023\300\n\300\024\000\234 Nov 02 03:11:16 valkyrie postfix/smtpd[48294]: warning: non-SMTP command from ec2-44-200-193-16.compute-1.amazonaws.com[44.200.193.16]: \023\001\023\002\023\003\001\000\000w\000\005\000\005\001\000\000\000\000\000 Nov 02 03:11:16 valkyrie postfix/smtpd[48294]: disconnect from ec2-44-200-193-16.compute-1.amazonaws.com[44.200.193.16] unknown=0/1 commands=0/1 The server did nothing with it and disconnected as it should, but how would I suss out what the command pipeline attempted was? It appears to be a string of octal digits until you hit /J and ZvW which doesn't make much sense. Any easy way to back out what the command was? -- David C. Rankin, J.D.,P.E.