Some unusual SMTP activity from would-be spammers
October 28, 2012
For reasons beyond the scope of this entry, on some systems I watch SMTP logs in fair detail. One result of this is that every so often I see a burst of unusual SMTP activity (for example). Recently I saw a bunch of SMTP attempts over two days that looked like this:
    24934# remote from [184.108.40.206]
    24934r EHLO [192.168.2.33]
    24934w 550 Unknown command 'EHLO'
    24934r MAIL FROM: <email@example.com>
    24934w 503 Waiting for HELO command
    24934r QUIT
They came from a wide variety of sources but all did this identical
sequence of commands (and all used the same
(Yes, I'm still running a SMTP server so old that it doesn't understand
What's going on might have stayed a mystery but for another system here,
which has less complete logs but accepts
(I don't think that this was an attempt to use us as an open relay; those usually try sending to a whole bunch of different remote addresses.)
All of this makes me wonder how many open relays there still are out there in the world. My impression used to be that open relays had gone away years ago, but perhaps it's just that the noise of spam from open relays was drowned out by the noise of spam from other sources. After all, the Internet is no longer a place where most of the machines on it are servers.
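The session shape in the log excerpt above (an EHLO with a private address literal, then MAIL FROM sent even though no greeting was accepted) can be picked out of a larger log mechanically. This is an added example, not the author's code. It assumes the '#', 'r' and 'w' markers mean connection note, line read from the client and line written by the server (inferred from the excerpt), runs over a constructed sample, and uses the hypothetical names private_literal, classify and flag_sessions.

```python
import ipaddress
import re

# Constructed sample in the excerpt's layout. Assumed markers: '#' connection
# note, 'r' line read from the client, 'w' line written by the server.
SAMPLE_LOG = """\
24934# remote from [203.0.113.7]
24934r EHLO [192.168.2.33]
24934w 550 Unknown command 'EHLO'
24934r MAIL FROM: <someone@example.com>
24934w 503 Waiting for HELO command
24935# remote from [198.51.100.20]
24935r EHLO mail.example.net
24935w 550 Unknown command 'EHLO'
24935r HELO mail.example.net
24935w 250 OK
24935r MAIL FROM: <someone@example.net>
"""
LINE_RE = re.compile(r"^(\d+)([#rw]) (.*)$")

def private_literal(arg):
    """True if a greeting argument is an address literal in private space."""
    try:
        return ipaddress.ip_address(arg.strip("[]")).is_private
    except ValueError:
        return False  # a hostname, not an address literal

def classify(events):
    """Tag a session that greets oddly or sends MAIL with no accepted greeting."""
    tags, greeted = set(), False
    for i, (marker, payload) in enumerate(events):
        verb, _, arg = payload.partition(" ")
        verb = verb.upper()
        if marker != "r" or verb not in ("EHLO", "HELO", "MAIL"):
            continue
        reply = next((p for k, p in events[i + 1:] if k == "w"), "")
        if verb != "MAIL":
            greeted = greeted or reply.startswith("2")
            if private_literal(arg):
                tags.add("private-literal-greeting")
        elif not greeted:
            tags.add("mail-without-accepted-greeting")
    return sorted(tags)

def flag_sessions(text):
    """Group lines by session id; return {session_id: tags} where tags exist."""
    sessions = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        sessions.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return {s: t for s, e in sessions.items() if (t := classify(e))}
```

The second constructed session is a client that falls back to HELO after the rejected EHLO, so it is not flagged.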