== An interesting recent spam run against one of my machines

A couple of days ago, the SMTP logs on one of my machines lit up with a whole bunch of attempted inbound connections from all over the world. The first striking thing about these connection attempts is that they all seemed to be from people's home machines (what would once have been called 'dialups' but now uses cable modems, DSL, and various other technologies). Many of these machines were on the [[PBL http://www.spamhaus.org/pbl/]] and a couple that I just checked now are currently on the CBL.

The second striking thing is the interesting way that the spammer behind this snatched defeat from the jaws of potential victory. A few of these IP addresses actually got to talk to my SMTP daemon; when they did, they all reacted like this:

.pn prewrap on

> remote from [94.174.75.128]
> HELO tvbtzzg.virginm.net
> 554 Unresolvable HELO name: tvbtzzg.virginm.net
>
> remote from [172.10.0.198]
> HELO koridl.sbcglobal.net
> 554 Unresolvable HELO name: koridl.sbcglobal.net

That's right. The spammer's software carefully worked out what the proper top level domain name was for the particular IP being used, put it in the _HELO_, and then *made up a random hostname to go with it*.

Given my usual views that spammers are by and large not stupid and are highly motivated to do what works, I suspect that such _HELO_ names must help their spam get through at least some spam filters (or, to put it another way, that other _HELO_ names increase the risks of the spam email being filtered out). That very small operations like mine can use this to immediately reject their spam is presumably unimportant.

(I don't have any idea what would cause a spammer to think that my particular machine was worth turning a corner of a botnet on, instead of just using a compromised machine or two and then moving on. Perhaps it's a very big botnet. It seems to have moved on now.)
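
The HELO check that produced the 554 rejections above can be sketched as follows. This is an added example, not the author's mail server configuration; the function names, the pluggable resolver, and the handling of address literals and unqualified names are assumptions.

```python
import socket


def default_resolver(name):
    """Return True if the system resolver finds any address for name."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except (socket.gaierror, UnicodeError):
        # gaierror: no such name; UnicodeError: malformed label (e.g. "a..b")
        return False


def check_helo(helo, resolves=default_resolver):
    """Return an SMTP reply (code, text) for a HELO argument.

    Assumptions (not from the original post): address literals such as
    [192.0.2.1] are passed on to other checks, and names without a dot
    are treated the same as names that fail to resolve.
    """
    arg = helo.strip()
    if arg.startswith("[") and arg.endswith("]"):
        return (250, "address literal, not checked here")
    name = arg.rstrip(".").lower()
    if "." not in name or not resolves(name):
        # Same reply text as in the log excerpts above.
        return (554, f"Unresolvable HELO name: {arg}")
    return (250, "ok")


if __name__ == "__main__":
    # Constructed stand-in for DNS so the demo runs offline: only this
    # name "resolves". The two HELO names from the log excerpts do not,
    # matching what the server reported at the time.
    known = {"mail.example.org"}
    samples = [
        "tvbtzzg.virginm.net",
        "koridl.sbcglobal.net",
        "mail.example.org",
        "[192.0.2.1]",
        "localhost",
    ]
    for helo in samples:
        code, text = check_helo(helo, resolves=lambda n: n in known)
        print(f"HELO {helo} -> {code} {text}")
```

Passing a resolver in keeps the check testable without network access; in production the lookup should have a short timeout so slow DNS does not stall the SMTP session.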