== Getting to watch a significant spam campaign recently

One of the interesting side effects of running [[a sinkhole SMTP server https://github.com/siebenmann/sinksmtp/]] and occasionally looking at the SMTP command logs is that every so often I get to see the signs of what is clearly a significant spam campaign. Recently, for example, I noticed a whole pile of delivery attempts that all had a distinct signature, sufficiently distinct that I'm pretty sure they must have been from the same software and party. The primary signature was an unusual _MAIL FROM_, where it was the same as the _RCPT TO_. A typical session looked like:

.pn prewrap on

> EHLO host11.190-230-18.telecom.net.ar
> 250 [...]
> MAIL From:
> 550 [...]
> RCPT To:
> 503 Out of sequence command

(My server advertises _PIPELINING_, so this run-ahead behavior by the client is legitimate. Not all of the connections did it, so I can't be entirely sure that they were going to _RCPT TO_ the same address. It's a good bet, though; spammers seem to almost never attempt a _MAIL FROM_ of my own domain.)

Almost all of the hosts that I saw do this were in the [[PBL https://www.spamhaus.org/pbl/]], the [[XBL https://www.spamhaus.org/xbl/]], or the [[CSS https://www.spamhaus.org/css/]]. Hosts _EHLO_'d with either their reverse DNS or with e.g. '_[39.112.245.8]_' when they had no rDNS (although not all of the names had forward DNS to go with their rDNS). While this was happening, I often saw a significant number of these connections one after another from all sorts of different IPs.

A few messages of this sort got all the way to _DATA_ and so had their contents logged. Based on that, the campaign seems to have been pushing an offshore pharmacy hosted on an IP that [[Spamhaus lists https://www.spamhaus.org/sbl/query/SBL279717]] as part of 'Yambo Financials' aka 'RxMed pharma spam website hosting' (although the domain name used in the spam is not one that's currently in the SBL listing).
That doesn't really surprise me, as I'd expect such a spam campaign to come from one of the larger operations. There are probably spam campaigns running all the time that my (now) spamtraps get hit by. It's just that usually they don't stand out this much, either by having a distinctive and unusual signature or by hammering on my addresses quite this hard. The latter puzzles me a bit, since it seems inefficient (and [[I do believe that spammers are generally efficient SpamAttemptsAndWaste]]).
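As an added illustration (not code from the original post or from sinksmtp), here is a small Python parser that applies the signature described above to a session transcript: it flags sessions whose _MAIL FROM_ address equals a _RCPT TO_ address, notes when the _RCPT TO_ was issued after the _MAIL FROM_ had already been rejected, and records whether the _EHLO_ name was a bare address literal. The `C:`/`S:` transcript format and the addresses in the sample are constructed for this example and are not sinksmtp's actual log format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Extracts the address from "MAIL From:<addr>" / "RCPT To:<addr>".
ADDR_RE = re.compile(r'<([^>]*)>')


@dataclass
class Session:
    ehlo: str = ""
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    rcpt_after_reject: bool = False  # RCPT TO seen after a 5xx to MAIL FROM


def parse_session(lines):
    """Parse 'C: <client command>' / 'S: <server reply>' lines into a Session."""
    s = Session()
    mail_status = None  # reply code the server gave to the last MAIL FROM
    awaiting_mail_reply = False
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "S":
            if awaiting_mail_reply:
                mail_status = text[:3]
                awaiting_mail_reply = False
            continue
        verb, _, rest = text.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            s.ehlo = rest.strip()
        elif verb == "MAIL":
            m = ADDR_RE.search(text)
            s.mail_from = m.group(1).lower() if m else None
            awaiting_mail_reply = True
        elif verb == "RCPT":
            m = ADDR_RE.search(text)
            if m:
                s.rcpt_to.append(m.group(1).lower())
            if mail_status is not None and mail_status.startswith("5"):
                s.rcpt_after_reject = True
    return s


def matches_signature(s):
    """The campaign's signature: MAIL FROM is one of the RCPT TO addresses."""
    return s.mail_from is not None and s.mail_from in s.rcpt_to


def ehlo_is_literal(s):
    """True when the client EHLO'd with an address literal such as [39.112.245.8]."""
    return s.ehlo.startswith("[") and s.ehlo.endswith("]")


# Constructed transcript modelled on the session in the post; not real log data.
SAMPLE_SESSION = [
    "C: EHLO host11.190-230-18.telecom.net.ar",
    "S: 250 mail.example PIPELINING",
    "C: MAIL From:<victim@example.org>",
    "S: 550 rejected",
    "C: RCPT To:<victim@example.org>",
    "S: 503 Out of sequence command",
]
```

Run over a day's worth of sessions, the two flags together separate this campaign's pattern from ordinary rejected mail, where the sender and recipient differ and the client waits for the reply.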