Some unusual SMTP activity from would-be spammers

October 28, 2012

For reasons beyond the scope of this entry, on some systems I watch SMTP logs in fair detail. One result of this is that every so often I see a burst of unusual SMTP activity (for example). Recently I saw a bunch of SMTP attempts over two days that looked like this:

24934#  remote from [165.228.246.237]
24934r  EHLO [192.168.2.33]
24934w  550 Unknown command 'EHLO'
24934r  MAIL FROM: <test@live.com>
24934w  503 Waiting for HELO command
24934r  QUIT

They came from a wide variety of sources but all did this identical sequence of commands (and all used the same EHLO greeting). One of the interesting things about this is that whatever is behind this shows some awareness of SMTP and is not just blindly sending commands; it notices that the MAIL FROM fails and QUITs, although it's not willing to try a HELO after the EHLO fails.

(Yes, I'm still running a SMTP server so old that it doesn't understand EHLO. This has interesting consequences sometimes.)

What's going on might have stayed a mystery but for another system here, which has less complete logs but accepts EHLO commands. Over the same two day period, its logs show a burst of attempts to relay from test@live.com to a Yahoo email address, all with this same EHLO. The obvious conclusion is that someone has fired up some large-scale software to look for open relays (relatively crude software at that, especially since it repeatedly probed the same machines).

(I don't think that this was an attempt to use us as an open relay; those usually try sending to a whole bunch of different remote addresses.)

All of this makes me wonder how many open relays there still are out there in the world. My impression used to be that open relays had gone away years ago, but perhaps it's just that the noise of spam from open relays was drowned out by the noise of spam from other sources. After all, the Internet is no longer a place where most of the machines on it are servers.

Written on 28 October 2012.
« The difference between cryptographic and normal random number generators
How ZFS file prefetching seems to work »

Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Oct 28 01:22:37 2012
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.