Some unusual SMTP activity from would-be spammers
For reasons beyond the scope of this entry, on some systems I watch SMTP logs in fair detail. One result of this is that every so often I see a burst of unusual SMTP activity (for example). Recently I saw a bunch of SMTP attempts over two days that looked like this:
24934# remote from [188.8.131.52]
24934r EHLO [192.168.2.33]
24934w 550 Unknown command 'EHLO'
24934r MAIL FROM: <firstname.lastname@example.org>
24934w 503 Waiting for HELO command
24934r QUIT
They came from a wide variety of sources but all did this identical sequence of commands (and all used the same EHLO greeting). One of the interesting things about this is that whatever is behind this shows some awareness of SMTP and is not just blindly sending commands; it notices MAIL FROM fails and QUITs, although it's not willing to try HELO after the
(Yes, I'm still running an SMTP server so old that it doesn't understand EHLO. This has interesting consequences sometimes.)
What's going on might have stayed a mystery but for another system here, which has less complete logs but accepts EHLO commands. Over the same two day period, its logs show a burst of attempts to relay from email@example.com to a Yahoo email address, all with this same
The obvious conclusion is that someone has fired up some large-scale software to look for open relays (relatively crude software at that, especially since it repeatedly probed the same machines).
(I don't think that this was an attempt to use us as an open relay; those usually try sending to a whole bunch of different remote addresses.)
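As an added illustration (not code from the original entry), here is a small Python script that parses log lines in the format shown above ("<id># remote from [ip]", "<id>r <client command>", "<id>w <our reply>") and flags sessions that follow the exact probe pattern: EHLO rejected, straight to MAIL FROM, 503, QUIT, with no HELO retry. The log text is constructed; the second session and its addresses are made up to show a legitimate client that does retry with HELO.

```python
import re

# Constructed sample log in the format shown in the post.
SAMPLE_LOG = """\
24934# remote from [188.8.131.52]
24934r EHLO [192.168.2.33]
24934w 550 Unknown command 'EHLO'
24934r MAIL FROM: <firstname.lastname@example.org>
24934w 503 Waiting for HELO command
24934r QUIT
31020# remote from [203.0.113.7]
31020r EHLO mail.example.net
31020w 550 Unknown command 'EHLO'
31020r HELO mail.example.net
31020w 250 ok
31020r MAIL FROM: <someone@example.net>
31020w 250 ok
31020r QUIT
"""

# <session id><kind><rest>: '#' opens a session, 'r' is read from the client, 'w' is written by us.
LINE_RE = re.compile(r"^(\d+)([#rw])\s*(.*)$")


def parse_sessions(text):
    """Group log lines by session id into {'ip': ..., 'lines': [(kind, text), ...]}."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        sid, kind, rest = m.groups()
        if kind == "#":
            ip = re.search(r"\[([^\]]+)\]", rest)
            sessions[sid] = {"ip": ip.group(1) if ip else None, "lines": []}
        elif sid in sessions:
            sessions[sid]["lines"].append((kind, rest))
    return sessions


def is_relay_probe(session):
    """True for the pattern seen in the post: EHLO -> 550, MAIL FROM -> 503, QUIT, never HELO."""
    cmds = [t.split(None, 1)[0].upper() for k, t in session["lines"] if k == "r"]
    replies = [t[:3] for k, t in session["lines"] if k == "w"]
    return cmds == ["EHLO", "MAIL", "QUIT"] and replies[:2] == ["550", "503"]


def find_probes(text):
    """Map each probing source IP to the EHLO greeting it used (the post notes all used the same one)."""
    result = {}
    for sess in parse_sessions(text).values():
        if is_relay_probe(sess):
            ehlo = next(t for k, t in sess["lines"] if k == "r" and t.upper().startswith("EHLO"))
            result[sess["ip"]] = ehlo.split(None, 1)[1] if " " in ehlo else ""
    return result
```

Collecting the greeting per source lets you confirm that a burst from many IPs is one tool, as the entry describes.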
All of this makes me wonder how many open relays there still are out there in the world. My impression used to be that open relays had gone away years ago, but perhaps it's just that the noise of spam from open relays was drowned out by the noise of spam from other sources. After all, the Internet is no longer a place where most of the machines on it are servers.
Written on 28 October 2012.