Spammers show up fast when you open up port 25 (at least sometimes)
As part of adding authenticated SMTP to our environment, we recently opened up outside access to port 25 (and port 587) to a machine that hadn't had them exposed before. You can probably guess what happened next: it took less than five hours before spammers were trying to rattle the doorknobs to see if they could get in.
(Literally. I changed our firewall to allow outside access around 11:40 am and the first outside attack attempt showed up at 3:35 pm.)
While I don't have SMTP command logs, Exim does log enough information
that I'm pretty sure that we got two sorts of spammers visiting.
The first sort definitely tried to do either an outright spam run
or a relay check, sending
MAIL FROMs with various addresses
(including things like 'postmaster@<our domain>'); all of these
failed since they hadn't authenticated first. The other sort of
spammer is a collection of machines that all EHLO as '
which is apparently a mass scanning system that attempts to brute
force your SMTP authentication. So far there is no sign that they've
succeeded on ours (or are even trying), and I don't know if they
even manage to start up a TLS session (a necessary prerequisite to
even being offered the chance to do SMTP authentication). These
people showed up second, but not by much; their first attempt was
at 4:04 pm.
(I have some indications that in fact they don't. On a machine that
I do have SMTP command logs on, I see
ylmf-pc people connect,
EHLO, and then immediately disconnect without trying STARTTLS.)
It turns out that Exim has some logging for this (the magic log string is '... authenticator failed for ...') and using that I can see that in fact the only people who have gotten far enough to actually try to authenticate are a few of our own users. Since our authenticated SMTP service is still in testing and hasn't been advertised, I suspect that some people are using MUAs (or other software) that simply try authenticated SMTP against their IMAP server just to see if it works.
There are two factors here that may mean this isn't what you'll see if you stand up just any server on a new IP, which is that this server has existed for some time with IMAP exposed (and under a well known DNS name at that, one that people would naturally try if they were looking for people's IMAP servers). It's possible that existing IMAP servers get poked far more frequently and intently than other random IPs.
(Certainly I don't see anything like this level of activity on other machines where I have exposed SMTP ports.)