The 'EHLO ylmf-pc' plague of SMTP authentication guessers
If you run a mail server on the Internet and look at your logs, you may have noticed a lot of connections from machines that EHLO with the name ylmf-pc. There are many pages about this on the web, and the general consensus is that this is some sort of long standing brute force SMTP authentication guessing botnet or piece of software. Whatever it is, it's quite annoying and may also be unevenly distributed in action.
I can't say with any confidence what it is, because it also seems to be pretty dumb and limited. Our new authenticated SMTP server doesn't offer authentication before STARTTLS, but it will afterwards. This can't be an uncommon configuration, yet I see a whole plague of ylmf-pc machines connecting to it and then immediately disconnecting without trying anything more (and in particular without trying STARTTLS). It's as if they connect, examine the EHLO response, see no authentication advertised, and then immediately disconnect.
Of course, that's when the real annoyance comes in; these machines aren't content with doing this just once. Oh no. A ylmf-pc machine will do this same connect, EHLO, then disconnect cycle over and over and over again, very fast. Our logs typically show multiple connects and disconnects a second. We have firewall connection limiters that cut in to temporarily block these IPs, but otherwise a ylmf-pc machine will also keep doing this for quite a while. This creates quite a bunch of log spam, even with the firewall blocking IPs for us.
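As an added example (my code, not anything from the original post or from the author's servers), here is the detection side of that connect, EHLO, disconnect hammering run over constructed log lines. The syslog-like log layout, the per-IP thresholds, the submission port and the iptables rule output are all assumptions; the one thing taken from the post is the behaviour being looked for: a source that never gets past EHLO yet reconnects several times a second, or that announces itself as ylmf-pc at all.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up syslog-like layout (assumption: this is
# not any particular MTA's real format). 203.0.113.7 behaves like the ylmf-pc
# brigade: five EHLO-only sessions in about two seconds. 198.51.100.9 is a
# normal relay whose sessions go on to deliver mail.
SAMPLE_LOG = """\
Nov 12 10:00:00 mx smtpd[201]: connect from [203.0.113.7]
Nov 12 10:00:00 mx smtpd[201]: [203.0.113.7] EHLO ylmf-pc
Nov 12 10:00:00 mx smtpd[201]: disconnect from [203.0.113.7] commands=ehlo
Nov 12 10:00:00 mx smtpd[202]: connect from [203.0.113.7]
Nov 12 10:00:00 mx smtpd[202]: [203.0.113.7] EHLO ylmf-pc
Nov 12 10:00:00 mx smtpd[202]: disconnect from [203.0.113.7] commands=ehlo
Nov 12 10:00:01 mx smtpd[203]: connect from [203.0.113.7]
Nov 12 10:00:01 mx smtpd[203]: [203.0.113.7] EHLO ylmf-pc
Nov 12 10:00:01 mx smtpd[203]: disconnect from [203.0.113.7] commands=ehlo
Nov 12 10:00:01 mx smtpd[204]: connect from [203.0.113.7]
Nov 12 10:00:01 mx smtpd[204]: [203.0.113.7] EHLO ylmf-pc
Nov 12 10:00:01 mx smtpd[204]: disconnect from [203.0.113.7] commands=ehlo
Nov 12 10:00:02 mx smtpd[205]: connect from [203.0.113.7]
Nov 12 10:00:02 mx smtpd[205]: [203.0.113.7] EHLO ylmf-pc
Nov 12 10:00:02 mx smtpd[205]: disconnect from [203.0.113.7] commands=ehlo
Nov 12 10:00:00 mx smtpd[206]: connect from [198.51.100.9]
Nov 12 10:00:00 mx smtpd[206]: [198.51.100.9] EHLO relay.example.org
Nov 12 10:00:03 mx smtpd[206]: disconnect from [198.51.100.9] commands=ehlo,starttls,mail,rcpt,data,quit
Nov 12 10:00:04 mx smtpd[207]: connect from [198.51.100.9]
Nov 12 10:00:04 mx smtpd[207]: [198.51.100.9] EHLO relay.example.org
Nov 12 10:00:05 mx smtpd[207]: disconnect from [198.51.100.9] commands=ehlo,starttls,mail,rcpt,data,quit
"""

# ": connect from" deliberately excludes the "disconnect from" lines.
CONNECT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*: connect from \[([\d.]+)\]")
EHLO_RE = re.compile(r"\[([\d.]+)\] EHLO (\S+)")
DISCONNECT_RE = re.compile(r"disconnect from \[([\d.]+)\] commands=(\S+)")


def parse_sessions(log_text):
    """Per source IP: connect timestamps, EHLO names seen, and whether every
    session stopped at EHLO (never sent STARTTLS, AUTH, MAIL, ...)."""
    harmless = {"ehlo", "helo", "quit", "rset", "noop"}
    stats = defaultdict(lambda: {"connects": [], "names": set(), "only_ehlo": True})
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            # syslog lines carry no year; a year-less parse is fine for deltas
            stats[m.group(2)]["connects"].append(
                datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
        elif m := EHLO_RE.search(line):
            stats[m.group(1)]["names"].add(m.group(2))
        elif m := DISCONNECT_RE.search(line):
            if set(m.group(2).split(",")) - harmless:
                stats[m.group(1)]["only_ehlo"] = False
    return dict(stats)


def peak_rate(times, window):
    """Most connects from one source that fall inside any span of `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_hammerers(log_text, threshold=4, window=timedelta(seconds=2),
                   bad_names=("ylmf-pc",)):
    """Flag a source if it announces a known-bad EHLO name, or if it never
    gets past EHLO yet connects at least `threshold` times per `window`.
    The numbers are assumptions; tune them to your own traffic."""
    hits = {}
    for ip, s in parse_sessions(log_text).items():
        peak = peak_rate(s["connects"], window)
        if s["names"] & set(bad_names) or (s["only_ehlo"] and peak >= threshold):
            hits[ip] = {"peak": peak, "names": sorted(s["names"]),
                        "only_ehlo": s["only_ehlo"]}
    return hits


def block_rules(hits, port=587):
    """Render temporary drop rules for the submission port (assumption:
    iptables syntax and port 587; adapt to your own firewall)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(hits)]


if __name__ == "__main__":
    hits = find_hammerers(SAMPLE_LOG)
    for ip, info in hits.items():
        print(ip, info)
    print("\n".join(block_rules(hits)))
```

The rate check on its own will also catch a legitimate but broken client stuck in a reconnect loop, which is why the rules it emits should expire the way a firewall connection limiter's blocks do rather than become permanent; the "never got past EHLO" condition is what separates this traffic from a busy relay that simply sends a lot of mail.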
I was going to confidently say that the ylmf-pc plague hits some of our machines much more than other ones and speculate about why, but it turns out that I can't; our inbound MX gateway doesn't even log machines that do this connect then disconnect game, so I can't tell whether or not the ylmf-pc brigade is ignoring them. They do seem to do at least a little bit of scanning of the Internet in general, but they also seem much more concentrated on machines with MX entries and machines with suggestive DNS names (such names seem to cause spammers to show up fast, although I haven't tried a scientific test of this).
(This is apparently the signature of a botnet called 'PushDo' or 'Cutwail', per this stackoverflow question and answer (also). The oldest mention I can find in my own logs is November of 2013, but it looks like this pattern may go back to 2012 and possibly earlier.)