HELO, MAIL FROM, QUIT is how spammers verify whether they are blacklisted
from that machine; at the same time they also look at the SMTP greeting
header to see which machine this is. This is also a way of cleaning up their
list in preparation for spamming: they want to make sure they are allowed in
and not blacklisted, so before a major event they would verify their FROM
address and, if it is not accepted, use a different domain in the from for
that particular mail server or a different IP address as an origin. I suspect
the 2nd part (IP address) is more important; they are trying to subdivide a
large email list among multiple relays and want the best hit ratio.
The above is my own conclusion and I've no real proof of this. But I think
this helps to explain what is going on.
On Wed, 12 Mar 2003 Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
On Wed, 12 Mar 2003 15:12:41 MST, Vernon Schryver
<vjs(_at_)calcite(_dot_)rhyolite(_dot_)com> said:
We don't see a lot of that on our spamtrap actually. What we see
_vastly_ more of is "HELO/MAIL FROM/QUIT" same "MAIL FROM" all the time.
God knows why they're doing that.
What's wrong with the obvious explanation, that they're validating
target lists? The (equivalents to) VRFYs in my logs tend to be for
HELO
MAIL FROM
QUIT
No RCPT TO.
I've seen a few myself, and no idea why either.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
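
One way to find the HELO / MAIL FROM / QUIT sessions discussed in this thread in a mail server's own logs, as an added example that is not part of the original messages. The log format, the function names and the sample lines are assumptions constructed for illustration; it counts sessions per client IP and envelope sender so that the repeated "same MAIL FROM" pattern stands out.

```python
from collections import Counter, defaultdict

# Constructed sample; assumed format: "<session-id> <client-ip> <SMTP command>".
SAMPLE_LOG = """\
s1 192.0.2.10 HELO mail.example.net
s1 192.0.2.10 MAIL FROM:<offers@example.net>
s1 192.0.2.10 QUIT
s2 198.51.100.7 EHLO mx.example.org
s2 198.51.100.7 MAIL FROM:<alice@example.org>
s2 198.51.100.7 RCPT TO:<bob@example.com>
s2 198.51.100.7 DATA
s2 198.51.100.7 QUIT
s3 192.0.2.10 HELO mail.example.net
s3 192.0.2.10 MAIL FROM:<offers@example.net>
s3 192.0.2.10 QUIT
s4 203.0.113.5 HELO host.example.com
s4 203.0.113.5 QUIT
"""

def parse_sessions(log_text):
    """Group command lines by session id, keeping the client IP."""
    sessions = defaultdict(lambda: {"ip": None, "cmds": []})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sid, ip, cmd = parts
        sessions[sid]["ip"] = ip
        sessions[sid]["cmds"].append(cmd.strip())
    return sessions

def envelope_sender(cmds):
    """Return the lower-cased MAIL FROM address, or None if no MAIL FROM was sent."""
    for cmd in cmds:
        if cmd.upper().startswith("MAIL FROM:"):
            rest = cmd[len("MAIL FROM:"):].split()  # drop ESMTP parameters
            return rest[0].strip("<>").lower() if rest else ""
    return None

def find_probes(log_text):
    """Count sessions with HELO/EHLO, MAIL FROM and QUIT but no RCPT TO."""
    probes = Counter()
    for s in parse_sessions(log_text).values():
        verbs = [c.split(":")[0].split()[0].upper() for c in s["cmds"]]
        sender = envelope_sender(s["cmds"])
        greeted = "HELO" in verbs or "EHLO" in verbs
        if greeted and sender is not None and "QUIT" in verbs and "RCPT" not in verbs:
            probes[(s["ip"], sender)] += 1
    return probes
```
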