From: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu
We don't see a lot of that on our spamtrap actually. What we see
_vastly_ more of is "HELO/MAIL FROM/QUIT" same "MAIL FROM" all the time.
God knows why they're doing that.
What's wrong with the obvious explanation, that they're validating
target lists? The (equivalents to) VRFYs in my logs tend to be for
HELO
MAIL FROM
QUIT
No RCPT TO.
I've seen a few myself, and no idea why either.
Oh, I've seen those mysteries. I thought Chris Lewis's note
lacked RCPT_To as a typo.
Could those be efforts to check for IP address or sender domain
blacklists? They wouldn't work for that if the target does something
like the typical sendmail "delay checks" business.
I'll raise the betting with complete SMTP transactions that land in
my traps with a body consisting of only "QUIT" and not to mailing list
control addresses but to dictionary attack names such as
black(_at_)calcite(_dot_)rhyolite(_dot_)com(_dot_) They're not common enough
to be ordinary
VRFY efforts.
Then there are the relay attempts that consist entrely of Hipcrime
style word lists.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg