Bill Thorson wrote:
> ASRG Group,
> I've been working on smtp server software and have
> noticed something very strange. We seem to have many
> connections made, mostly at night, who connect to
> port 25 and then disconnect right after the
> 220 Server Ready message. I believed that I
> had a bug in my software but now I am wondering if
> this is a bot of some type. Do spammers run bots
> to search for and create lists of mail servers to
> attack? Is this what I'm seeing?
The SMTP "channel" is unbelievably dirty.
On our spamtrap, we see machines making _thousands_ of transactions that
consist of only:
HELO somevalue
QUIT
or:
HELO somevalue
MAIL FROM:<some email address>
QUIT
Where the parameters for all of the attempts are exactly the same. I.e.:
50,000 "HELO my IP/QUIT" per day.
Perhaps 20-30% of all connections to the spamtrap show no discernible
purpose whatsoever - repeated connections with exactly the same
parameters, no attempts to deliver email, no attempts to dictionary, no
discernible effectiveness in trying to detect/exploit holes. Repeated
connections with _no_ commands.
What are they achieving by doing this over and over?
Who knows?
Probably broken spamware. I.e.: something that expects a response to
EHLO, but the spamtrap 500's those, and keeps trying to deliver the same
thing over and over....
Maybe they're trying to DDoS the spamtrap. Singularly pointless - it's
on a honking big pipe (it's receiving 2-3Gb/hour as it is), and
Postfix's "smtp-sink" benchmarking tool can handle any volume anyone
throws at it. You'd have to saturate a partial DS3 to slow it down.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
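The reply above describes three patterns worth separating from real delivery attempts when reading a mail server's connection logs: sessions that send only HELO/QUIT, sessions that send HELO/MAIL FROM/QUIT, and connections that send no commands at all, each repeated with identical parameters from the same source. The following is an added example (not code from the thread, the ASRG list, or Postfix) that classifies per-connection command sequences into those buckets and reports which source/parameter combinations recur. The log format, the `conn=... ip=... cmd=... arg=...` line layout, the IP addresses and the host names are all constructed for the example; a real MTA would need its own parser feeding the same `classify_session` function.

```python
import re
from collections import Counter

# Constructed sample log: one line per client command, and a DISCONNECT
# marker for connections that closed without sending anything. This line
# format is invented for the example, not any real MTA's log format.
SAMPLE_LOG = """\
conn=1 ip=203.0.113.7 cmd=HELO arg=203.0.113.7
conn=1 ip=203.0.113.7 cmd=QUIT arg=
conn=2 ip=203.0.113.7 cmd=HELO arg=203.0.113.7
conn=2 ip=203.0.113.7 cmd=QUIT arg=
conn=3 ip=203.0.113.7 cmd=HELO arg=203.0.113.7
conn=3 ip=203.0.113.7 cmd=QUIT arg=
conn=4 ip=198.51.100.9 cmd=HELO arg=bulkmailer
conn=4 ip=198.51.100.9 cmd=MAIL arg=FROM:<bounce@bulkmailer.invalid>
conn=4 ip=198.51.100.9 cmd=QUIT arg=
conn=5 ip=198.51.100.9 cmd=HELO arg=bulkmailer
conn=5 ip=198.51.100.9 cmd=MAIL arg=FROM:<bounce@bulkmailer.invalid>
conn=5 ip=198.51.100.9 cmd=QUIT arg=
conn=6 ip=192.0.2.33 cmd=DISCONNECT arg=
conn=7 ip=192.0.2.33 cmd=DISCONNECT arg=
conn=8 ip=192.0.2.50 cmd=EHLO arg=mx.partner.example
conn=8 ip=192.0.2.50 cmd=MAIL arg=FROM:<alice@partner.example>
conn=8 ip=192.0.2.50 cmd=RCPT arg=TO:<bob@spamtrap.example>
conn=8 ip=192.0.2.50 cmd=DATA arg=
conn=8 ip=192.0.2.50 cmd=QUIT arg=
"""

LINE_RE = re.compile(r"^conn=(\d+) ip=(\S+) cmd=(\S+) arg=(.*)$")


def parse_sessions(log_text):
    """Group log lines by connection id -> (client_ip, [(verb, arg), ...])."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        conn, ip, verb, arg = int(m.group(1)), m.group(2), m.group(3).upper(), m.group(4)
        sessions.setdefault(conn, (ip, []))[1].append((verb, arg))
    return sessions


def classify_session(commands):
    """Label one connection's command sequence by how far it got."""
    verbs = [v for v, _ in commands if v != "DISCONNECT"]
    if not verbs:
        return "no_commands"          # connected, sent nothing, went away
    if any(v in ("RCPT", "DATA") for v in verbs):
        return "delivery_attempt"     # real (or at least plausible) delivery
    if verbs in (["HELO", "QUIT"], ["EHLO", "QUIT"]):
        return "helo_quit"
    if verbs in (["HELO", "MAIL", "QUIT"], ["EHLO", "MAIL", "QUIT"]):
        return "mail_from_quit"
    return "other"


def session_signature(ip, commands):
    """(ip, category, greeting/sender parameters) used to spot exact repeats."""
    params = tuple(arg for v, arg in commands if v in ("HELO", "EHLO", "MAIL"))
    return (ip, classify_session(commands), params)


def find_repeated_probes(sessions, min_count=3):
    """Return [(signature, count)] for non-delivery sessions seen at least
    min_count times with identical source and parameters, most frequent first."""
    counts = Counter()
    for ip, commands in sessions.values():
        sig = session_signature(ip, commands)
        if sig[1] != "delivery_attempt":
            counts[sig] += 1
    hits = [(sig, n) for sig, n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for sig, n in find_repeated_probes(sessions, min_count=2):
        ip, category, params = sig
        print(f"{n:>4}x {ip:<14} {category:<16} {params}")
```

Running it on the constructed log lists the three repeating sources with their category and the HELO/MAIL FROM values they reuse, while the one real delivery attempt is left out of the probe count. That separation is the practical point: rate limits, tarpits or blocklist decisions derived from "connections per source" should be tuned on the noise population the reply describes, not on the much smaller set of sessions that ever reach RCPT or DATA.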