OSEC
Re: large amounts of disconnects

From: Tony Earnshaw (tonni@hetnet.nl)
Date: Mon Jan 01 2007 - 07:20:21 CST


Roman Novak - roman.novakiskrasistemi.si wrote:

> In the last 2 weeks I have been noticing enormous amounts of strange connections
> to the mail server from all over the world. An example from the logs:
>
> Jan 1 13:09:03 mercury postfix/smtpd[22974]: connect from
> 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
> Jan 1 13:09:03 mercury postfix/smtpd[22974]: lost connection after EHLO
> from 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
> Jan 1 13:09:03 mercury postfix/smtpd[22974]: disconnect from
> 157.Red-81-33-236.dynamicIP.rima-tde.net[81.33.236.157]
>
>
> Transcript of session follows.
>
> Out: 220 mercury.mydomain.net ESMTP something
> In: EHLO
> Out: 501 Syntax: EHLO hostname
>
> Session aborted, reason: lost connection
>
>
> Right now it is just filling my logs, but the amount is 2-3 times larger
> than the normal volume of spam probes.
>
> Is anybody else getting this?

Not the volume you describe, but we do get that occasionally. We turn
away (refuse subnets) 3-400 bots a day. We analyzed the OSes on the
machines connecting to port 25 on our MTA using p0f and they are around
95% Windows XP/2000. I read the transactions regularly and it's obvious
that there are a number of different spammer software versions knocking
around - which do different things.

> Is this some new spam/malware going around and probing mail servers or
> can this be some mis-configuration or performance problem?

Looks like broken bot software to me. Spammer grandi rent out subnets of
bots and mugs install their own spammer software on them - that could be
subnets and bots anywhere in the world. rima-tde.net is one of the ISPs
we block completely.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet.nl
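A defender-side way to measure the pattern Roman describes, as an added example that is not part of this thread or of Postfix itself: parse postfix/smtpd log lines, count per client the sessions that were lost immediately after EHLO/HELO (the bare "EHLO" followed by a 501 and a drop), and aggregate the same events by the rDNS parent domain, which is roughly the granularity at which Tony refuses subnets. The log lines below are constructed in the format of the excerpt above, use documentation address ranges, and the abort threshold is an assumption.

```python
import re
from collections import Counter

# Postfix smtpd line: "<Mon> <day> <time> <server> postfix/smtpd[<pid>]: <message>"
SMTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "connect from rdns[ip]", "disconnect from rdns[ip]",
# "lost connection after EHLO from rdns[ip]" (stage may be HELO, DATA, ...)
EVENT_RE = re.compile(
    r"^(?P<event>connect|disconnect|lost connection after (?P<stage>[A-Z0-9-]+)) from "
    r"(?P<rdns>\S+)\[(?P<ip>[^\]]+)\]"
)

# Constructed sample log (not real traffic): one client aborting at EHLO three
# times, a sibling from the same ISP once, one normal session, one DATA-stage
# loss that must not be counted, and a non-smtpd line the parser must skip.
SAMPLE_LOG = """\
Jan  1 13:09:03 mercury postfix/smtpd[22974]: connect from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:09:03 mercury postfix/smtpd[22974]: lost connection after EHLO from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:09:03 mercury postfix/smtpd[22974]: disconnect from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:09:41 mercury postfix/smtpd[22980]: connect from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:09:41 mercury postfix/smtpd[22980]: lost connection after EHLO from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:09:41 mercury postfix/smtpd[22980]: disconnect from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:10:02 mercury postfix/smtpd[22991]: connect from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:10:02 mercury postfix/smtpd[22991]: lost connection after HELO from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:10:02 mercury postfix/smtpd[22991]: disconnect from 10.Red-203-0-113.dyn.isp-a.example[203.0.113.10]
Jan  1 13:10:15 mercury postfix/smtpd[22995]: connect from 11.Red-203-0-113.dyn.isp-a.example[203.0.113.11]
Jan  1 13:10:15 mercury postfix/smtpd[22995]: lost connection after EHLO from 11.Red-203-0-113.dyn.isp-a.example[203.0.113.11]
Jan  1 13:10:15 mercury postfix/smtpd[22995]: disconnect from 11.Red-203-0-113.dyn.isp-a.example[203.0.113.11]
Jan  1 13:10:30 mercury postfix/smtpd[22999]: connect from mx.example.org[198.51.100.5]
Jan  1 13:10:31 mercury postfix/smtpd[22999]: disconnect from mx.example.org[198.51.100.5]
Jan  1 13:10:44 mercury postfix/smtpd[23004]: connect from unknown[192.0.2.7]
Jan  1 13:10:50 mercury postfix/smtpd[23004]: lost connection after DATA from unknown[192.0.2.7]
Jan  1 13:10:50 mercury postfix/smtpd[23004]: disconnect from unknown[192.0.2.7]
Jan  1 13:11:00 mercury postfix/qmgr[1234]: 0123ABCD: removed
"""


def parse_line(line):
    """Return the client event on an smtpd log line, or None for other lines."""
    m = SMTPD_RE.match(line)
    if not m:
        return None
    e = EVENT_RE.match(m.group("msg"))
    if not e:
        return None
    kind = "lost" if e.group("event").startswith("lost") else e.group("event")
    return {"pid": m.group("pid"), "kind": kind, "stage": e.group("stage"),
            "rdns": e.group("rdns"), "ip": e.group("ip")}


def parent_domain(rdns, labels=2):
    """Last two labels of the reverse DNS name ('unknown' stays as is)."""
    parts = rdns.rstrip(".").split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else rdns


def summarize(log_text):
    """Count connects per IP, EHLO/HELO-stage losses per IP, and losses per rDNS domain."""
    connects, early_aborts, by_domain = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "connect":
            connects[rec["ip"]] += 1
        elif rec["kind"] == "lost" and rec["stage"] in ("EHLO", "HELO"):
            early_aborts[rec["ip"]] += 1
            by_domain[parent_domain(rec["rdns"])] += 1
    return connects, early_aborts, by_domain


def suspicious_clients(log_text, min_aborts=2):
    """Clients whose every session died at EHLO/HELO, at least min_aborts times (threshold assumed)."""
    connects, early_aborts, _ = summarize(log_text)
    flagged = []
    for ip, n in early_aborts.items():
        total = connects[ip] or n   # tolerate a log window missing the connect line
        if n >= min_aborts and n == total:
            flagged.append((ip, n))
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    _, _, domains = summarize(SAMPLE_LOG)
    print("clients:", suspicious_clients(SAMPLE_LOG))
    print("domains:", domains.most_common(3))
```

The per-domain counter is what turns individual bot IPs into the ISP-level view Tony acts on; the per-IP check deliberately requires that all of a client's sessions died at EHLO, so a legitimate relay that happens to drop one session is not flagged alongside the broken bots.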