strange behaviour from spammers

That sounds almost too corny to be taken seriously. Let me explain. I’m tuning
my mailservers. Due to a sharp increase in spam during the last week, things
started to creak and squeak. So I turned up my logging and started with the
low-hanging fruit first. More on that in a future post.

But browsing through logfiles I noticed a strange pattern of behaviour from
certain hosts:

Mar 29 18:57:27 mailfallback1 postfix/smtpd{14421}: NOQUEUE: reject:
RCPT from xxx-218-222-201.adsl.terra.cl{201.222.218.xxx}: 504 5.5.2
{usuario-10c7392}: Helo command rejected: need fully-qualified hostname;
from={knlgresqgef@ xxxxxxxx.com} to={az795113.1731@xxxxxxxx.nl} proto=ESMTP
helo={usuario-10c7392}
Mar 29 18:57:27 mailfallback1 postfix/smtpd{14421}: NOQUEUE: reject: RCPT
from xxx-218-222-201.adsl.terra.cl{201.222.218.xxx}: 504 5.5.2
{usuario-10c7392}: Helo command rejected: need fully-qualified hostname;
from={knlgresqgef@ xxxxxxxx.com} to={az9871@ xxxxxxxx.nl} proto=ESMTP
helo={usuario-10c7392}
Mar 29 18:57:27 mailfallback1 postfix/smtpd{14421}: NOQUEUE: reject: RCPT
from xxx-218-222-201.adsl.terra.cl{201.222.218.xxx}: 504 5.5.2
{usuario-10c7392}: Helo command rejected: need fully-qualified hostname;
from={knlgresqgef@ xxxxxxxx.com} to={aza80@ xxxxxxxx.nl} proto=ESMTP
helo={usuario-10c7392}

and 8 more like that from that specific IP. After getting a reject (its HELO
hostname doesn’t resolve) it tried reusing the 11 open sessions for sending
mail to another account, and another, before closing the connection.
Obviously the zombie at the other end doesn’t parse responses.

Looking for more, I found many thousands of identically patterned attempts from
as many different hosts over the last couple of hours. This seems to have
started a week ago, give or take a day. Always a relatively fresh zombie,
though about half of them already made it to some kind of DNSBL.
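
To find every client showing this pattern, the reject lines can be grouped by client address and smtpd process id, and the sessions that kept issuing RCPT after the HELO reject counted. The script below is an added example, not part of the original post; the function names, the threshold and the sample log lines are assumptions, and it expects one syslog entry per line.

```python
import re
from collections import defaultdict

# Matches Postfix smtpd HELO rejects logged at RCPT time. Accepts the real
# bracket style ([pid], host[ip], <addr>) and the braces used in the excerpt.
REJECT = re.compile(
    r"postfix/smtpd[\[{](?P<pid>\d+)[\]}]: NOQUEUE: reject: RCPT from "
    r"\S+?[\[{](?P<ip>[^\]}]+)[\]}]: 504 5\.5\.2 "
    r".*?Helo command rejected: need fully-qualified hostname;"
    r".*? to=[<{]\s*(?P<rcpt>[^>}]*)[>}]"
)

def helo_reject_retries(lines, threshold=3):
    """Map (client_ip, smtpd_pid) -> recipients tried, for clients that kept
    sending RCPT after their HELO had already been rejected."""
    sessions = defaultdict(list)
    for line in lines:
        m = REJECT.search(line)
        if m:
            sessions[(m["ip"], m["pid"])].append(m["rcpt"])
    # smtpd pids get reused over time, so window by timestamp on long logs.
    return {k: v for k, v in sessions.items() if len(v) >= threshold}

def _line(pid, ip, rcpt):  # builds one constructed sample log line
    return (f"Mar 29 18:57:27 mx1 postfix/smtpd[{pid}]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 504 5.5.2 <pc-01>: Helo command "
            f"rejected: need fully-qualified hostname; from=<a@example.com> "
            f"to=<{rcpt}> proto=ESMTP helo=<pc-01>")

# Constructed sample: one client ignores the reject, one gives up after it.
SAMPLE = [
    _line(14421, "203.0.113.7", "u1@example.nl"),
    _line(14421, "203.0.113.7", "u2@example.nl"),
    _line(14421, "203.0.113.7", "u3@example.nl"),
    _line(14500, "203.0.113.9", "u1@example.nl"),
    "Mar 29 18:57:30 mx1 postfix/smtpd[14501]: connect from mx.example.org[198.51.100.4]",
]

if __name__ == "__main__":
    for (ip, pid), rcpts in helo_reject_retries(SAMPLE).items():
        print(f"{ip} smtpd[{pid}]: {len(rcpts)} RCPTs after HELO reject")
```

The flagged addresses can be compared against DNSBL listings or fed to a rate limiter; a client that stops after the first 504 stays below the threshold.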

Useless waste of bandwidth. Spammers stupid.

for google: multiple connect, mailserver, zombie, spammer, attack
