I have received the following logs on my mail server regularly over the last 2-3 months, showing spammers' attempts to send me junk mail. The log is generated by Postfix automatically and sent to my postmaster box.
Out: 220 mx.yang.id.au ESMTP Postfix
In: POST / HTTP/1.0
Out: 502 Error: command not implemented
In: Content-Type: text/plain
Out: 502 Error: command not implemented
In: Content-Length: 1111
Out: 502 Error: command not implemented
In: Host: mx.yang.id.au
Out: 502 Error: command not implemented
In: X-Forwarded-For: [Spammer's fake real address]
Out: 502 Error: command not implemented
In: Connection: Keep-Alive
Out: 502 Error: command not implemented
In:
Out: 500 Error: bad syntax
In: RSET
Out: 250 Ok
In: HELO yahoo.de
Out: 250 mx.yang.id.au
In: MAIL FROM:<Spammer's fake Hotmail address>
Out: 250 Ok
In: RCPT TO:
Out: 554 Service unavailable; [Spammer's real IP] blocked using bl.spamcop.net, reason: Blocked - see http://www.spamcop.net/bl.shtml?Spammer's real IP
In: DATA
Out: 554 Error: no valid recipients
In: To: <My real email address>
Out: 502 Error: command not implemented
In: From: "eddie" <Spammer's another fake Hotmail address>
Out: 221 Error: I can break rules, too. Goodbye.
Lines that appear in green (the "In:" lines) are requests sent by the spammer's program. Lines that appear in red (the "Out:" lines) are responses from my Postfix server. Fortunately I have used SpamCop as my RBL to block these offending SMTP transactions by the IP address they originate from. Interestingly, it tried to issue HTTP commands when it first connected to the mail server. It does a POST to the root index, which Postfix obviously would not handle. I wonder whether it is trying to find exploits against an unsecured mail server, testing for an open proxy server running on port 25 (why would people do that), or something else. Another interesting observation is the response given by Postfix: instead of dropping the connection after the first few invalid commands, it actually allows the spammer to continue and issue a RSET to switch the conversation back to the SMTP protocol. The connection should have been dropped after a few lines of bogus requests.
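As an added example (not from the original post), here is a small Python script that parses a transcript in this In:/Out: shape, flags a session that opens with an HTTP verb, and counts the 5xx replies Postfix returned, so you can see where a lower smtpd_hard_error_limit (the Postfix parameter that makes smtpd disconnect a client after too many errors; its default is 20) would have ended the session. The transcript, host name and IP are constructed, and the exact count at which Postfix disconnects is modelled as reaching the limit, which is an assumption.

```python
import re

# Constructed transcript in the same "In:/Out:" shape as the postmaster
# notice above; host name and IP are placeholders, not the original values.
TRANSCRIPT = """\
Out: 220 mx.example.test ESMTP Postfix
In: POST / HTTP/1.0
Out: 502 Error: command not implemented
In: Content-Type: text/plain
Out: 502 Error: command not implemented
In: Content-Length: 1111
Out: 502 Error: command not implemented
In: Host: mx.example.test
Out: 502 Error: command not implemented
In: X-Forwarded-For: 192.0.2.10
Out: 502 Error: command not implemented
In:
Out: 500 Error: bad syntax
In: RSET
Out: 250 Ok
In: HELO yahoo.de
Out: 250 mx.example.test
"""

HTTP_VERBS = {"GET", "POST", "HEAD", "PUT", "OPTIONS", "CONNECT"}

def parse_transcript(text):
    """Return (direction, line) pairs; direction is 'In' (client) or 'Out' (server)."""
    pairs = []
    for raw in text.splitlines():
        m = re.match(r"^(In|Out):\s?(.*)$", raw)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def analyse(text, hard_error_limit=20):
    """Flag a session whose first command is an HTTP verb, count the 5xx replies,
    and report the error number at which hard_error_limit would have disconnected
    the client (None if never). Assumption: disconnect once the count reaches it."""
    pairs = parse_transcript(text)
    first_cmd = next((line for d, line in pairs if d == "In"), "")
    http_probe = first_cmd.split(" ")[0].upper() in HTTP_VERBS
    errors, dropped_after = 0, None
    for d, line in pairs:
        if d == "Out" and line.startswith("5"):
            errors += 1
            if dropped_after is None and errors >= hard_error_limit:
                dropped_after = errors
    return {"http_probe": http_probe, "errors": errors, "dropped_after": dropped_after}
```

With the default limit of 20 the constructed session is never cut off; with a limit of 5 it would have ended before the spammer's RSET.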
I did not go and look up the IP address of the offending host, but I suspect that it is probably one of the machines that have been infected by a virus, and thus bow down to their dark lord, hmm, I mean spammer. Pity that these zombies around the world have been aiding the ugly business of sending junk mail…