I have received the following logs on my mail server regularly over the last 2-3 months, showing attempts of spammers trying to send me a junk mail. The log is generated by Postfix automatically, and send to my postmaster box.
Out: 220 mx.yang.id.au ESMTP Postfix In: POST / HTTP/1.0 Out: 502 Error: command not implemented In: Content-Type: text/plain Out: 502 Error: command not implemented In: Content-Length: 1111 Out: 502 Error: command not implemented In: Host: mx.yang.id.au Out: 502 Error: command not implemented In: X-Forwarded-For: [Spammer's fake real address] Out: 502 Error: command not implemented In: Connection: Keep-Alive Out: 502 Error: command not implemented In: Out: 500 Error: bad syntax In: RSET Out: 250 Ok In: HELO yahoo.de Out: 250 mx.yang.id.au In: MAIL FROM:<Spammer's fake Hotmail address> Out: 250 Ok In: RCPT TO:
Out: 554 Service unavailable; [Spammer's real IP] blocked using bl.spamcop.net, reason: Blocked - see http://www.spamcop.net/bl.shtml?Spammer's real IP In: DATA Out: 554 Error: no valid recipients In: To: <My real email address> Out: 502 Error: command not implemented In: From: "eddie" <Spammer's another fake Hotmail address> Out: 221 Error: I can break rules, too. Goodbye.
Lines that appear in green are requests sent out by spammer's program. Lines that appear in red are responses from my Postfix server. Fortunately I have used SpamCop as my RBL to block these offending SMTP transactions by the IP address they are originating. Interestingly that it tried to issue HTTP commands when it first connects to the mail server. It does a POST to the root index, and obviously Postfix would not handle it. I wonder whether it is trying to find some exploits against unsecured mail server, testing for a open proxy server running at port 25 (why would people do that) or something else. Another interesting observation is the response given by Postfix - instead of dropping the connection after first few invalid commands have been entered, it actually allows the spammer to continue and issue a RSET to change conversation back to SMTP protocol. The connection should have been dropped after a few lines of bogus requests.
I did not go and look up the IP address of the offending host, but I suspect that it is probably one of the machines that have been infected by virus, and thus bow down to their
dark lord, hmm, I mean spammer. Pitty that these zombies around the world have been aiding the ugly business of sending junk mails...