On Sun, 11 Aug 2024 13:44:16 +0000, Slavko via mailop <mailop@mailop.org>
wrote:

>It is not big amount, nothing to worry about, i am just curious, if
>someone know what botnet/malware is behind that, as i cannot
>find any details about that. Please is it something known?

There is a wide variety of botnet activity, most of it startlingly inept.  

One variety insists on "EHLO User", ignores "550 5.7.1 Sender unknown" then
sends AUTH LOGIN, having no idea how to interpret "500 5.0.0 Unrecognized
command".  Eventually it gives up, to return 250 milliseconds later and try
again.  Hundreds of these from dozens of compromised IPs dot the daily log.
Eventually the "not more than N connections in M minutes" rule sends the IP
away for a day or two.

Then there's the 
  <-- MAIL From:<www.johnb...@honet.com>
  --> 530 5.7.0 Authentication required
  <-- RCPT To:<www.johnb...@honet.com>
  --> 503 5.5.1 Bad command sequence
  <-- DATA
  --> 503 5.5.1 Bad command sequence
show, repeated hundreds of times by dozens of compromised IPs.

The slightly less insane ones, apparently, notice the absence of "250-AUTH
LOGIN CRAM-MD5 PLAIN" in the banner (suppressed because of geolocated non-US
IP), do STARTTLS, notice no change in the banner, and quit.  Only to return
again and insanely try again N-1 times.

I mercifully refrain from detailing the other whackitudes.

mdr
-- 
         "There are no laws here, only agreements."  
                -- Masahiko
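As an added illustration (not code from the post or from any mailop participant), a small Python checker that labels per-session SMTP transcripts with the three bot patterns described above and applies a sliding-window version of the "not more than N connections in M minutes" rule. The sample sessions, IPs, addresses and banner text are constructed; the label names and the `SESSIONS` layout are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sessions, not real logs: (client_ip, connect_time, [(client_cmd, server_reply), ...]).
SESSIONS = [
    ("203.0.113.7", "2024-08-11T13:40:00.000", [
        ("EHLO User", "250-mx.example.net"),
        ("MAIL FROM:<bogus@example.org>", "550 5.7.1 Sender unknown"),
        ("AUTH LOGIN", "500 5.0.0 Unrecognized command")]),
    ("203.0.113.7", "2024-08-11T13:40:00.250", [  # same bot, back 250 ms later
        ("EHLO User", "250-mx.example.net"), ("AUTH LOGIN", "500 5.0.0 Unrecognized command")]),
    ("198.51.100.9", "2024-08-11T13:40:05.000", [
        ("MAIL From:<somebody@example.com>", "530 5.7.0 Authentication required"),
        ("RCPT To:<somebody@example.com>", "503 5.5.1 Bad command sequence"),
        ("DATA", "503 5.5.1 Bad command sequence")]),
    ("192.0.2.44", "2024-08-11T13:41:00.000", [
        ("EHLO relay.example.com", "250-mx.example.net"), ("STARTTLS", "220 2.0.0 Ready to start TLS"),
        ("EHLO relay.example.com", "250-mx.example.net"), ("QUIT", "221 2.0.0 Bye")]),
]

def classify(pairs):
    """Label one session with the bot pattern from the post that it matches, or 'other'."""
    cmds = [c.upper() for c, _ in pairs]
    verbs = [c.split()[0] for c in cmds]
    codes = [r[:3] for _, r in pairs]
    if "EHLO USER" in cmds and "AUTH" in verbs:        # "EHLO User", then AUTH LOGIN regardless of replies
        return "ehlo-user-blind-auth"
    if "AUTH" not in verbs and "530" in codes and "503" in codes:  # MAIL/RCPT/DATA pushed with no AUTH
        return "envelope-before-auth"
    if "STARTTLS" in verbs and "AUTH" not in verbs and verbs[-1] == "QUIT":  # probe TLS, then give up
        return "starttls-then-quit"
    return "other"

def over_limit(sessions, max_conn, window_minutes):
    """IPs that opened more than max_conn connections inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    recent, flagged = defaultdict(deque), set()
    for ip, ts in sorted((ip, datetime.fromisoformat(ts)) for ip, ts, _ in sessions):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop connections that have fallen out of the window
            q.popleft()
        if len(q) > max_conn:
            flagged.add(ip)
    return flagged
```

Run against the sample, the 250 ms revisit from 203.0.113.7 is the only IP the rule catches at N=1, M=5; the per-session labels show which of the three dances each client performed.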

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
