On Sat, Mar 08, 2025 at 12:08:15PM +0100, Jaroslaw Rafa via mailop wrote:
> On 7.03.2025 at 20:39:47 John Levine via mailop wrote:
>> I have a fake auth on port 25. Local users sending mail do real auth on
>> port 465 or 587.
>> I get plenty of bot auth traffic on port 25.
> But why bother about auth attempts on port 25 if we can just turn off auth
> on that port?

Botnets will attempt AUTH on port 25 even if AUTH was not advertised in the EHLO response. This shouldn't come as a surprise: typical botnet authors haven't even heard of RFCs, much less read one, and instead blindly cut-and-paste other script kiddies' barely-working code without understanding any of it.

This means that the use of AUTH on port 25 is a very strong signal that the particular IP address is part of a botnet. Having botnets identify themselves so easily is to be encouraged.

What a mailserver operator then does with this information is up to them. Some may choose to put in the effort to wind up the botnet operator by pretending AUTH was successful then relaying the probes but dropping the actual spam run. Most don't have the time for that and would e.g. just add the IP address to a blacklist and get on with their day.
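The signal described in this message, as an added example that is not part of the original post: a small Python pass over per-connection SMTP transcripts that counts AUTH commands arriving on port 25 and how many of them came without AUTH in the EHLO response. The log format, the function names and the sample lines are assumptions constructed for illustration, not any real MTA's output.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up format (an assumption, not a real MTA log):
# "<conn-id> <client-ip> <local-port> <C|S> <SMTP line>"
SAMPLE_LOG = """\
c1 192.0.2.10 25 C EHLO mail.example.net
c1 192.0.2.10 25 S 250 8BITMIME
c1 192.0.2.10 25 C MAIL FROM:<a@example.net>
c2 198.51.100.7 25 C EHLO User
c2 198.51.100.7 25 S 250 8BITMIME
c2 198.51.100.7 25 C AUTH LOGIN
c3 203.0.113.5 587 C EHLO laptop.local
c3 203.0.113.5 587 S 250 AUTH PLAIN LOGIN
c3 203.0.113.5 587 C AUTH LOGIN
c4 198.51.100.7 25 C auth login
c5 203.0.113.99 25 C EHLO host
c5 203.0.113.99 25 S 250 AUTH LOGIN
c5 203.0.113.99 25 C AUTH LOGIN
"""

ADVERTISED = re.compile(r"^250[- ]AUTH([ =]|$)", re.I)  # AUTH keyword in EHLO reply
ATTEMPT = re.compile(r"^AUTH( |$)", re.I)               # client AUTH command

def auth_on_port_25(log):
    """Map client IP -> [AUTH attempts on port 25, of which unadvertised]."""
    advertised = set()  # connections whose EHLO reply offered AUTH
    hits = defaultdict(lambda: [0, 0])
    for raw in log.splitlines():
        parts = raw.split(" ", 4)
        if len(parts) < 5:
            continue  # skip malformed lines
        conn, ip, port, side, line = parts
        if port != "25":
            continue  # real users authenticate on 465 or 587
        if side == "S" and ADVERTISED.match(line):
            advertised.add(conn)
        elif side == "C" and ATTEMPT.match(line):
            hits[ip][0] += 1
            if conn not in advertised:
                hits[ip][1] += 1  # client ignored the EHLO response
    return dict(hits)

def blocklist_candidates(log):
    """IPs that sent AUTH on port 25 at least once, sorted for stable output."""
    return sorted(auth_on_port_25(log))

if __name__ == "__main__":
    print(auth_on_port_25(SAMPLE_LOG))
```

The second count separates clients that sent AUTH without it being offered from those that responded to an AUTH keyword advertised on port 25, such as the fake one mentioned in the quoted text.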