Gerben Wierda:
> Now that I finally have a postfix back with actual logging, I noticed this in
> my log:
>
> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from
> [182.99.42.88]:49546 to [192.168.2.66]:25
> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from
> [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from
> unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from
> unknown[182.99.42.88] ehlo=1 commands=1

This is a very common spambot. Postfix sends 220-$smtpd_banner and
it talks before its turn with:

    EHLO ylmf-pc

These bots are very stupid and very persistent. My maillog file for
today has 3500 of these, and that is with 6 more hours to go.

> I was wondering (just curious) what these (Chinese) types are
> actually trying to do.

Trying to send spam, with a borked SMTP implementation. This is the
most common postscreen pregreet pattern.

> It looks like polling based on the expectation that some other
> payload has corrupted my postfix. But I'm curious to what it really
> is (if known).

You are vastly overestimating this spambot.

	Wietse
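
Added example, not part of the original thread: a small log summarizer that counts postscreen PREGREET events per client address and per greeting text, which is how a figure like "3500 of these" can be checked against a maillog. The sample log lines are constructed (documentation address ranges) in the format quoted above; the function names are illustrative.

```python
import re
from collections import Counter

# postscreen logs: PREGREET <count> after <seconds> from [addr]:port: <text>
PREGREET = re.compile(
    r"postfix/postscreen\[\d+\]: PREGREET (?P<count>\d+) after (?P<delay>[\d.]+) "
    r"from \[(?P<addr>[^\]]+)\]:(?P<port>\d+): (?P<text>.*)$"
)

def parse_pregreet(line):
    """Return (client address, delay in seconds, greeting text) or None."""
    m = PREGREET.search(line.rstrip("\n"))
    if m is None:
        return None
    # The log shows CR/LF as the literal characters \r\n; drop them from the text.
    text = m.group("text").replace("\\r", "").replace("\\n", "").strip()
    return m.group("addr"), float(m.group("delay")), text

def summarize(lines):
    """Count PREGREET events per client address and per greeting text."""
    by_client, by_greeting = Counter(), Counter()
    for line in lines:
        hit = parse_pregreet(line)
        if hit:
            addr, _delay, text = hit
            by_client[addr] += 1
            by_greeting[text] += 1
    return by_client, by_greeting

# Constructed sample input (documentation addresses), in the format quoted above.
SAMPLE_LOG = r"""
Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [192.0.2.10]:49546 to [198.51.100.5]:25
Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [192.0.2.10]:49546: EHLO ylmf-pc\r\n
Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[192.0.2.10]
Dec 30 23:31:02 mail postfix/postscreen[16020]: PREGREET 14 after 0.31 from [192.0.2.10]:50112: EHLO ylmf-pc\r\n
Dec 30 23:40:47 mail postfix/postscreen[16020]: PREGREET 14 after 0.22 from [2001:db8::7]:40022: EHLO ylmf-pc\r\n
Dec 30 23:52:13 mail postfix/postscreen[16020]: PREGREET 23 after 0.05 from [203.0.113.9]:33170: HELO mail.example.net\r\n
""".strip().splitlines()

if __name__ == "__main__":
    clients, greetings = summarize(SAMPLE_LOG)
    for text, n in greetings.most_common():
        print(f"{n:5d}  {text}")
    for addr, n in clients.most_common():
        print(f"{n:5d}  {addr}")
```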