Wietse Venema:
> Gerben Wierda:
> > Now that I finally have a postfix back with actual logging, I noticed this in
> > my log:
> >
> > Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
> > Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> > Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> > Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
> > Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
>
> This is a very common spambot. Postfix sends
>
>     220-$smtpd_banner
>
> and it talks before its turn with:
>
>     EHLO ylmf-pc
>
> These bots are very stupid and very persistent. My maillog file for
> today has 3500 of these, and that is with 6 more hours to go.

Oh, and I do ENFORCE the pregreet test, so these bots never get to talk
to a Postfix SMTP daemon.

	Wietse

> > I was wondering (just curious) what these (Chinese) types are
> > actually trying to do.
>
> Trying to send spam, with a borked SMTP implementation. This is
> the most common postscreen pregreet pattern.
>
> > It looks like polling based on the expectation that some other
> > payload has corrupted my postfix. But I'm curious to what it really
> > is (if known).
>
> You are vastly overestimating this spambot.
>
> 	Wietse
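
Added example, not part of the original thread and not Postfix code: a Python check over maillog lines in the format quoted above that counts PREGREET events per client and flags clients that were still handed to smtpd afterwards, as in the quoted log. The function name `analyze` and the second client's log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first client's lines follow the excerpt quoted above;
# the second client (192.0.2.10, documentation range) is made up.
SAMPLE_LOG = r"""
Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
Dec 30 23:31:02 mail postfix/postscreen[16020]: CONNECT from [192.0.2.10]:40112 to [192.168.2.66]:25
Dec 30 23:31:02 mail postfix/postscreen[16020]: PREGREET 14 after 0.11 from [192.0.2.10]:40112: EHLO ylmf-pc\r\n
Dec 30 23:31:02 mail postfix/postscreen[16020]: DISCONNECT [192.0.2.10]:40112
"""

# postscreen logs the premature client text after the final colon.
PREGREET = re.compile(
    r"postfix/postscreen\[\d+\]: PREGREET \d+ after ([\d.]+) "
    r"from \[([^\]]+)\]:\d+: (.*)$")
# ": connect from" does not match smtpd's "disconnect from" lines.
SMTPD_CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([^\]]+)\]")


def analyze(lines):
    """Count PREGREET events and find clients that still reached smtpd."""
    pregreet = Counter()    # client IP -> number of PREGREET events
    greetings = Counter()   # premature text as logged -> count
    handed_off = set()      # failed the pregreet test, then connected to smtpd
    for line in lines:
        m = PREGREET.search(line)
        if m:
            _delay, ip, text = m.groups()
            pregreet[ip] += 1
            greetings[text] += 1
            continue
        m = SMTPD_CONNECT.search(line)
        if m and m.group(1) in pregreet:
            handed_off.add(m.group(1))
    return {"pregreet": pregreet, "greetings": greetings,
            "handed_off": handed_off}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, count in result["pregreet"].most_common():
        reached = ip in result["handed_off"]
        print(ip, count, "reached smtpd" if reached else "stopped at postscreen")
```

A non-empty `handed_off` set means postscreen only logged the pregreet failure; with `postscreen_greet_action = enforce` (or `drop`) such clients are not handed to smtpd. A client that also connects to an smtpd service not fronted by postscreen would show up here as well.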