Hey Everyone... I have seen this constantly in my logs for days now. I
can start including the IPs in my block list, but they are all over the
board. Have any of you seen this pattern, and if so, can you give me some
advice on what it is and the best way to stop it?
Here is a log segment...
20061113 091747 127.0.0.1 SMTPD (7e8ba54000bea330) [88.154.146.126] EHLO |http://mail.oldartero.com:8889/cgi-bin/put

This oldartero junk is everywhere, by 10s of 1000s. Looks like a
bot-meister screwed up his bots and sent a URL in the EHLO field with
always-illegal DNS characters.
Imail can't do it, but IMGate has a reject_unknown_hostname
("hostname" = helo hostname) or a more specific filter.
Sending IPs using oldartero as EHLO are waving a red flag at you,
confessing guilt:
"I'm a mail-bot-infected IP doing direct-to-MX spamming", so
harvesting these IPs into an access control file or weighting system
is one way to thank them for their honesty. :)
Len
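One way to do the harvesting Len describes, as an added example that is not from the thread or from IMail/IMGate: parse the IMail SMTPD log lines, check the HELO/EHLO argument against the RFC 5321 syntax (a domain or a bracketed address literal), and count the connecting IPs that sent an illegal one. The log line shape comes from the post; the other sample lines are constructed.

```python
import re
from collections import Counter

# First line is the one quoted in the post; the rest are constructed samples.
LOG_LINES = """\
20061113 091747 127.0.0.1 SMTPD (7e8ba54000bea330) [88.154.146.126] EHLO |http://mail.oldartero.com:8889/cgi-bin/put
20061113 091802 127.0.0.1 SMTPD (7e8ba54000bea331) [192.0.2.10] EHLO mx1.example.net
20061113 091815 127.0.0.1 SMTPD (7e8ba54000bea332) [198.51.100.7] EHLO [198.51.100.7]
20061113 091820 127.0.0.1 SMTPD (7e8ba54000bea333) [88.154.146.126] EHLO |http://mail.oldartero.com:8889/cgi-bin/put
20061113 091833 127.0.0.1 SMTPD (7e8ba54000bea334) [203.0.113.5] HELO evil host
""".splitlines()

# Pull out the connecting IP (in square brackets) and the HELO/EHLO argument.
LINE_RE = re.compile(r"\[(?P<ip>[0-9.]+)\] (?:EHLO|HELO) (?P<arg>.*)$")

# RFC 5321 HELO/EHLO argument: a domain made of letter/digit/hyphen labels
# joined by dots, or an IPv4 address literal in square brackets.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
ADDR_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")


def helo_is_legal(arg: str) -> bool:
    """True if the HELO/EHLO argument is syntactically a hostname or address literal."""
    return bool(DOMAIN_RE.match(arg) or ADDR_LITERAL_RE.match(arg))


def harvest_bad_helo_ips(lines):
    """Return {ip: count} for every connecting IP that sent an illegal HELO/EHLO."""
    bad = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and not helo_is_legal(m.group("arg")):
            bad[m.group("ip")] += 1
    return dict(bad)


if __name__ == "__main__":
    # Feed the result into your access-control file or scoring system.
    for ip, n in sorted(harvest_bad_helo_ips(LOG_LINES).items()):
        print(f"{ip}\t{n} illegal HELO/EHLO")
```

The check is purely syntactic, so a legitimate but misconfigured host can also land on the list; weighting the count rather than blocking outright keeps that risk manageable.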
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/