Hi,

Last night we started getting these from 203.41.143.2. The email addresses have been munged by me, but they were all addresses on our domain, and all were either valid or really close to being valid - this wasn't a random dictionary attack. Note that the RCPT comes first, then the VRFY on the same address.

I didn't like the look of their website so after two of these runs I started 554ing them with a note to email postmaster if they wanted to get unblocked. No human contact yet, but another half-dozen runs. I'm pretty much convinced that in this case they're people I don't want talking to my servers.

However, I was wondering if anyone had seen this particular RCPT/VRFY sequence before - is there any legitimate software out there that behaves like this or is it a dead giveaway that someone's motives are less than pure?

Thanks,
Evan

Transcript of session follows.

 Out: 220 mailgw.uwi.com.au - ESMTP - Postfix
 In: HELO incnet.com.au
 Out: 250 mailgw.uwi.com.au
 In: MAIL FROM:<[EMAIL PROTECTED]>
 Out: 250 Ok
 In: RCPT TO:<address1>
 Out: 250 Ok
 In: VRFY address1
 Out: 502 VRFY command is disabled
 In: RCPT TO:<address2>
 Out: 250 Ok
 In: VRFY address2
 Out: 502 VRFY command is disabled
 In: RCPT TO:<address3>
 Out: 250 Ok
 In: VRFY address3
 Out: 502 VRFY command is disabled
 Out: 421 Error: too many errors

Session aborted, reason: too many errors
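
A log-side check for the pattern described in the post, as an added example that is not part of the original message: it reads a session transcript in the In:/Out: layout shown above and reports every address that was sent as RCPT TO and then VRFY'd in the same session. The function names, the sample addresses and the choice to compare addresses case-insensitively are assumptions of this example.

```python
import re

# Constructed sample in the In:/Out: layout of the transcript above;
# hostnames and addresses are placeholders, not values from the post.
SAMPLE = """\
Out: 220 mx.example.test - ESMTP - Postfix
In: HELO client.example.test
Out: 250 mx.example.test
In: MAIL FROM:<sender@example.test>
Out: 250 Ok
In: RCPT TO:<alice@example.test>
Out: 250 Ok
In: VRFY alice@example.test
Out: 502 VRFY command is disabled
In: RCPT TO:<bob@example.test>
Out: 250 Ok
In: VRFY <Bob@Example.Test>
Out: 502 VRFY command is disabled
In: VRFY carol@example.test
Out: 502 VRFY command is disabled
Out: 421 Error: too many errors
"""

LINE = re.compile(r"^\s*(In|Out):\s*(.*)$")
RCPT = re.compile(r"^RCPT\s+TO:\s*<?([^>\s]*)>?", re.I)
VRFY = re.compile(r"^VRFY\s+<?([^>\s]+)>?", re.I)

def find_rcpt_vrfy_pairs(transcript):
    """Return (address, rcpt_reply, vrfy_reply) for each address that was
    first given in RCPT TO and later VRFY'd within the same session."""
    pairs, rcpt_seen, pending = [], {}, None
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        direction, text = m.groups()
        if direction == "In":
            r, v = RCPT.match(text), VRFY.match(text)
            # Lower-casing is a matching heuristic assumed by this example.
            pending = (("RCPT", r.group(1).lower()) if r else
                       ("VRFY", v.group(1).lower()) if v else None)
        elif pending:  # first server reply after a RCPT or VRFY
            verb, addr = pending
            if verb == "RCPT":
                rcpt_seen[addr] = text[:3]
            elif addr in rcpt_seen:
                pairs.append((addr, rcpt_seen[addr], text[:3]))
            pending = None
    return pairs

if __name__ == "__main__":
    for addr, rcpt_code, vrfy_code in find_rcpt_vrfy_pairs(SAMPLE):
        print(f"{addr}: RCPT -> {rcpt_code}, then VRFY -> {vrfy_code}")
```

A VRFY for an address that was never a recipient in the session (carol in the sample) is not reported, so the output isolates the RCPT-then-VRFY sequence itself.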
