>Last night we started getting these from 203.41.143.2. The email addresses >have been munged by me, but they were all addresses on our domain, and all >were either valid or really close to being valid - this wasn't a random >dictionary attack. Note that the RCPT comes first, then the VRFY on the same >address.
weird. not the way your averavge MTA uses VRFY. one or the other, not both. and once an VRFY gets a 502 (Command not implemented) the SMTP client should give up, not persist >I'm pretty much convinced that in this case they're people I don't want >talking to my servers. However, I was wondering if anyone had seen this >particular RCPT/VRFY sequence before - is there any legitimate software out >there that behaves like this or is it a dead giveaway that someone's motives >are less than pure? shoot now, ask questions later. Len
