This domain (and quite a number of related ones) apparently exists for e-mail address verification. The attempts to send to non-existent addresses probably are meant to better separate server policy rejections from genuine recipient-does-not-exist rejections.
My policy is to reject everything from those guys at the CONNECT stage, even before they get to send a MAIL FROM. Handling identity data such as mail addresses in ways that can't be validated for GDPR lawfulness is good enough reason to block IMHO.

Cheers,
Hans-Martin

On 6 October 2025 10:56:13, Jaroslaw Rafa via mailop <[email protected]> wrote:

> Hello,
> since some time I was observing in my email logs numerous attempts to send
> mail to non-existent addresses on my server from hosts resolving in DNS as
> mail.*.tritontrollius.com, where various strings appear in place of "*".
>
> Because of this, quite long ago I blocked all these hosts in client_access
> table. But since yesterday, I observe a flood of these attempts, hundreds
> of them. They usually come in pairs, and they look like this example:
>
> Oct 6 01:52:05 rafa postfix/smtpd[26266]: NOQUEUE: reject: RCPT from
> mail.woodrowartibee.tritontrollius.com[185.55.189.3]: 554 5.7.1
> <mail.woodrowartibee.tritontrollius.com[185.55.189.3]>: Client host rejected:
> Access denied;
> from=<athena.seppelt+gary.hillhouse=rafa.eu....@mail.woodrowartibee.tritontrollius.com>
> to=<[email protected]> proto=ESMTP
> helo=<mail.woodrowartibee.tritontrollius.com>
> Oct 6 01:52:05 rafa postfix/smtpd[26266]: NOQUEUE: reject: RCPT from
> mail.woodrowartibee.tritontrollius.com[185.55.189.3]: 554 5.7.1
> <mail.woodrowartibee.tritontrollius.com[185.55.189.3]>: Client host rejected:
> Access denied;
> from=<athena.seppelt+gary.hillhouse=rafa.eu....@mail.woodrowartibee.tritontrollius.com>
> to=<[email protected]> proto=ESMTP
> helo=<mail.woodrowartibee.tritontrollius.com>
>
> The first message is always from
> "name.surname+something=rafa.eu....@mail.somename.tritontrollius.com" to
> "[email protected]" (where "something" is the same as in the sender
> address, in this case "gary.hillhouse"), the second one is from the same
> sender to "[email protected]" ("randomstring" always being random
> alphanumeric string).
>
> I wonder, what they want to achieve? They send to very specific addresses
> (like "gary.hillhouse"), not some generic names like e.g. "john", so it's
> almost guaranteed the address won't exist. It's even more guaranteed for a
> random alphanumeric string like "hl2tsrrvugb". It doesn't seem to me like
> brute-force address guessing. Rather they have some specific source for
> these addresses. The structure of the sender address suggests that they
> expect some replies to these messages and want to process them somehow.
> What is their goal? I don't understand... Can anybody comment on this?
> --
> Regards,
> Jaroslaw Rafa
> [email protected]
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
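A log check for the paired attempts described in this thread, as an added example that is not part of either message: it groups Postfix `reject: RCPT` entries by client IP and sender and reports senders that tried both the address named in their own `+tag=` part and a random-looking local part at the same domain. The function name, the `.example` hosts, the documentation-range IPs and the `CONTROL` pattern are assumptions, and the sample lines are constructed, with each log entry on a single line as Postfix writes it.

```python
import re
from collections import defaultdict

# Single-line form of the Postfix reject entries quoted in the thread.
REJECT = re.compile(r"RCPT from [^\[\s]+\[(?P<ip>[^\]]+)\]:.*?"
                    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
TAGGED = re.compile(r"^[^+@]+\+(?P<tag>[^=@]+)=[^@]*@")  # name+tag=...@host
CONTROL = re.compile(r"[a-z0-9]{8,}")  # assumption: shape of the random local part

def find_probe_pairs(lines):
    """Return (client_ip, tagged_rcpt, control_rcpt) for each sender that tried
    both the address named in its own tag and a random-looking one."""
    rcpts = defaultdict(dict)            # (ip, sender) -> ordered unique recipients
    for line in lines:
        m = REJECT.search(line)
        if m:
            rcpts[(m["ip"], m["sender"].lower())][m["rcpt"].lower()] = None
    pairs = []
    for (ip, sender), seen in rcpts.items():
        t = TAGGED.match(sender)
        if not t:
            continue                     # sender has no +tag= part
        for first in (r for r in seen if r.partition("@")[0] == t["tag"]):
            domain = first.partition("@")[2]
            for other in seen:
                local, _, dom = other.partition("@")
                if dom == domain and local != t["tag"] and CONTROL.fullmatch(local):
                    pairs.append((ip, first, other))
    return pairs

# Constructed sample data: documentation-range IPs and .example hosts, not real logs.
_FMT = ("Oct 6 01:52:05 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from {h}[{ip}]: "
        "554 5.7.1 <{h}[{ip}]>: Client host rejected: Access denied; "
        "from=<{f}> to=<{t}> proto=ESMTP helo=<{h}>")
_PROBE = "jane.roe+gary.hillhouse=example.org@mail.a.verifier.example"
_HOST = "mail.a.verifier.example"
SAMPLE = [
    _FMT.format(h=_HOST, ip="192.0.2.10", f=_PROBE, t="gary.hillhouse@example.org"),
    _FMT.format(h=_HOST, ip="192.0.2.10", f=_PROBE, t="hl2tsrrvugb@example.org"),
    _FMT.format(h="mail.shop.example", ip="198.51.100.7",
                f="news@shop.example", t="bob@example.org"),
]

if __name__ == "__main__":
    for ip, tagged, control in find_probe_pairs(SAMPLE):
        print(f"{ip}: probe pair {tagged} + {control}")
```
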
