On Thu, 26 Oct 2006, Joseph Brennan wrote:

> Yesterday we had 57,510 of these from 29,312 different IP addresses.
> Therefore they average less than 2 a day per IP.
>
> Many were to invalid addresses, some of them in a format that could
> never have been a valid address in our domain. From a few that were
> to valid addresses, and so had subject logged-- prescription drug spam.

Raise your sendmail loglevel if you want to see those invalid strings. I have been told that you need a level of 10 for this. I didn't try it myself. Below is a quote from a message on the comp.mail.sendmail Usenet group.

Looking at what goes on the wire, I see the host issuing EHLO and HELO commands with single | as argument, or | followed by some URL. "EHLO |" or "EHLO |http://some-host/blah/blah". After it's rejected, it attempts with HELO, and finally does "EHLO real-host". This is the point where sendmail logs the warning.

I'm wondering why they're doing this. Is it a bug? Or are they trying to gain something with this? Is the possible gain high enough to compensate a possible lower delivery rate? And why a "|"? Are they trying to exploit some bug somewhere in a prog or script that handles messages or mail logs? Could those invalid addresses you saw "in a format that could never have been a valid address" make some sense in a scripting context?

Regards,

--
Kees Theunissen
F.O.M.-Institute for Plasma Physics Rijnhuizen, Nieuwegein, Netherlands
E-mail: [EMAIL PROTECTED], Tel: (+31|0)306096724, Fax: (+31|0)306031204
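
Added example, not part of the original message or of sendmail/MIMEDefang: a check of HELO/EHLO arguments against the RFC 5321 Domain and address-literal syntax, run over a session like the one described above. The function names and the session lines are constructed for illustration; the argument of the HELO retry is assumed to be the same "|".

```python
import ipaddress
import re

# RFC 5321 section 4.1.2: Domain = sub-domain *("." sub-domain)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\Z")


def helo_arg_valid(arg: str) -> bool:
    """True if arg is a syntactically valid Domain or address-literal."""
    if arg.startswith("[") and arg.endswith("]"):
        literal, version = arg[1:-1], 4
        if literal[:5].upper() == "IPV6:":  # IPv6 literals carry this tag
            literal, version = literal[5:], 6
        try:
            return ipaddress.ip_address(literal).version == version
        except ValueError:
            return False
    return len(arg) <= 255 and _DOMAIN.match(arg) is not None


def analyse_session(lines):
    """Return (attempts, retried): each greeting with its validity, and
    whether an invalid greeting was later followed by a valid one."""
    attempts, seen_bad, retried = [], False, False
    for line in lines:
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() not in ("HELO", "EHLO"):
            continue
        ok = helo_arg_valid(arg.strip())
        attempts.append((verb.upper(), arg, ok))
        if not ok:
            seen_bad = True
        elif seen_bad:
            retried = True
    return attempts, retried


# Constructed session, modelled on the commands quoted in the message.
SAMPLE_SESSION = [
    "EHLO |",
    "EHLO |http://some-host/blah/blah",
    "HELO |",
    "EHLO real-host",
]

if __name__ == "__main__":
    attempts, retried = analyse_session(SAMPLE_SESSION)
    for verb, arg, ok in attempts:
        # repr() keeps odd characters from being interpreted downstream
        print(f"{verb} {arg!r}: {'valid' if ok else 'INVALID'}")
    print("invalid greeting followed by valid one:", retried)
```
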

