Mailing List SIMS@mail.stalker.com Message #11929
From: ted crane <stalker@tedcrane.com>
Subject: Additional spam-detecting tools
Date: Fri, 18 Oct 2002 11:53:11 -0400
To: <sims@mail.stalker.com>
X-Mailer: Mozilla 4.77C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; U; PPC)

Recent observation of (non-SIMS) mail receiver log shows
three types of "interesting" activity:

1) Failed attempted relays, from various addresses to a limited set of
   <RCPT TO>, obviously looking for open relays.
2) Short SMTP transactions, ending with <RSET>; no message sent, possibly
   just checking validity of local address.
3) Like (2), but ending with a disconnect instead of a <RSET>.

Further checking shows that while the "sending host" in case #1
may or may not be on a blacklist, the senders in cases #2 and #3
are almost always mentioned in SPEWS and other blacklists.  From a
limited corpus of experience, #2 and #3 seem to be a good proactive
research tool.

SIMS has a mechanism for handling and logging case #1, the attempted relay.
(The SIMS log shows activity similar to the other mail receiver,
but only one probe for every three on the other system).

Is there a mechanism for detecting cases #2 and #3 in SIMS?
How are they logged?
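An added example, not from the post above and not SIMS code, of how the three session patterns described (rejected relay attempts, RCPT followed by RSET with no DATA, RCPT followed by a bare disconnect) can be picked out of a receiver log. The one-event-per-line log format, the connection ids and the addresses in the sample log are constructed for the example; a real SIMS or other receiver log would need its own regular expression in place of LINE_RE.

```python
"""Classify SMTP receiver sessions from a mail-server log (constructed example).

Assumed log format, one event per line (an assumption, not SIMS's real format):
    <date> <time> [conn <id>] <event>
Events used: "connect from <ip>", "MAIL FROM:<...> <code> <text>",
"RCPT TO:<...> <code> <text>", "DATA", "RSET", "QUIT", "disconnect".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[conn (?P<conn>\d+)\] (?P<event>.*)$")

# Constructed sample log; IPs are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2002-10-18 11:40:01 [conn 1] connect from 192.0.2.10
2002-10-18 11:40:01 [conn 1] MAIL FROM:<probe@example.net> 250 ok
2002-10-18 11:40:02 [conn 1] RCPT TO:<victim@example.com> 550 relaying denied
2002-10-18 11:40:02 [conn 1] RCPT TO:<other@example.com> 550 relaying denied
2002-10-18 11:40:03 [conn 1] QUIT
2002-10-18 11:41:10 [conn 2] connect from 198.51.100.7
2002-10-18 11:41:10 [conn 2] MAIL FROM:<> 250 ok
2002-10-18 11:41:11 [conn 2] RCPT TO:<alice@example.org> 250 ok
2002-10-18 11:41:11 [conn 2] RSET
2002-10-18 11:41:11 [conn 2] QUIT
2002-10-18 11:42:00 [conn 3] connect from 198.51.100.7
2002-10-18 11:42:00 [conn 3] MAIL FROM:<> 250 ok
2002-10-18 11:42:01 [conn 3] RCPT TO:<bob@example.org> 250 ok
2002-10-18 11:42:01 [conn 3] disconnect
2002-10-18 11:43:00 [conn 4] connect from 203.0.113.5
2002-10-18 11:43:00 [conn 4] MAIL FROM:<carol@example.net> 250 ok
2002-10-18 11:43:01 [conn 4] RCPT TO:<alice@example.org> 250 ok
2002-10-18 11:43:02 [conn 4] DATA
2002-10-18 11:43:05 [conn 4] QUIT
"""


def parse_sessions(log_text):
    """Group log events by connection id.

    Returns {conn_id: {"ip": source address, "events": [event strings in order]}}.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        sess = sessions.setdefault(m.group("conn"), {"ip": None, "events": []})
        event = m.group("event")
        if event.startswith("connect from "):
            sess["ip"] = event[len("connect from "):]
        else:
            sess["events"].append(event)
    return sessions


def classify_session(events):
    """Map one session's event list to one of the three patterns from the post.

    relay_probe               -> case 1: RCPT rejected as a relay attempt
    address_probe_rset        -> case 2: RCPT accepted, then RSET, no DATA
    address_probe_disconnect  -> case 3: RCPT accepted, then the line dropped
    normal                    -> a message was actually transferred
    other                     -> anything else (e.g. RCPT then plain QUIT)
    """
    rcpt_lines = [e for e in events if e.startswith("RCPT TO:")]
    if any("relaying denied" in e for e in rcpt_lines):
        return "relay_probe"
    if not rcpt_lines:
        return "other"  # never named a recipient, nothing to verify
    if "DATA" in events:
        return "normal"
    if "RSET" in events:
        return "address_probe_rset"
    if events and events[-1] == "disconnect":
        return "address_probe_disconnect"
    return "other"


def classify_log(log_text):
    """Return {conn_id: (source ip, classification)} for every session in the log."""
    return {
        conn: (s["ip"], classify_session(s["events"]))
        for conn, s in parse_sessions(log_text).items()
    }


def probes_by_source(log_text):
    """Count probe-type sessions per source IP.

    The resulting addresses are the ones worth checking against SPEWS or
    other blacklists, as the post suggests for cases 2 and 3.
    """
    counts = defaultdict(int)
    for ip, kind in classify_log(log_text).values():
        if kind.endswith("_probe") or kind.startswith("address_probe"):
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for conn, (ip, kind) in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"conn {conn} from {ip}: {kind}")
    print("probe sessions per source:", probes_by_source(SAMPLE_LOG))
```

The classification order matters: the relay check runs first because a relay probe also has no DATA and would otherwise be mistaken for an address probe. Sessions that name a recipient and then QUIT cleanly without DATA are left as "other" rather than guessed at, since the post does not describe that pattern.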