Mailing List SIMS@mail.stalker.com Message #11930
From: Pete Stephenson <pete@heypete.com>
Subject: Re: Additional spam-detecting tools
Date: Fri, 18 Oct 2002 11:22:12 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
Recent observation of (non-SIMS) mail receiver log shows
three types of "interesting" activity:

1) Failed attempted relays, from various addresses to a limited set of
   <RCPT TO>, obviously looking for open relays.
2) Short SMTP transactions, ending with <RSET>; no message sent, possibly
   just checking validity of local address.
3) Like (2), but ending with a disconnect instead of a <RSET>.

[snip]

Is there a mechanism for detecting case #2 and #3 in SIMS?
How is it logged?

As far as I know, no.

However, if a remote host tries to send mail to three non-existent addresses, SIMS will hold the line for 10 seconds. After that time elapses, if they get another address wrong, another 10 seconds. After that, another address, another 10 seconds. After the third time, it tempbans the remote host for 20 minutes.

It's quite effective, I've noticed, at stopping harvesters. It is these harvesters which are consuming most of the bandwidth on my server, scanning for addresses. Grr.
--
Pete Stephenson
HeyPete.com
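
Added example, not part of the original message and not SIMS code: a sketch of how the three kinds of session described in the question could be picked out of a generic SMTP receiver log. The log line format, the function names and the rule that a 5xx reply mentioning "relay" marks a refused relay are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample; assumed line format "<session> <peer> <C|S> <text>".
SAMPLE_LOG = """\
s1 192.0.2.10 C RCPT TO:<someone@elsewhere.example>
s1 192.0.2.10 S 550 relaying denied
s1 192.0.2.10 C QUIT
s2 192.0.2.20 C MAIL FROM:<b@example.net>
s2 192.0.2.20 C RCPT TO:<info@local.example>
s2 192.0.2.20 S 250 ok
s2 192.0.2.20 C RSET
s3 192.0.2.30 C RCPT TO:<sales@local.example>
s3 192.0.2.30 S 550 no such user
s4 192.0.2.40 C RCPT TO:<pete@local.example>
s4 192.0.2.40 C DATA
s4 192.0.2.40 C QUIT
"""

def parse_sessions(log_text):
    """Group lines into {session: (peer, [(side, text), ...])}."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2] in ("C", "S"):
            sid, peer, side, text = parts
            sessions.setdefault(sid, (peer, []))[1].append((side, text))
    return sessions

def classify(events):
    """Label one session: normal, relay_probe, rset_probe, drop_probe, other."""
    verbs = [t.split()[0].upper() for s, t in events if s == "C"]
    replies = [t.lower() for s, t in events if s == "S"]
    if "DATA" in verbs:
        return "normal"                      # a message was actually sent
    if any(r.startswith("5") and "relay" in r for r in replies):
        return "relay_probe"                 # case 1: refused relay attempt
    if "RCPT" not in verbs or verbs[-1] == "QUIT":
        return "other"                       # no address tested, or clean QUIT
    # An address was tested but no message followed:
    # case 2 ends with RSET, case 3 with a bare disconnect.
    return "rset_probe" if verbs[-1] == "RSET" else "drop_probe"

def probes_by_peer(log_text):
    """Map peer address -> labels of its non-normal sessions."""
    out = defaultdict(list)
    for peer, events in parse_sessions(log_text).values():
        if (label := classify(events)) != "normal":
            out[peer].append(label)
    return dict(out)
```

Counting `rset_probe` and `drop_probe` sessions per peer over a time window gives a receiver that lacks the built-in delay and temporary ban a basis for its own rate limit.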