Re: Strange SMTP sessions with 'helo=<large negative number>' syntax

From: mis@xxxxxxxxxx
Date: Thu, 29 Dec 2005 00:33:03 -0800

this has been going on for weeks.

i believe they're all open proxies or spambots.

(some of us use this as an oracle for open proxies.)

On Wed, Dec 28, 2005 at 04:39:14PM -0500, max wrote:
> Hello all,
> I find this inmy logs throughout the day today:
>
> Dec 28 16:35:52 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from pcp0012209034pcs.blairblvd.tn.nash.comcast.net[69.245.57.210]: 501 <-1217882552>: Helo command rejected: Invalid name; from=<shuu@xxxxxxxxxxxxxxxxxxxxx> to=<dylanfans-unsubscribe@xxxxxxxxxxxxxxx> proto=SMTP helo=<-1217882552>
>
> Notice that helo section is a negative number (which is why my postfix rejects the message)
> There are about 5 messages a minute at its peak, and this has been going on most of the day today (EST time zone)
> Some of the connecting IP's are listed in various black lists, such as OPM.
>
> Has anyone noticed this as well? Is this a virus or just some new spam tool?
> Some more rejected messages below:
>
> Dec 28 16:37:50 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from cpe-66-75-65-130.socal.res.rr.com[66.75.65.130]: 501 <-1218008120>: Helo command rejected: Invalid name; from=<Laudat@xxxxxxxxxxxxxxxxxxxxx> to=<dylanfans-unsubscribe@xxxxxxxxxxxxxxx> proto=SMTP helo=<-1218008120>
>
> Dec 28 16:37:54 finn postfix/smtpd[13320]: NOQUEUE: reject: RCPT from unknown[219.130.49.89]: 554 Service unavailable; Client host [219.130.49.89] blocked using opm.blitzed.org; Open proxy - see http://opm.blitzed.org/219.130.49.89; from=<burkel@xxxxxxxxxxxxxxxxxxxxxx> to=<max@xxxxxxxxxxxxxx> proto=SMTP helo=<-1209697480>
>
> Dec 28 16:38:10 finn postfix/smtpd[34627]: NOQUEUE: reject: RCPT from 194-144-9-218.du.xdsl.is[194.144.9.218]: 501 <-1209697480>: Helo command rejected: Invalid name; from=<brenno@xxxxxxxxxxxxxxxxxxxxxxxx> to=<max@xxxxxxxxxxxxxx> proto=SMTP helo=<-1209697480>
>
> Thanks,
>
> Max

Follow-Ups:
- Re: Strange SMTP sessions with 'helo=<large negative number>' syntax
  - From: Mike Davis

References:
- Strange SMTP sessions with 'helo=<large negative number>' syntax
  - From: max

Prev by Date: Strange SMTP sessions with 'helo=<large negative number>' syntax
Next by Date: Re: Strange SMTP sessions with 'helo=<large negative number>' syntax
Previous by thread: Strange SMTP sessions with 'helo=<large negative number>' syntax
Next by thread: Re: Strange SMTP sessions with 'helo=<large negative number>' syntax
Index(es):
- Date
- Thread

Relevant Pages

Re: Bjorgen Vs Scott tv coverage
... Don't fall to in love with these open proxies. ... They are the root of SPAM, VIRUS ...
(rec.skiing.nordic)
Re: Bjorgen Vs Scott tv coverage
... Don't fall to in love with these open proxies. ... They are the root of SPAM, VIRUS ... Are you saying an open proxy for email is the same thing as a ...
(rec.skiing.nordic)