I’ve been getting slammed with spam lately. It’s all to a handful of spamtraps on a few domains I have, so it’s actually wonderful that it’s happening, because none of it hits my inbox; spammers are just adding themselves to a blacklist.
I’ve been watching logs and connections, and noticed that a lot of clients are sending bizarre HELO strings in all upper-case with random letters. The pattern seems vaguely familiar, and “Windows workgroups” is coming to mind. Do these hostnames look like that? If not, anyone have a clue what is generating these?
- helo=<PAXCUKKG>
- helo=<NYQYUOMZL>
- helo=<LMVXJTSES>
- helo=<CKIXNPSWT>
- helo=<XAXFJJYARI>
- helo=<PVXXAZG>
- helo=<JAEGSJZG>
- helo=<ROEXRPII>
- helo=<BOAQJJLY>
- helo=<SHVRBJWD>
- helo=<ABFCMWVYB>
- helo=<TJMTPVEWS>
- helo=<MZPLTGALG>
Incidentally, this argues for using the reject_non_fqdn_helo_hostname restriction, except that in my case it would just stop them from hitting a spamtrap. (Although really, a very small minority of good mail servers are thought to be misconfigured and identify themselves without an FQDN HELO, so this isn’t 100% safe.)
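As an added example (not code from the original post), here is a small Python checker that pulls helo=<...> values out of Postfix-style smtpd log lines, applies the FQDN-or-address-literal test that reject_non_fqdn_helo_hostname enforces, and separately flags the all-uppercase single-label pattern listed above. The log lines and the "random-upper" heuristic are constructed assumptions, not Postfix's own logic.

```python
import ipaddress
import re

# Constructed Postfix-style smtpd log lines (sample data, not from the post).
SAMPLE_LOG = """\
Jan 10 03:12:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; to=<trap@example.com> proto=SMTP helo=<PAXCUKKG>
Jan 10 03:12:05 mx postfix/smtpd[1235]: A1B2C3: client=mail.example.org[203.0.113.5], helo=<mail.example.org>
Jan 10 03:12:09 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[198.51.100.24]: 554 5.7.1 Service unavailable; to=<trap@example.com> proto=SMTP helo=<NYQYUOMZL>
Jan 10 03:12:11 mx postfix/smtpd[1237]: D4E5F6: client=unknown[203.0.113.7], helo=<[203.0.113.7]>
Jan 10 03:12:15 mx postfix/smtpd[1238]: NOQUEUE: reject: RCPT from unknown[198.51.100.25]: 554 5.7.1 Service unavailable; to=<trap@example.com> proto=SMTP helo=<localhost>
"""

HELO_RE = re.compile(r"helo=<([^>]*)>")
# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_fqdn_or_literal(helo: str) -> bool:
    """True for a dotted hostname with valid labels or an address literal ([IPv4] / [IPv6:...])."""
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        try:
            if inner.startswith("IPv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)
            return True
        except ValueError:
            return False
    labels = helo.rstrip(".").split(".")
    return len(helo) <= 253 and len(labels) >= 2 and all(LABEL_RE.fullmatch(l) for l in labels)


def looks_random_upper(helo: str) -> bool:
    """Heuristic (assumption) for the pattern in the post: one label, only A-Z, 6+ chars."""
    return re.fullmatch(r"[A-Z]{6,}", helo) is not None


def classify(helo: str) -> str:
    if is_fqdn_or_literal(helo):
        return "fqdn"
    return "random-upper" if looks_random_upper(helo) else "non-fqdn"


def scan(log_text: str):
    """Return [(helo, verdict), ...] for every helo=<...> found in the log text."""
    return [(m.group(1), classify(m.group(1))) for m in HELO_RE.finditer(log_text)]


if __name__ == "__main__":
    for helo, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:13} {helo}")
```

Anything classified "non-fqdn" or "random-upper" is what the restriction would reject; the "fqdn" rows show why an address literal is not a false positive.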
When I get around to it, I think I want to set my new server up with a little FreeBSD virtual machine and use spamd to torture spammers by talking to them at 1 byte/sec.