{"id":2078,"date":"2009-07-17T22:04:12","date_gmt":"2009-07-18T02:04:12","guid":{"rendered":"http:\/\/blogs.n1zyy.com\/n1zyy\/?p=2078"},"modified":"2009-07-17T22:04:12","modified_gmt":"2009-07-18T02:04:12","slug":"what-are-these-hostnames","status":"publish","type":"post","link":"https:\/\/blogs.n1zyy.com\/n1zyy\/2009\/07\/17\/what-are-these-hostnames\/","title":{"rendered":"What are these hostnames?"},"content":{"rendered":"<p>I&#8217;ve been getting <em>slammed<\/em> with spam lately. It&#8217;s <em>all<\/em> to a handful of spamtraps on a few domains I have, so it&#8217;s actually wonderful that it&#8217;s happening, because none of it hits my inbox; spammers are just adding themselves to a blacklist.<\/p>\n<p>I&#8217;ve been watching logs and connections, and noticed that a lot of clients are sending bizarre HELO strings in all upper-case with random letters. The pattern seems vaguely familiar, and &#8220;Windows workgroups&#8221; is coming to mind. Do these hostnames look like that? If not, anyone have a clue what is generating these?<\/p>\n<ul>\n    <li>helo=&lt;PAXCUKKG&gt;<\/li>\n    <li>helo=&lt;NYQYUOMZL&gt;<\/li>\n    <li>helo=&lt;LMVXJTSES&gt;<\/li>\n    <li>helo=&lt;CKIXNPSWT&gt;<\/li>\n    <li>helo=&lt;XAXFJJYARI&gt;<\/li>\n    <li>helo=&lt;PVXXAZG&gt;<\/li>\n    <li>helo=&lt;JAEGSJZG&gt;<\/li>\n    <li>helo=&lt;ROEXRPII&gt;<\/li>\n    <li>helo=&lt;BOAQJJLY&gt;<\/li>\n    <li>helo=&lt;SHVRBJWD&gt;<\/li>\n    <li>helo=&lt;ABFCMWVYB&gt;<\/li>\n    <li>helo=&lt;TJMTPVEWS&gt;<\/li>\n    <li>helo=&lt;MZPLTGALG&gt;<\/li>\n<\/ul>\n<p>Incidentally, this argues towards the use of the <a href=\"http:\/\/www.postfix.org\/postconf.5.html#reject_non_fqdn_helo_hostname\">reject_non_fqdn_helo_hostname<\/a> parameter, except that in my case, it would just block them from hitting a spamtrap. 
(Although really, a very small minority of good mailservers are thought to be misconfigured and identify themselves without an FQDN HELO, so this isn&#8217;t 100% safe.)<\/p>\n<p>When I get around to it, I think I want to set my new server up with a little FreeBSD virtual machine and <a href=\"http:\/\/www.benzedrine.cx\/relaydb.html\">use spamd to torture spammers<\/a> by talking to them at 1 byte\/sec.<\/p>","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been getting slammed with spam lately. It&#8217;s all to a handful of spamtraps on a few domains I have, so it&#8217;s actually wonderful that it&#8217;s happening, because none of it hits my inbox; spammers are just adding themselves to &hellip; <a href=\"https:\/\/blogs.n1zyy.com\/n1zyy\/2009\/07\/17\/what-are-these-hostnames\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2078","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts\/2078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/comments?post=2078"}],"version-history":[{"count":0,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/posts\/2078\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/media?parent=2078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/
wp\/v2\/categories?post=2078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.n1zyy.com\/n1zyy\/wp-json\/wp\/v2\/tags?post=2078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}