[Mimedefang] Strange activity

Jan Pieter Cornet johnpc at xs4all.nl
Thu Jan 5 11:01:11 EST 2006


On Thu, Jan 05, 2006 at 10:17:53AM -0500, David F. Skoll wrote:
> > Are you sure they just sit there after the initial connect? If so, you should
> > also see the "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
> > message logged at the same time as the timeout.
> 
> Does Sendmail log that message if *it* closes the connection?  I thought it
> only did so if the client closes the connection.

Yes, at least, my own test against an 8.13.3 sendmail does so.
 
> They may not actually be sitting doing nothing.  I traced one which issued
> a RCPT command and then sat for over 10 minutes doing nothing.  I killed
> it after 10 minutes, so don't know if it ever would have issued another
> command.

It might be a spambot running on some luser's DSL connection who noticed
the strange activity (or his ISP did) and simply terminated the DSL connection
immediately. You'd be left (on your side) with a half-open TCP connection,
and not know about it until the timeout comes.

This might even be common for infected DSL machines where the user thinks:
"time for lunch, *click*".
 
-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet


