I've been running a mail-server for more than 10 years, using the "quaint" but very reliable and bullet-proof software known as "Post.Office" made by the long defunct "Software.com" company. I do not have it connected to any third-party anti-spam solution (probably not possible anyway) but I do maintain a rather lengthy list of IP net-blocks that I add to daily that it will reject SMTP connections from.
So I've come here to ask the following non-Spamcop question about remote machines that perform SMTP connections (port 25) to my server that just time-out without anything else appearing to happen.
I see this happen several times a day, but 99.9% of the time it's just a single SMTP connect/timeout pair, repeated maybe 3 or 4 times over a 24 hour period from different IP addresses. Sometimes, instead of a single connect/timeout, it will be a string of maybe a dozen.
Then maybe once every other month I'll see a sequence of hundreds or even a few thousand connects/timeouts - like what happened yesterday morning.
This is on my SMTP server. Here's an example:
The "9:0:22" means
- the time of the total connection (9 seconds)
- the number of messages exchanged (zero)
- the total amount of data transferred (22 bytes)
Between 4:35 am and 8:35 am (exactly 4 hours to the second) my server was answering SMTP connect requests from 18.104.22.168, a total of 2204 attempts, which works out to an average of one attempt every 6.5 seconds.
I have no idea what was contained in the 22 bytes that were supposedly transferred - they are not logged.
A graph of the time between connections over the 4 hours shows quite erratic times for the first 1/2 hour, alternating between 3 to 12 connections per second and then nothing for 1 to 2 minutes before repeating. Then during the next 3.5 hours it settles very quickly into a tighter spread of between 2 to 12 seconds between connections.
Also during the first half-hour, the connect-time rises quickly to 80 seconds, then levels off at 120 seconds, and then falls quickly to a rock-solid floor of 9 seconds during the remaining 3.5 hours.
For the first 4 or 5 attempts, the number of bytes transferred was 22, but then drops to 0 during the first 1/2 hour, then goes right back to 22 bytes for the remaining 3.5 hours.
If these were attempts to deliver email to non-existent accounts, or relay attempts to other domains (both of which I've seen happen) they would be indicated as such in the log files (which I don't see here). So whatever is happening during these connections is not the result of a dictionary attack or a relay attempt.
So I'm wondering what is really going on here.
Is this a DoS attempt on my server from a single IP (22.214.171.124) or from multiple computers - all of which are forging the same IP?
If the IP is being forged - would it cause my server to generate responses aimed at 126.96.36.199 - which would be a way to use my server as a DoS tool against 188.8.131.52?
Or is all this a (known) symptom of a broken spam-bot?
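One way to pick this connect-and-timeout pattern out of a connection log and separate a sustained loop from the occasional stray probe, as an added example that is not from the original post or from Post.Office. The "date time source-ip seconds:messages:bytes" line layout, the sample lines and the thresholds are all constructed assumptions modelled on the "9:0:22" triple the post describes:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not from the post; the "date time source-ip
# seconds:messages:bytes" layout is an assumption modelled on the "9:0:22" triple.
SAMPLE_LOG = """\
2024-05-01 04:35:00 192.0.2.10 9:0:22
2024-05-01 04:35:07 192.0.2.10 9:0:22
2024-05-01 04:35:13 192.0.2.10 120:0:0
2024-05-01 04:35:20 192.0.2.10 9:0:22
2024-05-01 04:35:26 192.0.2.10 9:0:22
2024-05-01 04:36:01 198.51.100.7 3:1:1840
2024-05-01 05:10:45 203.0.113.9 9:0:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"(?P<secs>\d+):(?P<msgs>\d+):(?P<nbytes>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, ip, seconds, messages, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"],
               int(m["secs"]), int(m["msgs"]), int(m["nbytes"]))

def summarize_empty_sessions(text):
    """Per source IP: how many sessions moved no messages, over what span."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _secs, msgs, _nbytes in parse_log(text):
        if msgs == 0:  # a connect that ended with no message is the pattern of interest
            stamps_by_ip[ip].append(ts)
    summary = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        mean_gap = span / (len(stamps) - 1) if len(stamps) > 1 else None
        summary[ip] = {"attempts": len(stamps), "span_s": span, "mean_gap_s": mean_gap}
    return summary

def flag_sources(text, min_attempts=4, max_mean_gap_s=30.0):
    """IPs whose empty sessions form a sustained loop (assumed thresholds, tune per server)."""
    return sorted(ip for ip, s in summarize_empty_sessions(text).items()
                  if s["attempts"] >= min_attempts
                  and s["mean_gap_s"] is not None
                  and s["mean_gap_s"] <= max_mean_gap_s)
```

On the constructed sample the repeating source shows five empty sessions at a mean gap of 6.5 seconds and is flagged, while the host that delivered a message and the single stray connect are not.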