Spammer Weirdness: Trapping The Trap

Posted by: admin  :  Category: Bits and Bytes

Today I noticed this line in my message log:

Apr 26 08:19:38 gmc-mxd-bsd-001 postfix/smtpd[80576]: NOQUEUE: reject: RCPT from unknown[222.122.52.102]: 554 msgtrap2@gmail.com: Relay access denied; from=testusrrr@dialin-relay.mx.genotec.ch to=msgtrap2@gmail.com proto=SMTP helo=dialin-relay.mx.genotec.ch

It’s not new to me that spammers probe for open SMTP relays. What puzzles me is that their providers don’t notice a name as obvious as “msgtrap2@gmail.com” and pay attention to it.

Even though we don’t have millions of mailboxes at my company, regular pattern matching is run against our database to find the more obvious ones.

Maybe it wouldn’t do any harm to anyone if IP addresses that try unauthorized relaying were blacklisted globally, right away.
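As an added example (not part of the original post), a small Python parser for the Postfix reject line quoted above: it extracts the client IP, sender, recipient and HELO name from every “Relay access denied” line, counts attempts per client IP, notes missing reverse DNS, and lists IPs above a threshold as blocklist candidates for review. The threshold and all sample log lines other than the post’s own are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the Postfix smtpd "Relay access denied" reject line quoted in the post.
# Angle brackets are optional so both bare and <bracketed> address forms parse.
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<rdns>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"554 (?:5\.7\.1 )?<?(?P<rcpt>[^>:\s]+)>?: Relay access denied; "
    r"from=<?(?P<sender>[^>\s]*)>? to=<?(?P<to>[^>\s]*)>? "
    r"proto=(?P<proto>\S+) helo=<?(?P<helo>[^>\s]*)>?"
)

# Constructed sample log: the first line is the post's own, the rest are made up
# (198.51.100.x and 203.0.113.x are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Apr 26 08:19:38 gmc-mxd-bsd-001 postfix/smtpd[80576]: NOQUEUE: reject: RCPT from unknown[222.122.52.102]: 554 msgtrap2@gmail.com: Relay access denied; from=testusrrr@dialin-relay.mx.genotec.ch to=msgtrap2@gmail.com proto=SMTP helo=dialin-relay.mx.genotec.ch
Apr 26 08:19:40 gmc-mxd-bsd-001 postfix/smtpd[80576]: NOQUEUE: reject: RCPT from unknown[222.122.52.102]: 554 probe@example.org: Relay access denied; from=x@example.net to=probe@example.org proto=SMTP helo=example.net
Apr 26 08:20:01 gmc-mxd-bsd-001 postfix/smtpd[80578]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: 554 5.7.1 <relaytest@example.com>: Relay access denied; from=<scan@example.net> to=<relaytest@example.com> proto=ESMTP helo=<mx.example.net>
Apr 26 08:20:05 gmc-mxd-bsd-001 postfix/smtpd[80577]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@example.com>: Recipient address rejected: User unknown; from=<a@example.org> to=<someone@example.com> proto=ESMTP helo=<mail.example.org>
Apr 26 08:20:13 gmc-mxd-bsd-001 postfix/smtpd[80579]: connect from unknown[198.51.100.7]
"""

def parse_relay_denials(log_text):
    """Return one dict per 'Relay access denied' line; every other line is skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := RELAY_DENIED.search(line))]

def summarize_by_ip(events):
    """Per client IP: attempt count, whether reverse DNS was missing, and the HELO names used."""
    summary = defaultdict(lambda: {"attempts": 0, "no_rdns": False, "helos": set()})
    for e in events:
        s = summary[e["ip"]]
        s["attempts"] += 1
        s["no_rdns"] = s["no_rdns"] or e["rdns"] == "unknown"   # Postfix logs "unknown" when rDNS fails
        s["helos"].add(e["helo"])
    return dict(summary)

def blocklist_candidates(events, min_attempts=2):
    """IPs with at least min_attempts denied relay attempts (threshold is a constructed example value)."""
    return sorted(ip for ip, s in summarize_by_ip(events).items() if s["attempts"] >= min_attempts)
```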

5 Responses to “Spammer Weirdness: Trapping The Trap”

  1. SomeGuy Says:

    I actually wonder if perhaps Google is just checking mail servers for open relays in order to build a blocklist at gmail.com. I’ve seen this exact same relay attempt by msgtrap2@gmail.com in 2 different mail servers I manage both within the past couple of days!

  2. delmatto Says:

    This is very unlikely because of three reasons:

    #1 the source IP is from KORNET (Korea)
    #2 the source IP lacks a dns reverse pointer
    #3 Google confirmed this being a user account

    In general one could assume Google would not use
    a korean IP address even if they did a search for open relays.

  3. insider Says:

    Hey there bud. This actually has nothing to do with this current article. Rather, I thought I’d share a funny story.
    So today, one of my buddies sent me a link to your site. Specifically, an April 06 entry.
    And yeah, I just wanted to congratulate you on killing my old seed e-mail account a while back (msgtrap2).
    I use it to test the effectiveness of spam blacklists (njabl, spamhaus, spamcop, you name it), and yeah. I was quite impressed that someone finally noticed and did something about it.
    I’m sure you’ll be happy to know, the gmail did eventually disconnect the account, an action that had not occurred before or since. Of course, it didn’t take long to get a new one (yay gmail spoolers), but still. Impressive.
    And before you hop on that whois site, I feel you should know that yes, this server is not a home computer. It’s from a friend’s server (yes, it is spam blacklisted). Regrettably, these are the only types of computers I can test from. Also, before you say it, I’m pretty aware that this type of activity can be somewhat bothersome, but as far as I know at least, it doesn’t do a lot of real harm.
    I’ll check back, see if you respond.
    Adios

  4. delmatto Says:

    Well, thank you for your feedback on that matter.

    I’m sure others have noticed this before, too.
    Most of them if not all surely have not paid too
    much attention to it.

    There’s a lot of crap email traffic these days…

  5. insider Says:

    yeah. The scanners have now been going for almost an entire year. Only msgtrap2 has been shut down. Despite how openly available the e-mail address was, no one has ever sent a complaint e-mail. I just thought it was interesting to see. And also, by the way, I can say with relative certainty that I am probably the only person who scans with any real intensity who is left. Spammers don’t really use open relays frequently anymore.