Running exim 4.22 on armv4l with exiscan patch applied, I am seeing
several thousand log entries per day similar to:
2003-09-09 17:06:23 rejected HELO from pd951f633.dip.t-dialin.net
[217.81.246.51]: syntactically invalid argument(s): CE_HAMM
where the hostname and IP varies considerably. Tcpdump indicates that
the failed command is always one of:
EHLO CE_HAMM<CR><LF>
HELO CE_HAMM<CR><LF>
EHLO PERSONAL_DT<CR><LF>
HELO PERSONAL_DT<CR><LF>
The client always tries an EHLO first, exim returns a 501, then the
client tries HELO, exim returns another 501, then the client
disconnects abruptly. Several seconds later the same pattern repeats.
My guess is this is a spambot or virus of some sort, but I'm not sure.
I cannot find any record of these strings on Google or in the archives
here, so I am hoping someone can shed some light on this.
Incidentally, sending the same EHLO/HELO sequence to several other MTAs
does not produce a 501 (but probably should since it isn't a valid
hostname). Is it a case of Exim being more picky? Or are these magic
commands to unlock features in other MTAs?
--
Ralph Siemsen
www.netwinder.org
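The check behind that 501, as an added example that is not part of the original post and is not Exim's own code: a HELO/EHLO argument validator following the RFC 2821 "Domain" / address-literal syntax (so underscores, as in CE_HAMM and PERSONAL_DT, are rejected), a reply generator that reproduces the EHLO-then-HELO 501 sequence described above, and a parser that aggregates Exim "rejected HELO" mainlog lines by offending argument and source IP. The reply texts, the server name `mail.example.org`, and the sample log lines are assumptions constructed for the example; the label grammar is an approximation of the RFC, not a copy of Exim's `helo_allow_chars` logic.

```python
"""HELO/EHLO syntax check, 501 reply generator, and Exim reject-log
aggregation.  Added example; assumptions are marked in comments."""
import ipaddress
import re
from collections import Counter, defaultdict

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
# Assumption: RFC 2821 "Domain" syntax.  Underscores are not permitted, which
# is why CE_HAMM and PERSONAL_DT fail the check.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_helo_arg(arg: str) -> bool:
    """True if arg is a domain or an address literal ([1.2.3.4] / [IPv6:...])."""
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        try:
            if literal.upper().startswith("IPV6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
        except ValueError:
            return False
        return True
    if not arg or len(arg) > 255:
        return False
    return all(_LABEL.match(label) for label in arg.split("."))


def smtp_reply(command_line: str, my_name: str = "mail.example.org") -> str:
    """Reply to one HELO/EHLO line with 501 on a bad argument, 250 otherwise.
    Reply texts and my_name are assumptions, not copied from Exim."""
    parts = command_line.rstrip("\r\n").split(" ", 1)
    verb = parts[0].upper()
    if verb not in ("HELO", "EHLO"):
        return "500 unrecognized command\r\n"
    arg = parts[1].strip() if len(parts) > 1 else ""
    if not valid_helo_arg(arg):
        return f"501 Syntactically invalid {verb} argument(s)\r\n"
    if verb == "HELO":
        return f"250 {my_name} Hello {arg}\r\n"
    return f"250-{my_name} Hello {arg}\r\n250 HELP\r\n"


# Exim 4 mainlog line as quoted in the post (one line per rejection; the
# reverse-DNS name before the bracketed IP is absent when lookup fails).
_REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) rejected (?P<verb>HELO|EHLO) from "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]: "
    r"syntactically invalid argument\(s\): (?P<arg>.*)$"
)


def parse_reject(line: str):
    """Return the fields of a rejected-HELO line, or None for any other line."""
    m = _REJECT.match(line.strip())
    return m.groupdict() if m else None


def summarize_rejects(lines):
    """Count rejections per HELO argument and collect distinct source IPs, so a
    burst of one bogus name from many hosts (bot-like) stands out."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        counts[rec["arg"]] += 1
        sources[rec["arg"]].add(rec["ip"])
    return counts, {arg: sorted(ips) for arg, ips in sources.items()}


# Constructed sample log lines modelled on the one in the post (not real data).
SAMPLE_LOG = [
    "2003-09-09 17:06:23 rejected EHLO from pd951f633.dip.t-dialin.net "
    "[217.81.246.51]: syntactically invalid argument(s): CE_HAMM",
    "2003-09-09 17:06:23 rejected HELO from pd951f633.dip.t-dialin.net "
    "[217.81.246.51]: syntactically invalid argument(s): CE_HAMM",
    "2003-09-09 17:06:31 rejected EHLO from [192.0.2.77]: "
    "syntactically invalid argument(s): PERSONAL_DT",
    "2003-09-09 17:06:31 rejected HELO from [192.0.2.77]: "
    "syntactically invalid argument(s): PERSONAL_DT",
    "2003-09-09 17:07:02 1A8xyz-0003Fh-00 <= sender@example.net "
    "H=mx.example.net [198.51.100.9] P=esmtp S=1234",
]

if __name__ == "__main__":
    for cmd in ("EHLO CE_HAMM\r\n", "HELO CE_HAMM\r\n", "EHLO mail.example.com\r\n"):
        print(cmd.strip(), "->", smtp_reply(cmd).strip().splitlines()[0])
    counts, sources = summarize_rejects(SAMPLE_LOG)
    for arg, n in counts.most_common():
        print(f"{arg}: {n} rejections from {len(sources[arg])} host(s)")
```

Running `summarize_rejects` over a day's mainlog gives the per-string counts and distinct-host lists that separate a single misconfigured client from a widely distributed bot emitting the same fixed HELO name.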