Marc Sherman wrote:
> Has anyone else noticed a huge spike in the number of connections
> dropped due to "too many syntax or protocol errors" lately? I've been
> seeing a tonne of them in the past couple weeks.
>
> Here's a sampling:
>
> 2007-01-22 23:31:12 SMTP call from (cacs.com.au) [189.2.25.19] dropped:
> too many syntax or protocol errors (last command was "MAIL
> FROM:<lehi@???>")
> 2007-01-22 23:33:16 SMTP call from
> 55.red-80-39-228.dynamicip.rima-tde.net (canberrafm.com.au)
> [80.39.228.55] dropped: too many syntax or protocol errors (last command
> was "MAIL FROM:<halber@???>")
> 2007-01-22 23:38:02 SMTP call from (fantasyworks.com) [58.230.213.77]
> dropped: too many syntax or protocol errors (last command was "MAIL
> FROM:<glas@???>")
>
> I suspect some new spammer botnet has come on line recently, and I
> wonder if this might be at all connected to Jason Meers' recent posting
> about web searches for exim exploits.
>
> http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20070115/msg00096.html
>
> - Marc
>
Just did a few greps, and no, no apparent increase here. Average of a few a day,
though they do seem to come in zombot bursts within short time slots.
FWIW, we enforce sync and have a lower permitted error count than default.
Notes:
- While there are various http(s)d running on many of our mail servers, websites
and traffic to same are 'de minimis'. Mostly 'placeholders'.
- At least one of the networks you cite, '*rima-tde.net' is blocked outright.
I haven't checked the others.
HTH,
Bill
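
Added example, not part of the original thread: a Python sketch that does what the greps above do, pulling the "too many syntax or protocol errors" drops out of an Exim main log and grouping them into bursts by time. The sample entries are constructed (documentation-range addresses, one entry per line, default timestamp format), and the 5-minute gap and 3-drop threshold are assumptions to tune.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample entries (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
2007-01-22 23:31:12 SMTP call from (mail.example.com) [192.0.2.19] dropped: too many syntax or protocol errors (last command was "MAIL FROM:<a@example.org>")
2007-01-22 23:33:16 SMTP call from host55.example.net (relay.example.com) [198.51.100.55] dropped: too many syntax or protocol errors (last command was "MAIL FROM:<b@example.org>")
2007-01-22 23:34:02 SMTP call from (mail.example.com) [192.0.2.19] dropped: too many syntax or protocol errors (last command was "RCPT TO:<c@example.org>")
2007-01-22 23:40:00 SMTP connection from [203.0.113.7] lost while reading message data
2007-01-23 04:10:09 SMTP call from [203.0.113.77] dropped: too many syntax or protocol errors (last command was "HELO x")
"""

# Optional reverse-DNS name, optional (HELO name), then [IP].
DROP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP call from '
    r'(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\] '
    r'dropped: too many syntax or protocol errors'
    r'(?: \(last command was "(?P<cmd>.*)"\))?')

def parse_drops(text):
    """Return (timestamp, ip, helo, smtp_verb) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue  # some other log entry
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        verb = re.match(r'MAIL FROM|RCPT TO|\w+', m["cmd"] or "", re.I)
        events.append((ts, m["ip"], m["helo"], verb.group(0).upper() if verb else None))
    return sorted(events, key=lambda e: e[0])

def summarise(cluster):
    return {"start": cluster[0][0], "end": cluster[-1][0],
            "drops": len(cluster), "ips": Counter(e[1] for e in cluster)}

def find_bursts(events, gap=timedelta(minutes=5), min_size=3):
    """Cluster drops separated by at most `gap`; keep clusters of >= min_size."""
    bursts, cluster = [], []
    for ev in events:
        if cluster and ev[0] - cluster[-1][0] > gap:
            if len(cluster) >= min_size:
                bursts.append(summarise(cluster))
            cluster = []
        cluster.append(ev)
    if len(cluster) >= min_size:
        bursts.append(summarise(cluster))
    return bursts

if __name__ == "__main__":
    for b in find_bursts(parse_drops(SAMPLE_LOG)):
        print(b["start"], b["end"], b["drops"], dict(b["ips"]))
```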