incorrect spam setups cause spool messes on forwarders

Suresh Ramasubramanian suresh at
Tue Dec 2 14:37:06 UTC 2003

Valdis.Kletnieks at  writes on 12/2/2003 9:32 AM:
> On Tue, 02 Dec 2003 19:23:41 +0800, Suresh Ramasubramanian <suresh at>  said:
>>What they are trying to do is to connect back to's MXs and ensure
>>that the user <sgswretyshsdhtest at> who is trying to send them mail
>>really does exist, and is not just a figment of some spambot's imagination.
> And they tell that how, exactly, given that many sites do NOT allow VRFY or EXPN?

MAIL FROM: RCPT TO: QUIT: is precisely what they are doing.

Nobody except spammers / dictionary attackers seems to VRFY these days 
for this sort of stuff.  In fact grepping your logs for VRFY is often a 
reliable sign of a dictionary attack on your machines.

> I suppose they could do a MAIL FROM/RCPT TO pair, look at the result, and
> QUIT instead of DATA.  Of course, that would be silly, because if it ever ran
> into another site that tried the same thing, that site would try to call back
> and do a MAIL FROM/RCPT TO...

MAIL FROM: <> typically, or from a sender that does not return callbacks 
to it ... so no danger of loops getting set up. Thank God for small 
mercies, I guess.


srs (postmaster|suresh) // gpg : EDEDEFB9
manager, security and antispam operations
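
Added example, not part of the original post: a log triage sketch that flags the two patterns discussed above, bursts of VRFY from one client and callback-style sessions (MAIL FROM / RCPT TO, then QUIT with no DATA). The log format, the `classify` function, the label names and the threshold are assumptions made for illustration; real MTA logs differ and the regex would need adapting.

```python
import re
from collections import defaultdict

# Constructed sample; assumed format "<time> <session> <client-ip> <command>".
SAMPLE_LOG = """\
14:01:02 s1 192.0.2.10 EHLO probe.example
14:01:02 s1 192.0.2.10 VRFY alice
14:01:03 s1 192.0.2.10 VRFY bob
14:01:03 s1 192.0.2.10 VRFY carol
14:01:04 s1 192.0.2.10 QUIT
14:02:10 s2 198.51.100.7 HELO mx.example.net
14:02:10 s2 198.51.100.7 MAIL FROM:<>
14:02:11 s2 198.51.100.7 RCPT TO:<user@example.org>
14:02:11 s2 198.51.100.7 QUIT
14:03:30 s3 203.0.113.5 EHLO mail.example.com
14:03:30 s3 203.0.113.5 MAIL FROM:<bob@example.com>
14:03:31 s3 203.0.113.5 RCPT TO:<user@example.org>
14:03:31 s3 203.0.113.5 DATA
14:03:32 s3 203.0.113.5 QUIT
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (.+)$")

def classify(log_text, vrfy_threshold=3):
    """Map client IP -> labels for VRFY bursts and callback-style probes."""
    sessions = defaultdict(list)          # (session, ip) -> commands in order
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sid, ip, cmd = m.groups()
            sessions[(sid, ip)].append(cmd.upper())
    vrfy = defaultdict(int)
    findings = defaultdict(set)
    for (_, ip), cmds in sessions.items():
        verbs = [c.split()[0] for c in cmds]
        vrfy[ip] += verbs.count("VRFY")
        # Envelope offered, then QUIT with no DATA: the callback pattern.
        if {"MAIL", "RCPT", "QUIT"} <= set(verbs) and "DATA" not in verbs:
            findings[ip].add("callback-probe")
            if any(c.replace(" ", "") == "MAILFROM:<>" for c in cmds):
                findings[ip].add("null-sender")
    for ip, n in vrfy.items():
        if n >= vrfy_threshold:           # threshold is an assumed value
            findings[ip].add("vrfy-dictionary-suspect")
    return dict(findings)

if __name__ == "__main__":
    for ip, labels in sorted(classify(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(labels)))
```

A session that ends without DATA can also be a dropped connection or a rejected recipient, so the `callback-probe` label is a heuristic to review, not a verdict.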
