I have seen this on occasion. It appears to be a bad spam-bot, i.e. a group of infected PCs that were supposed to be blasting you with spam were incorrectly programmed/instructed and are instead doing what you described.
My evidence of this is that we track spam by source IP in real time, tracking average spam score, number of good vs. bad recipients, etc., and block the sending IPs in iptables in real time so they cannot even connect. If an IP has never sent legitimate mail, it gets blocked after only the fourth bad recipient for a short time, then longer, longer, etc., until we are blocking them for days at a time. On any given day I see 10,000 to 15,000 IPs being involved in dictionary-style attacks against us (we now have over 2,000 mail domains, so we are a big target). When I see the DoS-style events you described, it is the same sets of IPs, and I usually see real spam start coming from them after a while.

John

----- Original Message -----
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <mimedefang@lists.roaringpenguin.com>
Sent: Wednesday, January 04, 2006 3:31 PM
Subject: {SPAM} [Mimedefang] Strange activity

> Has anyone noticed some strange activity lately? Specifically, one of our
> customers has been hit by hundreds or thousands of machines that open SMTP
> connections to his boxes and then just sit there, leaving the connection
> idle. This wreaks havoc by creating tons and tons of Sendmail processes.
>
> We fixed it by setting confTO_COMMAND to 3 minutes instead of the default one
> hour; we're seeing about one connection every few seconds timing out (and
> new ones coming into the start of the pipe, of course.) This is for a
> smallish ISP.
>
> I'm wondering if it's an attack specifically on our customer, or if there's
> a DDoS botnet (or a buggy spam-sending botnet) around?
>
> Typical Sendmail log excerpt (trimmed somewhat):
>
> 15:27:32 k04KOVAD016073: timeout waiting for input from [200.193.225.54] during server cmd read
> 15:27:35 k04KOXAD016096: timeout waiting for input from adsl-153-140-231.cha.bellsouth.net during server cmd read
> 15:27:36 k04KOWAD016072: timeout waiting for input from 80.178.87.220.adsl.012.net.il during server cmd read
> 15:27:38 k04KOEAD015968: timeout waiting for input from abfh249.neoplus.adsl.tpnet.pl during server cmd read
> 15:28:00 k04KOoAD016164: timeout waiting for input from [200.55.54.94] during server cmd read
> 15:28:09 k04KP7AD016293: timeout waiting for input from 12-208-169-86.client.insightBB.com during server cmd read
> 15:28:13 k04KP5AD016263: timeout waiting for input from 213-238-114-168.adsl.inetia.pl during server cmd read
> 15:28:19 k04KPHAD016353: timeout waiting for input from f151173.upc-f.chello.nl during server cmd read
> 15:28:31 k04KPSAD016412: timeout waiting for input from 82-46-163-134.stb.ubr02.chwo.blueyonder.co.uk during server cmd read
> 15:28:31 k04KPUAD016422: timeout waiting for input from djz211.neoplus.adsl.tpnet.pl during server cmd read
> 15:28:35 k04KP1AD016270: timeout waiting for input from 200164210160.user.veloxzone.com.br during server cmd read
> 15:28:42 k04KPeAD016473: timeout waiting for input from xdsl-2217.elblag.dialog.net.pl during server cmd read
> 15:28:57 k04KPnAD016543: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
> 15:29:24 k04KQHAD016773: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
> 15:29:45 k04KQiAD016923: timeout waiting for input from 20150212040.user.veloxzone.com.br during server cmd read
> 15:29:51 k04KQoAD016953: timeout waiting for input from 82-170-159-208.dsl.ip.tiscali.nl during server cmd read
>
> Regards,
>
> David.
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID. You may ignore it.
>
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
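
The per-source policy John describes (count strikes, block on the fourth, lengthen each repeat block), applied here to idle-timeout lines of the shape David quotes; this is an added example and not code from either post. The doubling schedule, the 10-minute and 3-day bounds, the `known_good` exemption and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Shape of the trimmed Sendmail lines quoted in the thread.
TIMEOUT_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}) (\w+): timeout waiting for input from "
    r"(\S+) during server cmd read$")

# Assumed policy values; the thread gives only "fourth" and "days at a time".
THRESHOLD = 4           # idle timeouts before a source is blocked
BASE_BLOCK = 600        # first block: 10 minutes
MAX_BLOCK = 3 * 86400   # ceiling: 3 days

def parse_timeout(line):
    """Return (seconds_since_midnight, source), or None for any other line."""
    m = TIMEOUT_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, _qid, src = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src.strip("[]")

def plan_blocks(lines, known_good=frozenset()):
    """Replay log lines; return [(time, source, block_seconds), ...]."""
    strikes = defaultdict(int)    # timeouts since the source's last block
    offences = defaultdict(int)   # blocks already issued to the source
    blocked_until = {}
    decisions = []
    for line in lines:
        parsed = parse_timeout(line)
        if parsed is None:
            continue
        now, src = parsed
        # Sources with a history of legitimate mail are exempt in this sketch.
        if src in known_good or blocked_until.get(src, 0) > now:
            continue
        strikes[src] += 1
        if strikes[src] >= THRESHOLD:
            duration = min(BASE_BLOCK * 2 ** offences[src], MAX_BLOCK)
            offences[src] += 1
            strikes[src] = 0
            blocked_until[src] = now + duration
            decisions.append((now, src, duration))
    return decisions

# Constructed sample (documentation addresses), not lines from the thread.
A, B = "[192.0.2.10]", "dsl-7.example.net"
SAMPLE = [f"15:{t} k04KxxAD016000: timeout waiting for input from {src} during server cmd read"
          for t, src in [("00:01", A), ("00:05", A), ("00:07", B), ("00:09", A), ("00:12", A),
                         ("05:00", A), ("11:00", A), ("11:05", A), ("11:10", A), ("11:15", A)]]
```

Each decision from `plan_blocks(SAMPLE)` gives the time of the triggering line in seconds since midnight, the source, and the block length in seconds, which a separate step would turn into a firewall rule with a matching expiry.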