spam trend - domains that don't exist?

Steve Freegard steve.freegard at fsl.com
Sat Apr 18 11:53:47 IST 2009


Kai Schaetzl wrote:
> Ken A wrote on Fri, 17 Apr 2009 19:57:46 -0500:
> 
>> Here's a small sample of the rejected domains:
> 
> They are probably old harvested email addresses, where even the domain or 
> subdomain (note the many subdomains!) have long been gone.

Yep - not seeing that many here though:

214-2.0.0 070 mail-require-mx=7050 0.65%

So .65% of all MAIL FROM's seen did not have a valid MX record (so the
message could not be replied to) so these would be rejected.

214-2.0.0 071 mail-require-mx-error=22359 2.05%

Although 2.05% got a DNS lookup error (e.g. dead or broken DNS servers)
and these would therefore be tempfailed.

> What I find strange is that many bots send non-existing domains in HELO's. 

You don't have to send a valid domain in a HELO as long as it isn't a
bareword or a bare IP address (e.g. not a domain literal).

Typically the hostname of the machine is used for the HELO argument, so
you'll legitimately see things like 'host.domain.local' and
'host.office.lan' or other stuff due to internal DNS namespaces from
Active Directory and the like leaking out via the HELO/EHLO.

Top HELO's here:

   2997 h="<my host name>"  <--- Hosts HELOing as my own hostname
    782 h="localhost"
    141 h="dsldevice.lan"
    105 h="speedtouch.lan"

Obviously all of these are blockable as they aren't legitimate hostnames
for a remote mail server (e.g. the hostname is not going to be
dsldevice.lan or speedtouch.lan; the bot is just using the domain name
supplied by the DHCP service on these devices to evade detection within
that network).

Regards,
Steve.
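The two checks discussed in this message (MX lookup on the MAIL FROM domain with reject versus tempfail outcomes, and rejecting HELO/EHLO arguments that are barewords, bare IPs, our own hostname, or leaked internal namespaces such as .lan/.local) are shown below as an added example. This is not code from the post or from MailScanner; the DNS resolver is a constructed stub so it runs offline, the internal-suffix list and the sample domains are constructed, and a real deployment would plug in a real MX resolver (with the RFC 5321 implicit-MX fallback to an A record) in place of the stub.

```python
"""Added example: HELO/EHLO sanity checks and MAIL FROM MX checks of the
kind discussed in the thread. Not MailScanner code; all sample data and the
DNS resolver below are constructed so the module runs offline."""
import ipaddress
import re

# Internal namespaces that leak out of DHCP/Active Directory setups and never
# belong to a public MTA (constructed list from the hostnames in the post).
INTERNAL_SUFFIXES = (".lan", ".local", ".localdomain")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def classify_helo(helo, my_hostname):
    """Return (verdict, reason) for a HELO/EHLO argument; verdict is
    'accept' or 'reject'. A bracketed address literal is RFC-legal and
    accepted; a bare IP without brackets is not."""
    h = helo.strip()
    if not h:
        return ("reject", "empty")
    if h.lower() == my_hostname.lower():
        return ("reject", "claims to be our own hostname")
    if h.startswith("[") and h.endswith("]"):
        inner = h[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return ("accept", "address literal")
        except ValueError:
            return ("reject", "malformed address literal")
    try:
        ipaddress.ip_address(h)
        return ("reject", "bare IP address")
    except ValueError:
        pass
    if h.lower() == "localhost":
        return ("reject", "localhost")
    if "." not in h:
        return ("reject", "bareword")
    if any(h.lower().endswith(s) for s in INTERNAL_SUFFIXES):
        return ("reject", "internal namespace leaked")
    if not all(LABEL_RE.match(label) for label in h.split(".")):
        return ("reject", "invalid hostname syntax")
    return ("accept", "syntactically valid FQDN")


def check_mail_from(sender, resolve_mx):
    """resolve_mx(domain) returns a list of MX hosts ([] when the domain or
    its MX is gone) or raises LookupError on a DNS failure. Returns 'accept',
    'reject' (no MX, so the message could not be replied to) or 'tempfail'
    (broken DNS: retry later rather than bounce a possibly good sender)."""
    s = sender.strip().strip("<>")
    if s == "":
        return "accept"  # null sender: bounces/DSNs must be accepted
    if "@" not in s:
        return "reject"
    domain = s.rsplit("@", 1)[1].lower()
    try:
        mx_hosts = resolve_mx(domain)
    except LookupError:
        return "tempfail"
    return "accept" if mx_hosts else "reject"


def summarize(senders, resolve_mx):
    """Tally MAIL FROM verdicts as count and percentage, like the
    mail-require-mx / mail-require-mx-error counters quoted in the post."""
    counts = {"accept": 0, "reject": 0, "tempfail": 0}
    for sender in senders:
        counts[check_mail_from(sender, resolve_mx)] += 1
    total = len(senders) or 1
    return {k: (v, round(100.0 * v / total, 2)) for k, v in counts.items()}


# Constructed stub standing in for DNS (a real check would query MX records).
FAKE_MX = {
    "example.com": ["mail.example.com"],
    "gone.example": [],  # harvested address whose domain no longer exists
}
BROKEN_DNS = {"broken.example"}  # dead/broken authoritative servers


def stub_resolve_mx(domain):
    if domain in BROKEN_DNS:
        raise LookupError("SERVFAIL for %s" % domain)
    return FAKE_MX.get(domain, [])


if __name__ == "__main__":
    for helo in ("dsldevice.lan", "localhost", "192.0.2.1", "[192.0.2.1]", "mail.example.org"):
        print(helo, classify_helo(helo, "mx.example.net"))
    print(summarize(["a@example.com", "b@gone.example", "c@broken.example", "<>"], stub_resolve_mx))
```

The split between reject and tempfail matters operationally: a missing MX is a property of the sender address and can be refused outright, while a DNS error may be transient, so returning a 4xx keeps legitimate mail from being bounced while still keeping bots (which rarely retry) out.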