Re: [anti-spam-wg] Semi-OT: XXXX SMTP command
From: der Mouse mouse@localhost
Date: Thu, 12 Jan 2006 16:19:53 -0500 (EST)

> Lately I see more and more hosts that send XXXX [as an SMTP verb].
> Anybody else seeing this

Oh yes. At work we've been seeing it for months. We had a data-losing
crash recently on that machine, so I can't check as far back as I
normally would, but I do have logs demonstrating that it goes back as
far as 2005-12-15, with no apparent rate increase or decrease. Here's
a count of incidents by day for the data I have (for 01-12, this is
data up to now):
2006-01-12 8 ********
2006-01-11 4 ****
2006-01-10 9 *********
2006-01-09 4 ****
2006-01-08 8 ********
2006-01-07 3 ***
2006-01-06 4 ****
2006-01-05 4 ****
2006-01-04 9 *********
2006-01-03 6 ******
2006-01-02 3 ***
2006-01-01 5 *****
2005-12-31 2 **
2005-12-30 0
2005-12-29 3 ***
2005-12-28 9 *********
2005-12-27 4 ****
2005-12-26 7 *******
2005-12-25 0
2005-12-24 14 **************
2005-12-23 3 ***
2005-12-22 3 ***
2005-12-21 8 ********
2005-12-20 5 *****
2005-12-19 2 **
2005-12-18 7 *******
2005-12-17 2 **
2005-12-16 2 **
2005-12-15 6 ******

> or knows what fine piece of ^H^H^H^H^Hsoftware is doing this?

What little I've heard agrees with what someone else said here: that
it's some firewall's SMTP filter going awry.

At home, I don't recall ever seeing it (I'm doing a search of my logs
now, but it will take a while, as I have a thousand days of logs
there - nothing in the last 60 days). But at home I do 90-second
banner delay, while at work only 5 seconds, and I suspect that it gives
up before sending the XXXX when faced with the long delay.

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
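
Added example, not part of der Mouse's message or of any software mentioned in the thread: one way to produce a per-day tally like the one in the message from SMTP session logs, including zero-incident days. The log line format, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Verbs from RFC 5321 plus the common STARTTLS and AUTH extensions.
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "VRFY",
               "EXPN", "HELP", "NOOP", "QUIT", "STARTTLS", "AUTH"}

# Assumed log format: "<ISO date> <time> <client IP> < <raw command line>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) < (.*)$")

# Constructed sample input, not real log data.
SAMPLE_LOG = """\
2005-12-30 23:59:58 192.0.2.10 < EHLO mail.example.net
2005-12-31 04:12:07 192.0.2.77 < XXXX mail.example.org
2005-12-31 04:12:09 192.0.2.77 < QUIT
2005-12-31 18:40:31 198.51.100.5 < xxxx host.example.com
2006-01-02 09:03:44 203.0.113.9 < XXXX relay.example.net
2006-01-02 09:03:45 203.0.113.9 < MAIL FROM:<a@example.net>
garbage line the parser must skip
"""

def unknown_verbs(log_text):
    """Yield (day, client, verb) for each command whose verb is not a known SMTP verb."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a command line in the assumed format
        day, client, command = m.groups()
        parts = command.split(None, 1)
        verb = parts[0].upper() if parts else ""  # SMTP verbs are case-insensitive
        if verb not in KNOWN_VERBS:
            yield date.fromisoformat(day), client, verb

def daily_counts(log_text, verb="XXXX"):
    """Return [(day, count)] newest first, zero-filled between first and last hit."""
    hits = Counter(d for d, _, v in unknown_verbs(log_text) if v == verb)
    if not hits:
        return []
    first, last = min(hits), max(hits)
    days = [first + timedelta(n) for n in range((last - first).days + 1)]
    return [(d.isoformat(), hits[d]) for d in reversed(days)]

def histogram(rows):
    """Render rows as 'date count ****' lines, one asterisk per incident."""
    return "\n".join(f"{day} {n} {'*' * n}".rstrip() for day, n in rows)

if __name__ == "__main__":
    print(histogram(daily_counts(SAMPLE_LOG)))
```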