Spambot attack - part 3

This spambot attack is continuing to have a residual tail:

Current statistics are: 7713 messages greylisted from 3407 unique IPs.

The pattern followed by these bots seems to be that a message is attempted once from a given IP address, and this is blocked by postgrey. Occasionally one of these IPs will try more than once and be blocked by the greylist multiple times (the timeout is 7 minutes, after which the greylist manager allows all mail through). Many IPs simply give up at this point. Those which come back (having passed the greylist) attempt to send an email to an invalid user id.

So I decided to write a script that would detect the addresses that were greylisted and then attempted to send another email to an invalid user id, and blacklist them in my firewall, Shoreline Firewall (Shorewall). The script is attached for anyone who is interested in playing with it.
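The detection described above, as an added example that is not the attached Perl script and not part of the original post: it reads postgrey and Postfix smtpd log lines, remembers every client address postgrey greylisted, and flags an address only if it later hits a "User unknown" recipient rejection. The sample log lines, the hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the log line formats are the standard postgrey and Postfix ones. The output is a list of `shorewall drop` commands (Shorewall's dynamic blacklist) rather than direct execution, so the result can be reviewed first.

```python
import re

# Constructed sample log lines (not the post's log.txt). Line order matters:
# 192.0.2.10 is greylisted, retries after the delay, then targets a bogus user.
# 192.0.2.11 is greylisted and never returns. 198.51.100.7 sends to a bogus
# user but was never greylisted, so it does not match the pattern in the post.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postgrey[2211]: action=greylist, reason=new, client_name=unknown, client_address=192.0.2.10, sender=alice@example.org, recipient=bob@example.net
Mar  3 10:01:40 mx postgrey[2211]: action=greylist, reason=new, client_name=unknown, client_address=192.0.2.11, sender=carol@example.org, recipient=bob@example.net
Mar  3 10:09:15 mx postgrey[2211]: action=pass, reason=triplet found, delay=493, client_name=unknown, client_address=192.0.2.10, sender=alice@example.org, recipient=bob@example.net
Mar  3 10:09:16 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <qzx7@example.net>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.org> to=<qzx7@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:12:00 mx postfix/smtpd[2291]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<nobody@example.net> proto=ESMTP helo=<h>
"""

# postgrey logs the client address as a key=value field.
GREYLIST_RE = re.compile(
    r"postgrey\[\d+\]: action=greylist, .*?client_address=([\d.]+)"
)
# Postfix logs unknown-recipient rejections as NOQUEUE: reject with a 550 and
# "User unknown"; the client IP sits in brackets after the client name.
UNKNOWN_USER_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: 550 .*User unknown"
)


def find_offenders(lines):
    """Return IPs that were greylisted and afterwards tried an invalid user id.

    The greylist set is built in log order, so a reject that precedes the
    greylisting of the same IP does not count; each IP is reported once.
    """
    greylisted = set()
    offenders = []
    for line in lines:
        m = GREYLIST_RE.search(line)
        if m:
            greylisted.add(m.group(1))
            continue
        m = UNKNOWN_USER_RE.search(line)
        if m:
            ip = m.group(1)
            if ip in greylisted and ip not in offenders:
                offenders.append(ip)
    return offenders


def shorewall_commands(ips):
    """Build `shorewall drop` commands for the dynamic blacklist.

    Assumes dynamic blacklisting is enabled in the Shorewall configuration.
    """
    return [f"shorewall drop {ip}" for ip in ips]


def main():
    for cmd in shorewall_commands(find_offenders(SAMPLE_LOG.splitlines())):
        print(cmd)


if __name__ == "__main__":
    main()
```

Run against a real mail log, the greylist set should be pruned to the same window postgrey uses, otherwise an address greylisted days ago and later rejected for a typo in a legitimate recipient would be blacklisted too.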

This spambot doesn't seem particularly efficient at getting spam through. Throughout the peak time of the attack, my email account did not get even one new spam from one of these addresses. The user ids attempted are fairly random, and in my opinion, unlikely to ever produce a significant percentage of hits, even on a large mail server. On my server with 5 real accounts (4 of which come to me), it was a positive waste of time.

Another interesting thing is that the SMTP connection method seems to be inconsistent. Some systems used TLS to connect and others didn't. Those that did often produced connection log messages like the attached log, which suggests that most of these bots are compromised hosted servers, and the bot seems just to use the SMTP configuration of the host rather than a dedicated SMTP engine.

Attachments:
  mailgraph.4.png (5.29 KB)
  smtp-ddos.pl_.txt (3.57 KB)
  log.txt (1.2 KB)