Skip to content

Spam bot behavior suddenly changes

By Ken Simpson | 1 minute read

One of the things that we keep track of with Traffic Control is the percentage of SMTP connections which end without the sender issuing a QUIT command as required by RFC 5321. Because the QUIT command is required by the RFC, it’s possible to reject and prevent delivery of messages from senders who violate this requirement. The impact on legitimate senders is extremely low, because all known legitimate MTAs properly issue a QUIT.

For a very long time, the percentage of connections that did not issue QUIT hovered around 0.25%. But for some reason, in the past day this figure has shot up. The graph below details this development:

This graph shows a recent spike in the percentage of connections passing through Traffic Control servers which are not correctly issuing the QUIT command to end an SMTP connection.

The data is the same whether we look at individual customer sites, at inbound-only traffic, or at outbound traffic emanating from large ISP sites where we have installed Traffic Control for transparent outbound spam filtering. Any ideas as to why this is happening? Anyone else seeing this trend?

Cut your support tickets and make customers happier