I wrote:
> Adding to my suspicion is that I don't recall having seen one of these
> personally,

I take that back --- some digging in my mail logs shows that I have
gotten a few of these, but they went straight to /dev/null because
my spam filters thought they were a virus. Have you checked whether
that "gif" is really an image, rather than a bit of malware?

The mail-log trace of the last such attempt is pretty interesting too:

Dec 16 13:05:16 sss2 sm-mta[27362]: lBGI5G1g027362: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:16 sss2 sm-mta[27363]: lBGI5GFn027363: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:17 sss2 sm-mta[27365]: lBGI5HIe027365: infotecnica.com.br [201.35.247.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 16 13:05:52 sss2 sm-mta[27368]: lBGI5n2G027368: from=<root@infotecnica.com.br>, size=27892, class=0, nrcpts=1, msgid=<200712161805.lBGI59uu016307@infotecnica.com.br>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=infotecnica.com.br [201.35.247.5]
Dec 16 13:05:52 sss2 sm-mta[27369]: lBGI5n2G027368: to="|/usr/local/bin/procmail -tYf- || exit 75 #tgl", ctladdr=<tgl@sss.pgh.pa.us>(301/20), delay=00:00:02, xdelay=00:00:00, mailer=prog, pri=58095, dsn=2.0.0, stat=Sent

Since 11 December there are consistently three no-op connections before
anything actually happens, which adds a whole new layer of incompetence
that could be charged against whoever is running this, if it actually is
a mail server --- which I grow increasingly dubious of. I also see a
whole lot of connection attempts in the preceding months in which
nothing was *ever* sent, just "did not issue MAIL" reports in bursts of
three.

Looks like spamhaus.org was blocking them for portions of last month,
too, so other people have been unhappy about this as well.

Whoever these people are, I've seen enough; I'm off to add this IP
address to my local permanent blacklist.

regards, tom lane
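
The pattern described in the message above (bursts of "did not issue MAIL" connections from one address, sometimes followed by an accepted message) can be counted per relay address straight from the mail log. This is an added example, not part of the original message: the sample lines are constructed in the same sendmail log format with documentation-range addresses, and the burst size, time window and assumed year are illustrative parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the sendmail format quoted in the message
# (documentation-range hosts and addresses, not the ones from the message).
NOOP_MSG = "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
SAMPLE_LOG = f"""\
Dec 16 13:05:16 mx1 sm-mta[101]: q1: probe.example.net [192.0.2.10] {NOOP_MSG}
Dec 16 13:05:16 mx1 sm-mta[102]: q2: probe.example.net [192.0.2.10] {NOOP_MSG}
Dec 16 13:05:17 mx1 sm-mta[103]: q3: probe.example.net [192.0.2.10] {NOOP_MSG}
Dec 16 13:05:52 mx1 sm-mta[104]: q4: from=<root@probe.example.net>, size=27892, nrcpts=1, relay=probe.example.net [192.0.2.10]
Dec 16 14:10:00 mx1 sm-mta[105]: q5: quiet.example.org [198.51.100.7] {NOOP_MSG}
Dec 16 15:00:00 mx1 sm-mta[106]: q6: from=<a@good.example.com>, size=900, nrcpts=1, relay=good.example.com [203.0.113.5]
"""

PREFIX = r"^(\w{3} +\d+ [\d:]{8}) \S+ sm-mta\[\d+\]: \S+: "
HOST_IP = r"(?:\S+ )?\[([\d.]+)\]"          # "name [ip]" or bare "[ip]"
NOOP = re.compile(PREFIX + HOST_IP + " did not issue MAIL")
MAIL = re.compile(PREFIX + r"from=.*relay=" + HOST_IP)

def parse(lines, year=2000):
    """Yield (timestamp, ip, kind); syslog omits the year, so one is assumed."""
    for line in lines:
        for kind, rx in (("noop", NOOP), ("mail", MAIL)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                yield ts, m.group(2), kind

def summarize(lines, burst=3, window=timedelta(seconds=60)):
    """Per IP: no-op connections, accepted messages, and messages that
    arrived within `window` of at least `burst` no-op connections."""
    recent = defaultdict(list)   # ip -> timestamps of recent no-op connections
    stats = defaultdict(lambda: {"noop": 0, "mail": 0, "mail_after_burst": 0})
    for ts, ip, kind in parse(lines):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if kind == "noop":
            recent[ip].append(ts)
            stats[ip]["noop"] += 1
        else:
            stats[ip]["mail"] += 1
            if len(recent[ip]) >= burst:
                stats[ip]["mail_after_burst"] += 1
            recent[ip].clear()
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

An address with many no-op connections and no accepted mail matches the "nothing was ever sent" case from the message; a non-zero `mail_after_burst` matches the three-probes-then-deliver trace.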