New Twist on HELO Bot

Our spam auditors noticed that a variation on a previous bot has surfaced: one that simply opens a connection, sends a HELO and then quits, similar to the ylmf-pc bot.

All it does is send a HELO greeting, usually from www.randomchars.com, and then disconnect, and it does this multiple times per second. It could be a broken bot, but it can cause a DoS-like situation by consuming too many processes on your mail servers.

This is one of those cases where ‘filtering’ isn’t going to help you, but the use of IP reputation lists can, especially if they are applied at the edge or pre-SMTP.

A short sampling of the attack traffic showed that the IPs were all of Japanese origin, which is unusual for a bot pattern. The following lists connection counts per IP address. The rDNS pattern is often the same www.randomchars.com, but quite often it is also sub0000539056.hmk-temp.com.

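As an added example that is not from the original post, here is a small detector for the pattern described above (HELO sent, session dropped without MAIL FROM, many sessions per second from one source), producing per-IP counts and rates that can feed an edge block list or reputation feed. The log line format, the RFC 5737 test addresses and the thresholds are assumptions; only the rDNS names come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post), loosely modelled on a
# Postfix "disconnect from host[ip] cmd=N ..." summary. IPs are RFC 5737 test ranges.
SAMPLE_LOG = """\
2024-01-12T10:00:00.050 disconnect from www.randomchars.com[203.0.113.5] helo=1 commands=1
2024-01-12T10:00:00.210 disconnect from www.randomchars.com[203.0.113.5] helo=1 commands=1
2024-01-12T10:00:00.480 disconnect from www.randomchars.com[203.0.113.5] helo=1 commands=1
2024-01-12T10:00:00.900 disconnect from sub0000539056.hmk-temp.com[198.51.100.7] helo=1 commands=1
2024-01-12T10:00:01.100 disconnect from www.randomchars.com[203.0.113.5] helo=1 commands=1
2024-01-12T10:00:01.300 disconnect from sub0000539056.hmk-temp.com[198.51.100.7] helo=1 commands=1
2024-01-12T10:00:02.000 disconnect from mail.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""
LINE_RE = re.compile(r"^(\S+) disconnect from (\S+)\[([\d.]+)\]((?: \w+=\d+)*)$")


def parse_sessions(log_text):
    """Yield (timestamp, rdns, ip, counters) for every disconnect summary line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a disconnect summary; skip
        counters = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(4))}
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), counters


def is_helo_only(counters):
    """True for a session that greeted (HELO/EHLO) but never issued MAIL FROM."""
    greeted = counters.get("helo", 0) + counters.get("ehlo", 0) > 0
    return greeted and counters.get("mail", 0) == 0


def find_helo_bots(log_text, min_sessions=3, min_rate=1.0):
    """Return {ip: (rdns, helo_only_sessions, sessions_per_second)} for noisy sources."""
    stamps, rdns_of = defaultdict(list), {}
    for ts, rdns, ip, counters in parse_sessions(log_text):
        if is_helo_only(counters):
            stamps[ip].append(ts)
            rdns_of[ip] = rdns
    flagged = {}
    for ip, ts_list in stamps.items():
        # Rate over the observed window, floored at one second so a sub-second burst is not divided by ~0.
        span = max((max(ts_list) - min(ts_list)).total_seconds(), 1.0)
        rate = len(ts_list) / span
        if len(ts_list) >= min_sessions and rate >= min_rate:
            flagged[ip] = (rdns_of[ip], len(ts_list), round(rate, 2))
    return flagged
```

The legitimate session (one that reached MAIL FROM) and the source with too few HELO-only sessions are left alone; only the repeat offender is reported.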
