Made an interesting observation on Friday that spam bots don’t do a QUIT at the end of an SMTP session. Real email servers are polite and after the message is sent they send a QUIT command to tell the receiving server to close the connection. Spam bots, however, don’t send the quit command because the message is sent and sending the quit just takes up time and bandwidth.

The new version of Exim now allows me to test to see if a QUIT has been sent or not and lets me feed my blacklist if certain conditions are met. We don’t blacklist just on the lack of quit but it’s really accurate in itself. If it is combined with any other spam-indicating sin then it can be blacklisted. As a result of this our blacklist has increased in size dramatically and a virus-infected computer can be detected the first time it touches our system. I think that we are catching nearly 100% of all spam bot attempts on the first try.
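
The rule described above (a missing QUIT counts only when it coincides with another indicator), as an added example that is not from the original post or from Exim. The log format, the sample sessions and the HELO check standing in for the "other sin" are all assumptions made for illustration.

```python
import re

# Constructed sample log in a hypothetical "<conn> <peer-ip> <event>" format.
# "C:" lines are client commands; "CLOSED" marks the end of the connection.
SAMPLE_LOG = """\
1 192.0.2.10 C: EHLO mail.example.org
1 192.0.2.10 C: MAIL FROM:<alice@example.org>
1 192.0.2.10 C: DATA
1 192.0.2.10 C: QUIT
1 192.0.2.10 CLOSED
2 198.51.100.7 C: HELO friend
2 198.51.100.7 C: MAIL FROM:<promo@example.com>
2 198.51.100.7 C: DATA
2 198.51.100.7 CLOSED
3 203.0.113.5 C: EHLO mx.example.com
3 203.0.113.5 C: MAIL FROM:<carol@example.com>
3 203.0.113.5 C: DATA
3 203.0.113.5 CLOSED
"""

LINE = re.compile(r"^(\d+) (\S+) (C: |CLOSED)(.*)$")

def other_indicators(commands):
    """Assumed stand-in check: the post does not name its other indicators."""
    hits = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        if verb.upper() in ("HELO", "EHLO") and "." not in arg:
            hits.append("helo-not-fqdn")
    return hits

def analyse(log):
    """Return {peer_ip: verdict} for every connection that has closed."""
    sessions, verdicts = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, ip, kind, rest = m.groups()
        s = sessions.setdefault(conn, {"cmds": [], "quit": False})
        if kind == "C: ":
            s["cmds"].append(rest)
            s["quit"] = s["quit"] or rest.strip().upper() == "QUIT"
        else:  # CLOSED: decide now that the whole session is known
            hits = other_indicators(s["cmds"])
            no_quit = not s["quit"]
            # Missing QUIT alone is not enough; it must coincide with another hit.
            verdicts[ip] = {"no_quit": no_quit, "indicators": hits,
                            "blacklist": no_quit and bool(hits)}
    return verdicts
```

Connection 3 shows why the combination matters: a well-formed sender whose connection drops before QUIT is recorded as `no_quit` but is not listed.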