Yes, the ones that pipeline commands when they've not requested it are typical of spammers.
I have sendmail's 'greetdelay' function enabled, which delays sending the initial greeting herald by 5 seconds after the connection opens, and flushes any mail where commands arrive before that time has elapsed. This pre-greeting-flush catches one or two senders a day, presumably spammers because they don't come back.
There are also those that connect and disconnect because they don't get the greeting fast enough for them. The RFCs suggest that the sender client should wait up to 3 minutes for the greeting herald but these senders are impatient with 5 seconds.
Watching the mail logs is tedious but informative. - Brian
On Wed, Oct 11, 2017 at 09:33:22AM +0200, Rob Janssen wrote:
When I ran my own mailserver I had greylisting that only worked by sender mail address. Additionally, it did the usual SPF checking etc.
This did not cause the abovementioned problem, but I'm not sure it added much spam prevention. I had other methods to detect trojaned PCs with bad SMTP senders (e.g. doing PIPELINING without having negotiated it) and that was much more effective.
Rob