These spammers use brute force techniques to hack into email accounts on servers that support remote authorization. Then they use those accounts to spread their garbage. They are smart enough to use different IP addresses, and they have learned to space out their login attempts to every 3 or 4 seconds, but that is where the intelligence ends. Here is a typical example:
1. 178.216.52.145 on port 3244|09:14:24
1. EHLO ylmf-pc
1. AUTH LOGIN
1. Closed.|09:14:24
Our server does not support AUTH LOGIN, and if they even bothered to look at the EHLO response, they would know that. And why would you use the same EHLO every time if you are trying to hack into a server? It doesn't make any sense, but they have been at it for quite a while now, so they must be doing something right.

J.A. Coutts