[Dshield] spam, security and this list

Chris Brenton cbrenton at chrisbrenton.org
Mon Dec 22 17:51:27 GMT 2003

On Mon, 2003-12-22 at 12:26, Johannes B. Ullrich wrote:
> Spam is frequently a security issue, and I will not cut any
> of the discussions off. But please keep in mind that this is
> a security list and try to limit spam discussions to security
> related issues.

With that in mind... ;-)

I just did a posting to NANOG and had this show up in my logs:

Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492:
before-reporting-as-abuse-please-see-www.njabl.org [] did
not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495:
ruleset=check_rcpt, arg1=<relaytest at rr.njabl.org>, relay=rt.njabl.org
[], reject=550 5.7.1 <relaytest at rr.njabl.org>... Relaying
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495:
ruleset=check_mail, arg1=<relaytestsend at spammers_waste_oxygen;>,
relay=rt.njabl.org [], reject=553 5.1.8
<relaytestsend at spammers_waste_oxygen;>... Domain of sender address
relaytestsend at spammers_waste_oxygen does not exist

There were about 15 attempts total that tried to relay mail through
my SMTP server using different address variations. This was followed up
by a port scan that hit about 100 ports total, including Telnet,
X-Windows and RADIUS.

njabl.org runs a blacklist for known open mail relays. Someone that
subscribes to their service just joined the NANOG mailing list.
Apparently when you subscribe to the service anyone that sends you mail
(directly or via a list) that is not on their approved IP list gets
whacked with the above traffic. If the sender passes, your e-mail gets
accepted and you get added to their white list. I've even heard people
claim that they commonly troll random IPs in their effort to ID open
relays, even after receiving calls from the network admin contact asking
them to cease the activity.

I'm not posting this to start up a discussion about whether this method
is good or bad (I think it sucks but your mileage may vary). I'm posting
it as a heads up in case you see someone probing for open ports on your
network or trying to relay mail through your SMTP server, it might
actually be a "feature". ;-p
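A defender-side way to pick relay tests like these out of a sendmail log, added here as an example that is not part of the original post: it parses the three kinds of entries quoted above from a constructed sample log (the archive's " at " obfuscation of "@" is kept, and the host names and queue ids are made up) and flags any connecting host that racks up repeated "Relaying denied" rejections.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the sendmail entries quoted in the post
# (the archive writes "@" as " at "; nothing below depends on that).
SAMPLE_LOG = """\
Dec 22 08:21:50 mailgate sendmail[492]: hBMDLnHS000492: before-reporting-as-abuse-please-see-www.njabl.org [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHS000495: ruleset=check_rcpt, arg1=<relaytest at rr.njabl.org>, relay=rt.njabl.org [], reject=550 5.7.1 <relaytest at rr.njabl.org>... Relaying denied
Dec 22 08:21:50 mailgate sendmail[495]: hBMDLoHT000495: ruleset=check_mail, arg1=<relaytestsend at spammers_waste_oxygen;>, relay=rt.njabl.org [], reject=553 5.1.8 <relaytestsend at spammers_waste_oxygen;>... Domain of sender address does not exist
Dec 22 08:21:51 mailgate sendmail[497]: hBMDLpHS000497: ruleset=check_rcpt, arg1=<relaytest2 at rr.njabl.org>, relay=rt.njabl.org [], reject=550 5.7.1 <relaytest2 at rr.njabl.org>... Relaying denied
Dec 22 09:00:00 mailgate sendmail[510]: hBME00HS000510: from=<alice at example.org>, size=1234, relay=mx.example.org []
"""

HEADER_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
REJECT_RE = re.compile(r"ruleset=(?P<ruleset>\w+), arg1=<(?P<arg1>[^>]*)>, "
                       r"relay=(?P<relay>\S+) \[[^\]]*\], reject=(?P<code>\d{3} \d\.\d\.\d)")
NOCMD_RE = re.compile(r"^(?P<relay>\S+) \[[^\]]*\] did not issue MAIL/EXPN/VRFY/ETRN")

def parse_events(log_text):
    """Yield (kind, relay_host, queue_id) for the entries that matter to relay-probe detection."""
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rest, qid = m.group("rest"), m.group("qid")
        r = REJECT_RE.search(rest)
        if r and r.group("ruleset") == "check_rcpt" and r.group("code") == "550 5.7.1":
            yield "relay_denied", r.group("relay"), qid      # refused to relay for a third party
        elif r and r.group("ruleset") == "check_mail":
            yield "sender_rejected", r.group("relay"), qid   # bogus envelope sender domain
        else:
            n = NOCMD_RE.match(rest)
            if n:
                yield "connect_no_cmd", n.group("relay"), qid  # connected, sent no SMTP command

def relay_probe_counts(log_text):
    """Count 'Relaying denied' rejections per connecting host."""
    return Counter(relay for kind, relay, _ in parse_events(log_text) if kind == "relay_denied")

def flag_relay_probers(log_text, threshold=2):
    """Hosts with at least `threshold` relay rejections: a relay test, not a one-off misdirected message."""
    return sorted(h for h, n in relay_probe_counts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for kind, relay, qid in parse_events(SAMPLE_LOG):
        print(f"{qid}: {kind} from {relay}")
    print("flagged:", flag_relay_probers(SAMPLE_LOG))
```

Run it against a real maillog by passing the file contents instead of SAMPLE_LOG; the threshold is deliberately low because a legitimate sender rarely triggers more than one relaying rejection from the same host.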
