[Dshield] SMTP question

Jon R. Kibler Jon.Kibler at aset.com
Wed Mar 19 15:56:35 GMT 2003


Paul Marsh wrote:
> 
> This morning I noticed the following in my Exchange logs.  It's happening every 30 minutes and started last night around 10:00.
> 
> 2003-03-19 12:54:00 66.73.93.182 - SMTPSVC1 OPUS xxx.xxx.xxx.xxx 0 HELO - +. 501 0 27 6 16 SMTP - - - -
> 2003-03-19 12:54:00 66.73.93.182 - SMTPSVC1 OPUS xxx.xxx.xxx.xxx 0 QUIT - - 0 110 27 6 63 SMTP - - - -
> 
> 2003-03-19 13:23:50 66.73.93.182 - SMTPSVC1 BANANA-JR-6K xxx.xxx.xxx.xxx 0 HELO - +. 501 0 27 6 0 SMTP - - - -
> 2003-03-19 13:23:50 66.73.93.182 - SMTPSVC1 BANANA-JR-6K xxx.xxx.xxx.xxx 0 QUIT - - 0 109 27 6 47 SMTP - - - -

This pattern is typical of a system running an open proxy server used by spammers to send their junk. The usual pattern is that they scan for MTAs and record the domain names of all MTAs found. They then search their address databases for all email addresses in that domain and later go back and try to spam the domain in question. I'll bet that within the next two weeks, and probably within the next few days, you receive spam that originates from the above IP.

I will add that it is unusual that they are scanning more than once. However, they may have a serious configuration error that is causing the repeated scans.

I did a quick check for open proxies and got immediate rejects (as well as a refused connection on port 25). From past experiences, this typically indicates either a proxy server that someone is running with access restricted to a few originating IPs, or a proxy server that is so heavily loaded that it cannot accept new connections.

> 
> 66.73.93.182 resolves out to an adsl user on ameritech.net
> 
> adsl-66-73-93-182.dsl.chcgil.ameritech.net
> 
> I did a quick scan and found port 25 and 110 open so I'm hoping this is just a home user that's installed a mailserver on his/her machine to play with?

The ARIN database reports the following entry for the above IP:
> CustName:   Advanced Learingin Institute
> Address:    6445 Clark St.
> City:       Chicago.net...
> StateProv:  IL.arin.net...
> PostalCode: 60605
> Country:    US
> RegDate:    2001-08-28
> Updated:    2001-08-28
> 
> NetRange:   66.73.93.176 - 66.73.93.183
> CIDR:       66.73.93.176/29
> NetName:    SBCIS-101828-161228
> NetHandle:  NET-66-73-93-176-1
> Parent:     NET-66-72-0-0-1
> NetType:    Reassigned
> Comment:
> RegDate:    2001-08-28
> Updated:    2001-08-28

If I was you, I would try to get a phone number for the above organization, then call and ask them why they are repeatedly scanning your MTA (when calling, ask for their "computer security person"). I suspect that if they are running an open proxy server, they are totally unaware of it -- that someone has hacked one of their systems and installed the proxy server without their knowledge.

Good luck and let us know what you find!

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA



> 
> Thanx, Paul
> 
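As an added illustration (not part of Jon's or Paul's messages), a small Python script that reads lines in the IIS SMTP log layout quoted above and flags source IPs whose sessions consist only of a rejected HELO followed by QUIT, recurring at a regular interval. It assumes the default IIS W3C extended field order (the thread shows only raw lines), and the sample log is constructed, modelled on the quoted lines with a fictitious normal delivery added.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Field order assumed to be the default IIS SMTP W3C extended layout (21 fields per line).
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method "
          "cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken "
          "cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)").split()
# Constructed sample modelled on the quoted lines, plus a fictitious normal delivery.
SAMPLE_LOG = """\
2003-03-19 12:54:00 66.73.93.182 - SMTPSVC1 OPUS 10.0.0.5 0 HELO - +. 501 0 27 6 16 SMTP - - - -
2003-03-19 12:54:00 66.73.93.182 - SMTPSVC1 OPUS 10.0.0.5 0 QUIT - - 0 110 27 6 63 SMTP - - - -
2003-03-19 13:01:12 192.0.2.44 - SMTPSVC1 OPUS 10.0.0.5 0 HELO - +mail.example.net 250 0 43 22 0 SMTP - - - -
2003-03-19 13:01:12 192.0.2.44 - SMTPSVC1 OPUS 10.0.0.5 0 MAIL - +FROM:<a@example.net> 250 0 35 27 0 SMTP - - - -
2003-03-19 13:01:13 192.0.2.44 - SMTPSVC1 OPUS 10.0.0.5 0 QUIT - - 0 110 27 6 0 SMTP - - - -
2003-03-19 13:23:50 66.73.93.182 - SMTPSVC1 BANANA-JR-6K 10.0.0.5 0 HELO - +. 501 0 27 6 0 SMTP - - - -
2003-03-19 13:23:50 66.73.93.182 - SMTPSVC1 BANANA-JR-6K 10.0.0.5 0 QUIT - - 0 109 27 6 47 SMTP - - - -
"""
def parse_line(line):
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):  # skip '#Fields:' headers, odd lines
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec
def sessions_by_ip(log_text):
    """Group each client IP's commands into sessions, each ended by a QUIT."""
    done, current = defaultdict(list), {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        current.setdefault(rec["c-ip"], []).append(rec)
        if rec["cs-method"] == "QUIT":
            done[rec["c-ip"]].append(current.pop(rec["c-ip"]))
    for ip, sess in current.items():  # sessions that were never closed with QUIT
        done[ip].append(sess)
    return done

def is_probe(session):
    """HELO/EHLO rejected with a 5xx and no MAIL FROM: the client never tried to deliver."""
    greets = [r for r in session if r["cs-method"] in ("HELO", "EHLO")]
    no_mail = all(r["cs-method"] != "MAIL" for r in session)
    return bool(greets) and no_mail and all(r["sc-status"].startswith("5") for r in greets)

def find_probing_ips(log_text, min_sessions=2):
    """Map IP -> (probe count, median minutes between probes) for repeat probers."""
    out = {}
    for ip, sessions in sessions_by_ip(log_text).items():
        starts = sorted(s[0]["ts"] for s in sessions if is_probe(s))
        if len(starts) >= min_sessions:
            gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
            out[ip] = (len(starts), round(statistics.median(gaps), 1))
    return out
```

On the constructed sample, `find_probing_ips(SAMPLE_LOG)` reports only the probing host, with two probe sessions about 30 minutes apart; the host that completed a HELO and MAIL FROM is not flagged.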