[Dshield] Big Jump in Open Relay Mailers

Jon R. Kibler Jon.Kibler at aset.com
Mon Feb 2 15:16:23 GMT 2004

Hello all,

Well, it appears that open relays are once again suddenly a problem. For about the last year, we have been detecting 2 or 3 different open relays per hour as spam sources, and we have been finding about 1 or 2 new, previously unreported, open relays per day. (We find the majority of spam originates from open proxy servers, or from password compromised mail servers.)

Starting late Friday, and through Sunday (don't have any info on today), we saw a big jump in the number of open relays. We are now seeing spam originate from about a dozen different open relays per hour, and we have been finding 1 or 2 new open relays per hour.

We were wondering if anyone had any ideas why the sudden jump? 

Our initial thought was that someone had released a new version or patch to some mail server, that left it an open relay, but checking the MTA signatures, we are finding several different vendors' products. 

Other thoughts... but ones we cannot test, include:
  1) A new exploit that takes advantage of some common configuration mistake (such as setting relaying on sender or connection domain name, instead of connection IP address).
  2) New malware that changes the mailer's configuration to make it an open relay.
  3) New malware that installs an open relay mailer onto a hacked system.
  4) Installing new AV software that somehow turns the MTA into an open relay.

Anyone have any solid information here?

TIA for any info you may have.
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
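As an added illustration of the configuration mistake in item 1 of the post (example code written for this page, not code from the post or any MTA), a small Python relay-policy model contrasting a decision keyed on the client-supplied HELO name or sender domain with one keyed on the connecting IP address; the domains, networks and transactions are constructed.

```python
import ipaddress
# Constructed sample policy data (illustrative only, not from the post).
LOCAL_DOMAINS = {"example.com"}                        # domains this MTA accepts mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hosts allowed to relay outbound

def _domain(addr):
    """Domain part of an address, or None if it is malformed."""
    user, sep, dom = addr.rpartition("@")
    return dom.lower() if sep and user and dom else None

def _trusted(conn_ip):
    """True when the connecting IP lies inside a trusted network."""
    try:
        ip = ipaddress.ip_address(conn_ip)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def relay_by_name(conn_ip, helo, mail_from, rcpt_to):
    """Weak policy (the mistake in item 1): relay when the HELO name or the
    sender's domain is local. Both are client-supplied and unverified."""
    rcpt_dom = _domain(rcpt_to)
    if rcpt_dom is None:
        return False                    # malformed recipient: reject outright
    if rcpt_dom in LOCAL_DOMAINS:
        return True                     # inbound mail for a local domain
    return bool({helo.lower(), _domain(mail_from)} & LOCAL_DOMAINS)

def relay_by_ip(conn_ip, helo, mail_from, rcpt_to):
    """Correct policy: relay to non-local recipients only from trusted
    networks, whatever the client claims in HELO or MAIL FROM."""
    rcpt_dom = _domain(rcpt_to)
    if rcpt_dom is None:
        return False
    return rcpt_dom in LOCAL_DOMAINS or _trusted(conn_ip)

def open_relay_cases(policy, transactions):
    """Transactions an untrusted source gets relayed under `policy`
    (non-empty result means the policy makes the MTA an open relay)."""
    return [tx for tx in transactions
            if not _trusted(tx[0]) and _domain(tx[3]) not in LOCAL_DOMAINS
            and policy(*tx)]

# Constructed transactions: (connecting IP, HELO, MAIL FROM, RCPT TO)
SAMPLE = [
    ("203.0.113.7", "mail.example.com", "boss@example.com", "target@other.test"),
    ("203.0.113.7", "spamhost.test", "x@spam.test", "target@other.test"),
    ("192.0.2.10", "ws1.example.com", "alice@example.com", "bob@other.test"),
    ("198.51.100.3", "relay.test", "x@spam.test", "carol@example.com"),
]
```

Running `open_relay_cases` against each policy with the constructed transactions shows the name-based policy relaying for an outside host that merely claims a local sender, while the IP-based policy relays only for the trusted network.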

