[Dshield] Big Jump in Open Relay Mailers

Jon R. Kibler Jon.Kibler at aset.com
Mon Feb 2 18:16:44 GMT 2004


Bjorn Stromberg wrote:
> 
> MyDoom isn't just about DDoS'ing SCO, it's main purpose is to backdoor PCs
> so that the spammers can use them as open relays. Unless you are seeing real
> mail-servers as relays and not just dynamic IP's I would assume that all
> your new traffic is coming from MyDoom infected machines. The spammers may
> even try to clean up the mydoom infection after they installed a rootkit.
> 
> Bjorn Stromberg

No, these are REAL open relays... not open proxies. These are the organization's 
real, legitimate MTAs running as an open relay. We have seen Microsoft, Novell, 
Eudora, IMail, VopMail, and a half-dozen other vendor's MTAs running as open relays. 
Also, when submitted to ORDB, they test open, and many are first detected using
NJABL or ORDB as a DNSBL.

Bottom line... real mail servers are becoming 'corrupt' for some reason.
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list