[Dshield] Big Jump in Open Relay Mailers

Jon R. Kibler Jon.Kibler at aset.com
Mon Feb 2 21:02:14 GMT 2004


See inserted comments...

Brad Spencer wrote:
> 
> At 10:16 AM 2/2/2004 -0500, you wrote:
> 
> >Anyone have any solid information here?
> 
> Have you tried making a telnet connection to port 25 on a few of those to
> see what the banner says is the mailer?  

Looking at the banners is how I produced the list in the previous email.

> How is it you can tell they are
> open relays? - the headers could lie.  

They are tested open relays in NJABL and/or ORDB.

> How are the IPs distributed by ISP,
> by geographic location?

Distributed around the world.

> 
> It could be as simple as  a new spammer starting up or an old spammer going
> back to open relays.
> 

I doubt it. It seems likely that "something" has occurred to make secure systems open relays. Checking the testing timestamps in the various DNSBLs, it is clear that this is something that started late Thursday (GMT).


> If true open relays are being targeted that makes open relay honeypots a
> strong countermeasure.
> 

Assuming that spammers are picking open relays at random vs. creating their own.

Also, I would like to add that all the open relays that we have reported to their owners' ISPs have now either been closed or taken offline. At least here, the squeaky wheel is getting the grease!

Jon Kibler
A.S.E.T., Inc.
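The thread above turns on three checks: grabbing the port-25 banner to see what the mailer claims to be, looking an address up in a DNSBL such as NJABL or ORDB, and confirming that a host really relays for third parties. The block below is an editor-added example and is not code from the post or from either author. It builds the reversed-octet DNSBL query name, parses a 220 greeting, and runs the classic relay probe (MAIL FROM / RCPT TO for a domain the target does not host, then RSET and QUIT so nothing is queued). The transport is injectable so the exchange can be replayed offline; all host names, addresses and server replies under `.invalid` are constructed for the example.

```python
"""Editor-added example: SMTP banner grab, DNSBL name construction and an
open-relay probe with an injectable transport (not the original post's code)."""
import re
import socket


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL is queried for, e.g.
    192.0.2.10 in 'dnsbl.example.invalid' -> '10.2.0.192.dnsbl.example.invalid'.
    Resolve it with socket.gethostbyname(); NXDOMAIN means 'not listed'."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def parse_banner(line: str) -> dict:
    """Extract code, host and the product text from a 220 greeting.
    The text after ';' (usually a timestamp) is dropped; the banner is
    whatever the server chooses to say, so treat 'software' as a claim."""
    m = re.match(r"^(\d{3})[ -](\S+)(?:\s+(.*))?$", line.strip())
    if not m:
        return {"code": None, "host": None, "software": None}
    code, host, rest = m.group(1), m.group(2), m.group(3) or ""
    return {"code": int(code), "host": host, "software": rest.split(";")[0].strip()}


class ScriptedTransport:
    """Offline stand-in for a socket: replays constructed server replies."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def readline(self) -> str:
        return self.replies.pop(0)

    def sendline(self, line: str) -> None:
        self.sent.append(line)


class SocketTransport:
    """Real TCP transport for use against a host you are authorised to test."""
    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

    def readline(self) -> str:
        return self.rfile.readline()

    def sendline(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("ascii"))


def read_reply(transport):
    """Read one SMTP reply, consuming '250-' continuation lines."""
    lines = []
    while True:
        line = transport.readline().rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines


def probe_relay(transport, helo="probe.example.invalid",
                sender="relaytest@example.invalid", rcpt="relaytest@example.invalid"):
    """Return (is_open_relay, transcript). None means the host never got far
    enough to be judged. A 250 to RCPT TO for a foreign domain is the usual
    relay indicator; some MTAs only reject at DATA, which this probe never sends."""
    transcript = []

    def cmd(line):
        transport.sendline(line)
        code, _ = read_reply(transport)
        transcript.append((line, code))
        return code

    code, _ = read_reply(transport)            # 220 greeting
    transcript.append(("<greeting>", code))
    if code != 220:
        return None, transcript
    if cmd(f"HELO {helo}") // 100 != 2:
        cmd("QUIT")
        return None, transcript
    if cmd(f"MAIL FROM:<{sender}>") // 100 != 2:
        cmd("QUIT")
        return False, transcript
    rcpt_code = cmd(f"RCPT TO:<{rcpt}>")
    cmd("RSET")                                 # abandon the envelope: nothing is queued
    cmd("QUIT")
    return rcpt_code // 100 == 2, transcript


# Constructed replies for an open and a properly configured relay.
OPEN_RELAY_REPLIES = [
    "220 mail.example.invalid ESMTP Sendmail 8.12.8/8.12.8; Mon, 2 Feb 2004 21:02:14 GMT",
    "250 mail.example.invalid Hello probe.example.invalid, pleased to meet you",
    "250 2.1.0 <relaytest@example.invalid>... Sender ok",
    "250 2.1.5 <relaytest@example.invalid>... Recipient ok",
    "250 2.0.0 Reset state",
    "221 2.0.0 mail.example.invalid closing connection",
]
CLOSED_RELAY_REPLIES = OPEN_RELAY_REPLIES[:3] + [
    "550 5.7.1 <relaytest@example.invalid>... Relaying denied",
] + OPEN_RELAY_REPLIES[4:]


def run_scripted(replies):
    """Probe a scripted server; returns (is_open_relay, commands_sent)."""
    t = ScriptedTransport(replies)
    is_open, _ = probe_relay(t)
    return is_open, t.sent


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example.invalid"))
    print(parse_banner(OPEN_RELAY_REPLIES[0]))
    print("open relay:", run_scripted(OPEN_RELAY_REPLIES)[0])
    print("closed relay:", run_scripted(CLOSED_RELAY_REPLIES)[0])
```

Swap `ScriptedTransport` for `SocketTransport("mail.example.invalid")` to probe a real host; the probe stops before DATA, so a server that defers relay rejection until the message body will still show up as "open" here, and the banner's software string is only what the server chose to advertise.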
