[Dshield] Big Jump in Open Relay Mailers

Brad Spencer brad.madison at mail.tds.net
Mon Feb 2 22:46:57 GMT 2004

At 04:02 PM 2/2/2004 -0500, you wrote:
>See inserted comments...
>Brad Spencer wrote:
> >
> > At 10:16 AM 2/2/2004 -0500, you wrote:
> >
> > >Anyone have an solid information here?
> >
> > Have you tried making a telnet connection to port 25 on a few of those to
> > see what the banner says is the mailer?
>Looking at the banners is how I produced the list in the previous email.


> > How is it you can tell they are
> > open relays? - the headers could lie.
>They are tested open relays in NJABL and/or ORDB.

OK.  do either of those date (explicitly or implicitly) the first sighting?

> >
> > It could be as simple as  a new spammer starting up or an old spammer going
> > back to open relays.
> >
>I doubt it. It seems likely that "something" has occurred to make secure 
>systems open relays. Checking the testing timestamps in the various 
>DNSBLs, it is clear that this is something that started late Thursday (GMT).

If it's a variety of MTA's then doesn't the "something" have to be some 
sort of remote administrative access by the spammers?  It seems unlikely 
new exploits for a bunch of MTAs would all be found at once.

> > If true open relays are being targeted that makes open relay honeypots a
> > strong countermeasure.
> >
>Assuming that spammers are picking open relays at random vs creating their 

Yes. Absolutely.  If they are creating their own then it would probably 
take a true honeypot or honeynet to catch them.

>Also, I would like to add that all the open relays that we have reported 
>to their owner's ISP have now either been closed or taken offline. At 
>least here, the squeaky wheel is getting the grease!

That may be significant.  If they were old open relays the first thing 
you'd suspect is that the administrator has been warned more than once and 
has not acted.   If all got cleaned up quickly, on one (or no) complaint, 
that makes it more likely they are, as you surmise, fresh open relays.

This is all very interesting.  Too bad there's such a burden that comes 
with the interest.

Same thing spammed or many different things?  Perhaps this can be traced 
back to the spammer by what he spams and how contact is to be made.

If the more astute of the administrators who have cleaned up their problem 
could be persuaded to look in their MTA logs they might find something of 
interest (or might not - but checking logs is a good idea most of the 
time.)  Something at or around last Thursday...

More information about the list mailing list