[Dshield] Big Jump in Open Relay Mailers

Jon R. Kibler Jon.Kibler at aset.com
Mon Feb 2 23:29:32 GMT 2004


Brad Spencer wrote:
<SNIP!> 
> > > How is it you can tell they are
> > > open relays? - the headers could lie.
> >
> >They are tested open relays in NJABL and/or ORDB.
> 
> OK.  do either of those date (explicitly or implicitly) the first sighting?

Dates are the date that they first failed an open relay test. Usually means about the time they were first reported as an open relay.

> 
> > >
> > > It could be as simple as  a new spammer starting up or an old spammer going
> > > back to open relays.
> > >
> >
> >I doubt it. It seems likely that "something" has occurred to make secure
> >systems open relays. Checking the testing timestamps in the various
> >DNSBLs, it is clear that this is something that started late Thursday (GMT).
> 
> If it's a variety of MTA's then doesn't the "something" have to be some
> sort of remote administrative access by the spammers?  It seems unlikely
> new exploits for a bunch of MTAs would all be found at once.
> 
<SNIP!>

I was thinking it could be something under the MTA or around the MTA -- such as an AV package, an O/S patch, or something similar. 

At this point, all I have is speculation...

Jon Kibler
A.S.E.T., Inc.
Charleston, SC  USA




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list