AW: [Dshield] New Relay Exploit?
brad.madison at mail.tds.net
Wed Jan 7 18:57:59 GMT 2004
At 07:11 PM 1/7/2004 +0100, you wrote:
>What do you mean SMTP open relay exploitation is more a thing of yesterday's
>And how would you use an open proxy for sending email ?
I'm not John, I'm new to this list today, and I've been concerned with open
relay abuse by spammers for over 3 years. Open relays may show a path back
to the spammer, open proxies don't. One way to use an open proxy for
sending email is to go through it to contact an open relay. If the spammer
does that the trail leads back to the open proxy and stops there. The
advantage to a spammer of using an open proxy is that he is completely
untraceable using message header information.
Up to May of last year I was watching the tests made by spammers to
determine if a system to which I had access (and had managed before
retirement) was an open relay. For that first part of 2003 that system
averaged about 4 spammer open relay tests per day. What the figures would
be today I can't say, but the blocked port 25 traffic reported to Dshield
probably is mostly open relay test message attempts. If the traffic from
an IP in Taiwan is voluminous and is all blocked for that traffic in
particular the better guess is that the Taiwanese spammer thinks the IP has
an open relay and is wrong.
At home I watch for port 25 traffic using ZoneAlarm (I also have a hardware
firewall: I deliberately pass port 25 so I can log it). Attempts from other
than Taiwan source IPs have gotten rare. As I don't know each spammer's
mind I don't know why I'm not seeing tests any more from most of the IP
space, but it could be that most spammers have moved on, either to open
proxies (which can, of course, also be used for the SMTP dialog direct to
the victim's server) or dedicated zombie spam server software installed by
the spammer via a Trojan Horse or other means.
While the spammer is untraceable using message header information many
spammers do contact the open proxies they find directly from their
own IPs. That means anyone alert enough to what the spammer is doing can
learn his IP, report the abuse to the spammer's ISP, and perhaps see that
the spammer gets booted. That happened to Alan Ralsky for his network
connection to his basement spam server farm last year.
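To illustrate the header trail described in this post, here is an added Python example (not from the original message or the list): it walks constructed Received headers back from the victim's MX through the open relay and shows that the recorded trail ends at the proxy's IP when the spammer went through an open proxy. The host names, addresses and the known-proxy set are assumptions.

```python
import re

# Constructed sample headers (not from the original post), newest hop first as
# they appear in a delivered message. Addresses are from documentation ranges.
DIRECT_TO_RELAY = [
    "from relay.example.net (relay.example.net [203.0.113.7]) by mx.victim.example with ESMTP",
    "from spamhost ([192.0.2.45]) by relay.example.net with SMTP",
]
VIA_PROXY = [
    "from relay.example.net (relay.example.net [203.0.113.7]) by mx.victim.example with ESMTP",
    "from unknown ([198.51.100.23]) by relay.example.net with SMTP",
]
# Assumed set of open proxies already known to us (e.g. from our own port 25 logs).
KNOWN_PROXIES = {"198.51.100.23"}

# The bracketed address in a Received line is the peer IP the receiving server saw.
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(received):
    """Connecting IP recorded by each Received line, newest hop first."""
    ips = []
    for line in received:
        m = RE_IP.search(line)
        if m:
            ips.append(m.group(1))
    return ips

def trace(received, trusted_hops=2):
    """Deepest connecting IP recorded by a hop we are willing to trust.
    Our own MX line is trustworthy; the open relay's line only insofar as the
    relay is an honest but misconfigured server. Older lines may have been
    forged by the sender, so the walk stops after trusted_hops."""
    ips = hop_ips(received)[:trusted_hops]
    return ips[-1] if ips else None

def trail_end(received, known_proxies=KNOWN_PROXIES, trusted_hops=2):
    """Classify where the header trail ends: at a host we can name and report,
    or at a known open proxy, past which the headers say nothing about the sender."""
    ip = trace(received, trusted_hops)
    if ip is None:
        return ("none", None)
    return ("proxy", ip) if ip in known_proxies else ("host", ip)

if __name__ == "__main__":
    for name, headers in (("direct to relay", DIRECT_TO_RELAY), ("via proxy", VIA_PROXY)):
        print(name, "->", trail_end(headers))
```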