AW: [Dshield] New Relay Exploit?

Brad Spencer brad.madison at
Wed Jan 7 18:57:59 GMT 2004

At 07:11 PM 1/7/2004 +0100, you wrote:
>What do you mean SMTP open relay exploitation is more a thing of yesterday's
>spammers ?
>And how would you use an open proxy for sending email ?

I'm not John, I'm new to this list today, and I've been concerned with open 
relay abuse by spammers for over 3 years.  Open relays may show a path back 
to the spammer, open proxies don't.   One way to use an open proxy for 
sending email is to go through it to contact an open relay.  If the spammer 
does that the trail leads back to the open proxy and stops there.  The 
advantage to a spammer of using an open proxy is that he is completely 
untraceable using message header information.

Up to May of last year I was watching the tests made by spammers to 
determine if a system to which I had access (and had managed before 
retirement) was an open relay.  For that first part of 2003 that system 
averaged about 4 spammer open relay tests per day.  What the figures would 
be today I can't say, but the blocked port 25 traffic reported to Dshield 
probably is mostly open relay test message attempts.  If the traffic from 
an IP in Taiwan is voluminous and is all blocked for that traffic in 
particular the better guess is that the Taiwanese spammer thinks the IP has 
an open relay and is wrong.

At home I watch for port 25 traffic using ZoneAlarm (I also have a hardware 
firewall: I deliberately pass port 25 so I can log it.  Attempts form other 
than Taiwan source IPs have gotten rare.  As I don't know each spammer's 
mind I don't know why I'm not seeing tests any more form most of the IP 
space, but it could be that most spammers have moved on, either to open 
proxies (which can, of course, also be used for the SMTP dialog direct to 
the victim's server) or dedicated zombie spam server software installed by 
the spammer via a Trojan Horse or other means.

While the spammer is untraceable using message header information many 
spammers do contact the open proxies they find directly form their 
own  IPs.  That means anyone alert enough to what the spammer is doing can 
learn his IP, report the abuse to the spammer's ISP, and perhaps see that 
the spammer gets booted.  That happened to Alan Ralsky for his network 
connection to his basement spam server farm last year.

More information about the list mailing list