[unisog] Looking for sites that are redirecting SMTP requests

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Tue May 13 17:38:04 GMT 2003


>And I doubt many institutions really want to block outbound 25.

From what I can tell, although the Trojan and the incoming "seed" mail may 
come in on random high-numbered ports, the outgoing SMTP connections from 
the infected computer to the servers it is trying to spam is always 
through port TCP 25 outbound (which makes sense since it is trying to send 
mail to them).

I get a daily report that looks like this:

Local Mail Clients
IP               HostName                   Connections  Incoming(bytes)  Outgoing(bytes)  Total(bytes)
137.099.026.003  uconnvm.uconn.edu          128,728      85,134,107       1,249,956,587    1,335,090,694
137.099.033.089  ajax.phar.uconn.edu        046,343      33,830,988       0,081,253,708    0,115,084,696
137.099.025.204  mail2.uits.uconn.edu       042,387      12,446,937       0,223,212,892    0,235,659,829
137.099.133.016  d133h16.resnet.uconn.edu   034,872      36,840,475       0,144,405,170    0,181,245,645

The first three computers are all known mail servers, but why is a ResNet 
computer opening 35,000 connections to remote mail servers in one day? 
Looking into the logs shows:

LocalIP         RemoteIP        Prot LocPort RemPort InBytes OutBytes InPckts OutPckts TimeStarted
137.099.133.016 063.246.129.100 6 7629 44514 0419 0395 06 05 08:22:17.
137.099.133.016 024.048.058.218 6 4988 00025 0281 0224 04 04 08:22:18.
137.099.133.016 063.246.129.100 6 7629 45532 0836 1187 11 13 08:22:20.
137.099.133.016 012.158.034.245 6 4991 00025 0857 0773 10 12 08:22:20.
137.099.133.016 063.246.129.100 6 7629 46540 2699 1391 14 14 08:22:24.
137.099.133.016 159.127.066.121 6 4998 00025 1211 2468 14 13 08:22:24.
137.099.133.016 159.127.066.121 6 0113 59261 0062 0054 01 01 08:22:24.
137.099.133.016 063.246.129.100 6 7629 47536 2619 1270 14 13 08:22:29.
137.099.133.016 065.054.166.230 6 5000 00025 1330 2442 17 14 08:22:29.
137.099.133.016 063.246.129.100 6 7629 48527 2693 1296 14 13 08:22:32.
137.099.133.016 206.191.000.249 6 1027 00025 1356 2540 17 14 08:22:32.

(I zero-padded the rows to line them up, so SMTP looks like port 00025.  I 
also removed some outgoing web browsing, which hopefully has nothing to do 
with this (but sort of looked spyware related - lots of small, regular 
connections to ad servers through port 80).  I did not anonymize the logs, 
since every single person who got spam from this computer has the IP 
anyway.)

Every time external host 63.246.129.100 connected to our host on port 7629, 
our host sent another piece of email out.  The last time I pulled one of 
these apart it was an email-carried Windows virus that opened that port. 
(And scanning that external host turns up some interesting ports.)

This computer sent 200,000 pieces of spam over the weekend before I 
blocked it Monday morning, and now I will get dozens of spamcop and other 
complaints over the next few weeks.  I blocked it as soon as I noticed it, 
but thus far we do not catch these as quickly as I would like.  "Bad" 
email is currently our largest security-related problem, from the Klez, 
etc. remail viruses and the plague of relays we see installed/exploited 
lately.

I am considering blocking outbound TCP 25 on ResNet for the Fall.  If 
students want to run a mail server or send mail through another ISP they 
would have to register it with us first.  I consider that a small price to 
pay for no more spam or virus-infected email originating from our 11,000 
ResNet computers.  If that block works well I am considering doing it for 
the whole University, after a thorough audit of our current legitimate 
mail servers.

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





Thomas DuVally <thomas_duvally at brown.edu>
05/13/2003 09:48 AM

 
        To:     UNISOG <unisog at sans.org>
        cc: 
        Subject:        Re: [unisog] Looking for sites that are redirecting SMTP requests


Is there any evidence that these compromised systems are even using
inbound port 25?  I've seen at least one case where a high-number port
was used inbound to the open relay.  I agree with blocking 25 inbound,
but it may only be a short-term fix.  And I doubt many institutions
really want to block outbound 25.

On Mon, 2003-05-12 at 16:27, Paul Russell wrote:
> As a result of recent incidents in which student computers were hijacked to
> send spam through remote open relays, we have been asked to investigate the
> feasibility of redirecting all SMTP connection requests from student systems
> to our central mail servers. I have been asked to find out whether any other
> educational institutions are doing this.
-- 
Thomas DuVally
Lead Sys. Prog.
CIS, Brown Univ.
401.863.9466
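The pattern Phil describes earlier in this thread (one remote host repeatedly connecting to port 7629 on the ResNet machine, each connection followed by an outbound SMTP session) can be checked mechanically over the flow records he posted. The script below is an added example, not code from the original post or from UConn: it parses the flow format shown above, counts outbound TCP/25 connections per local host against an allow-list, identifies the listening port by the repeated inbound connections from a single remote host, and pairs each of those control connections with the SMTP connection that follows it. The allow-list (the three known mail servers from the daily report), the connection threshold and the 10-second correlation window are assumptions made for the example; the flow records are copied from the post.

```python
"""Spot a hijacked host relaying spam in a per-connection flow log.

Added example, not code from the unisog post. Input format is the one shown
in the thread: LocalIP RemoteIP Prot LocPort RemPort InBytes OutBytes InPckts
OutPckts TimeStarted, with the author's zero padding. Two checks are applied:
  1. outbound TCP/25 connections per local host, flagged when a host that is
     not a registered mail server exceeds a threshold;
  2. a control channel (a local port that keeps accepting connections from one
     remote host), each inbound hit paired with the SMTP session it triggers.
Allow-list, threshold and window are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Flow records copied from the post (137.099.133.016 is the ResNet host).
FLOW_LOG = """\
LocalIP RemoteIP Prot LocPort RemPort InBytes OutBytes InPckts OutPckts TimeStarted
137.099.133.016 063.246.129.100 6 7629 44514 0419 0395 06 05 08:22:17.
137.099.133.016 024.048.058.218 6 4988 00025 0281 0224 04 04 08:22:18.
137.099.133.016 063.246.129.100 6 7629 45532 0836 1187 11 13 08:22:20.
137.099.133.016 012.158.034.245 6 4991 00025 0857 0773 10 12 08:22:20.
137.099.133.016 063.246.129.100 6 7629 46540 2699 1391 14 14 08:22:24.
137.099.133.016 159.127.066.121 6 4998 00025 1211 2468 14 13 08:22:24.
137.099.133.016 159.127.066.121 6 0113 59261 0062 0054 01 01 08:22:24.
137.099.133.016 063.246.129.100 6 7629 47536 2619 1270 14 13 08:22:29.
137.099.133.016 065.054.166.230 6 5000 00025 1330 2442 17 14 08:22:29.
137.099.133.016 063.246.129.100 6 7629 48527 2693 1296 14 13 08:22:32.
137.099.133.016 206.191.000.249 6 1027 00025 1356 2540 17 14 08:22:32.
"""

# Assumed allow-list: the three known mail servers from the daily report.
KNOWN_MAIL_SERVERS = {"137.99.26.3", "137.99.33.89", "137.99.25.204"}
TCP, SMTP_PORT = 6, 25


def normalize_ip(padded):
    """'063.246.129.100' -> '63.246.129.100' (drop the zero padding)."""
    return ".".join(str(int(octet)) for octet in padded.split("."))


def parse_flow_log(text):
    """Parse the space-separated flow records into dicts; skips the header."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "LocalIP":
            continue
        if len(fields) != 10:
            raise ValueError(f"unexpected flow record: {line!r}")
        flows.append({
            "local": normalize_ip(fields[0]), "remote": normalize_ip(fields[1]),
            "proto": int(fields[2]), "lport": int(fields[3]), "rport": int(fields[4]),
            "in_bytes": int(fields[5]), "out_bytes": int(fields[6]),
            # Only a time of day is recorded, with a trailing '.' to strip.
            "start": datetime.strptime(fields[9].rstrip("."), "%H:%M:%S"),
        })
    return flows


def outbound_smtp_counts(flows):
    """Outbound SMTP sessions per local host (TCP to remote port 25)."""
    return Counter(f["local"] for f in flows
                   if f["proto"] == TCP and f["rport"] == SMTP_PORT)


def suspected_relays(flows, threshold, known=KNOWN_MAIL_SERVERS):
    """Hosts at or above the threshold that are not registered mail servers."""
    return {ip: n for ip, n in outbound_smtp_counts(flows).items()
            if n >= threshold and ip not in known}


def control_channels(flows, min_connections=3):
    """(local, lport, remote) keys where one remote host hits the same local
    port from several different source ports: the local host is listening
    there (7629 in the post) rather than initiating the traffic."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["local"], f["lport"], f["remote"])].add(f["rport"])
    return {k for k, ports in seen.items() if len(ports) >= min_connections}


def correlate(flows, window=timedelta(seconds=10)):
    """Pair each inbound control connection with the first unpaired outbound
    SMTP session from the same local host starting within `window` of it."""
    channels = control_channels(flows)
    by_start = lambda f: f["start"]
    triggers = sorted((f for f in flows
                       if (f["local"], f["lport"], f["remote"]) in channels), key=by_start)
    smtp = sorted((f for f in flows
                   if f["proto"] == TCP and f["rport"] == SMTP_PORT), key=by_start)
    pairs, used = [], set()
    for t in triggers:
        for i, s in enumerate(smtp):
            if i in used or s["local"] != t["local"] or s["start"] < t["start"]:
                continue
            if s["start"] - t["start"] > window:
                break  # smtp is sorted, so nothing later can match either
            used.add(i)
            pairs.append((t["start"].strftime("%H:%M:%S"), t["remote"], s["remote"]))
            break
    return pairs


if __name__ == "__main__":
    flows = parse_flow_log(FLOW_LOG)
    print("suspected relays:", suspected_relays(flows, threshold=5))
    print("control channels:", control_channels(flows))
    for when, controller, target in correlate(flows):
        print(f"{when}: {controller} -> control port, then SMTP to {target}")
```

On the posted sample every one of the five inbound hits on 7629 from 63.246.129.100 lines up with an SMTP session to a different remote mail server within a few seconds, which is the evidence Phil read off by eye. On a full day's export the threshold would be set from the summary report (tens of thousands of connections for a non-mail-server host), and the allow-list would be the audited list of legitimate mail servers he mentions registering.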