Security Incidents mailing list archives
Re: Email Relay Searches
From: "Allen Smith" <easmith () beatrice rutgers edu>
Date: Sat, 30 Mar 2002 00:21:58 -0500
On Mar 29, 6:56pm, Pat Moffitt wrote:
I have been seeing a few of these and find them, well, interesting.

2002-03-29 00:14:18 refused relay (host) to <mattkell () 00264587623 com> from <mattkel () 00264587623 com> H=(12.144.138.34) [12.254.177.131]

If you check you will find that 002645587623.com does exist. They are sending out email trying to relay through other servers and the hello has the server's address in it. So all they have to do is log all the H=(xx.xx.xx.xx)'s and they have a list of open mail relay servers.
Well, the first thing to do is to check whether this might be a legitimate relay-testing service (e.g., something like http://www.ordb.org, with the motivation being enabling people to block email from open relays); I doubt it, since I've certainly never heard of them. A whois check (see http://www.samspade.org for one convenient means of doing this) reveals that the registrant is "Matt Kelly", and a search for this name in news.admin.net-abuse.* reveals http://groups.google.com/groups?q=Matt+Kelly+group:news.admin.net-abuse.*&hl=en&scoring=r&selm=3C9FE994.B830F441%40ids.net&rnum=4 and the info that, no, this isn't legitimate, it appears to be a spammer.
Anything we can do about these?
Well, since this is going through AT&T, according to the IP address (translates to 12-254-177-131.client.attbi.com), complaining to them (abuse () attbi com) would be a start. Complaining to venturesonline.com (who hosts 00264587623.com) might also help, except that from the evidence locatable via news.admin.net-abuse.*, they appear not to care about spamming et al (I might mention that venturesonline.com blocks are listed on multiple blacklists, including SPEWS (see http://www.spews.org)), so going to their upstream, bbnplanet.net, might help - abuse () genuity net.

-Allen

--
Allen Smith http://cesario.rutgers.edu/easmith/
September 11, 2001 A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
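
Added example (not part of the original message, and not code from either poster): one way to pull the pattern described in this thread out of a mail log, namely refused relay attempts whose HELO carries one of the receiving server's own addresses. The line format is taken from the single log line quoted above; the sample lines, the addresses in OUR_MX_ADDRESSES and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the "refused relay" line shape quoted in the message above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) refused relay \((?P<why>\w+)\) "
    r"to <(?P<rcpt>[^>]*)> from <(?P<sender>[^>]*)> "
    r"H=\((?P<helo>[^)]*)\) \[(?P<peer>[0-9.]+)\]"
)

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
2002-03-29 00:14:18 refused relay (host) to <probe1@collector.example> from <probe@collector.example> H=(192.0.2.25) [198.51.100.7]
2002-03-29 00:14:40 refused relay (host) to <probe2@collector.example> from <probe@collector.example> H=(192.0.2.26) [198.51.100.7]
2002-03-29 03:02:11 refused relay (host) to <friend@elsewhere.example> from <user@customer.example> H=(laptop.customer.example) [203.0.113.9]
2002-03-29 04:00:00 some unrelated log entry
"""

# Assumption: the addresses our own mail servers listen on.
OUR_MX_ADDRESSES = {"192.0.2.25", "192.0.2.26"}


def find_relay_probes(log_text, our_addresses):
    """Return {peer_ip: {count, targets, domains}} for refused relay attempts
    whose HELO is one of our own addresses rather than the client's."""
    hits = defaultdict(lambda: {"count": 0, "targets": set(), "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a refused-relay line
        helo, peer = m["helo"], m["peer"]
        # The pattern from the thread: the client announces the *server's*
        # address in HELO, which a normal mail client has no reason to do.
        if helo in our_addresses and helo != peer:
            entry = hits[peer]
            entry["count"] += 1
            entry["targets"].add(helo)
            entry["domains"].add(m["rcpt"].rpartition("@")[2].lower())
    return {peer: {k: (v if k == "count" else sorted(v)) for k, v in e.items()}
            for peer, e in hits.items()}


if __name__ == "__main__":
    for peer, info in find_relay_probes(SAMPLE_LOG, OUR_MX_ADDRESSES).items():
        print(peer, info)
```

The per-peer summary (connecting address, which of our servers were tried, recipient domains) is the material an abuse report to the connecting network's abuse contact would quote.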