Security Incidents mailing list archives

RE: SMTP Scans


From: "Rob Shein" <shoten () starpower net>
Date: Mon, 21 Apr 2003 18:50:33 -0400

The question that first comes to mind is, are you sure this is BT-sponsored
activity?  What has the ISP response been, and in what way was it vague?
The few later connect attempts from what should be a RADIUS server are kind
of odd for an open relay scan.  Also, is the abuse email address for BT
actually bt.abuse () bt com, or is it just abuse () bt com?  It could be someone
with a cheesy police uniform rattling doors, hoping that nobody recognizes
his true intent... 

-----Original Message-----
From: Hoof Hearted [mailto:capbligh2001 () hotmail com] 
Sent: Sunday, April 20, 2003 7:07 AM
To: incidents () securityfocus com
Subject: Re: SMTP Scans


Hi All,

Firstly, thanks to the Moderator for bouncing the 1st draft of this :-) My thoughts and comments, after being woken for the 3rd night in a row with my IDS going off, produced more vitriol than coherence and were, on reflection, best not posted. Hopefully this draft is more informative.

I'd appreciate any thoughts from list subscribers on the following:

For the last few months our ISP (BT) has apparently been scanning our mail servers for open relays; this is happening up to 12 times a day across both Primary & Secondary mail servers.

My concerns are twofold: firstly, that I see no good reason to run the scans so frequently; and secondly, that by nominating the postmaster account and attempting to gain access to it, (to my mind) it goes from a relay scan (something I find marginally acceptable) to an attempted hack (something I definitely do NOT find acceptable).

To attempt an analogy, I view this as similar to a Policeman rattling doors. I'm sure few would object to any Policeman checking to see if doors are locked; however, there's a big difference between 'rattling doors' and 'attempting to gain entry'.

It may well be that the scans are entirely innocent; the problem is that they look decidedly suspicious in the logs. For example, why would an ISP like BT use one of its ADSL accounts to scan its customers? If I were doing the scanning, I'd ensure the scanning box was called something like 'openrelayscan.bt.com', ergo something easily identifiable and verifiable.

To compound matters the ISP response has been vague.

MailServer Logs (BST)

03/10/2003 15:38:31-0X0758-SMTP: Incoming connection detected..
03/10/2003 15:38:31-0X0758-SMTP: 03/10/2003 15:38:31-Spawning server thread for socket [240]..
03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 217.32.108.165..
03/10/2003 15:38:31-0X06F0-RBL: IP testing for [217.32.108.165]
03/10/2003 15:38:31-0X06F0-RBL: Testing 165.108.32.217.sbl.spamhaus.org
03/10/2003 15:38:31-0X06F0-RBL: DUL Testing 165.108.32.217.list.dsbl.org
03/10/2003 15:38:32-0X06F0-SMTP: Sending 'service ready' to receiver on socket [240]..
03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse () bt com against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse
03/10/2003 15:38:32-0X06F0-SMTP: Address [<bt.abuse>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@x.x.x.x
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@x.x.x.x against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@[x.x.x.x]
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@[x.x.x.x] against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
03/10/2003 15:38:32-0X06F0-SMTP: Address [<postmaster>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: Bypassing UBE test..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
03/10/2003 15:38:32-0X06F0-SMTP: Closing connection on socket [240]..
03/10/2003 15:38:32-0X06F0-SMTP: Exiting thread for socket [240]..

Firewall Logs (BST)
_____________

2003/04/11 15:51:18 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 01:12:53 217.32.108.165:41035 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 12:15:06 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 23:06:15 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 15:43:45 217.32.108.165:38238 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 15:56:26 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 18:26:56 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 23:01:11 217.32.108.165:50834 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 15:47:40 217.32.108.165:52725 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 01:28:47 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 00:46:48 217.32.108.165:63777 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 15:52:49 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 23:52:46 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 00:00:14 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 13:23:45 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 15:49:18 217.32.108.165:51404 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:52:38 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:54:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:55:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 23:05:48 217.32.108.165:51612 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED

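The relay-probe pattern in the mail server log quoted in the post (one connection cycling through several envelope senders, including a bare local part, an IP literal and the null sender, and getting a 550 on every off-domain RCPT TO) is regular enough to pick out of a log automatically. The following is an added example, not code from the thread or from either poster; the line format follows the quoted server log, the sample lines are constructed with example.net/example.org placeholder addresses, and the local domain, socket numbers and the three-sender threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the session quoted in the post (addresses replaced with
# example.net/example.org placeholders); socket 241 is an ordinary delivery, for contrast.
SAMPLE = """\
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:abuse@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:abuse@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <abuse@example.net>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:abuse
03/10/2003 15:38:32-0X06F0-SMTP: Address [<abuse>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:abuse@[192.0.2.10]
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:abuse@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <abuse@example.net>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:abuse@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <abuse@example.net>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
03/10/2003 15:40:01-0X0702-SMTP: (State=2) on socket [241] Got MAIL FROM:alice@example.net
03/10/2003 15:40:01-0X0702-SMTP: (State=3) on socket [241] Got RCPT TO:bob@example.org
"""

CMD = re.compile(r"on socket \[(\d+)\] Got (MAIL FROM:|RCPT TO:)(\S*)")
REJ = re.compile(r"on socket \[(\d+)\] 5\d\d ")

def summarize(lines):
    """Group envelope commands and 5xx replies by socket (one socket = one TCP session)."""
    sessions = defaultdict(lambda: {"senders": [], "rcpts": [], "rejects": 0})
    for line in lines:
        if m := CMD.search(line):
            sock, verb, arg = m.groups()
            sessions[sock]["senders" if verb == "MAIL FROM:" else "rcpts"].append(arg)
        elif m := REJ.search(line):
            sessions[m.group(1)]["rejects"] += 1
    return dict(sessions)

def is_relay_probe(session, local_domains, min_senders=3):
    """Relay-test signature from the post: several distinct envelope senders in one
    session, every RCPT TO off-domain, and the server rejecting each of them."""
    rcpts = session["rcpts"]
    off_domain = [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in local_domains]
    return (len(set(session["senders"])) >= min_senders
            and bool(rcpts) and len(off_domain) == len(rcpts)
            and session["rejects"] >= len(rcpts))

def probe_sockets(lines, local_domains):
    """Sockets whose session matches the relay-probe signature, in log order."""
    return [s for s, sess in summarize(lines).items() if is_relay_probe(sess, local_domains)]

if __name__ == "__main__": print(probe_sockets(SAMPLE.splitlines(), {"example.org"}))  # ['240']
```

A normal delivery (socket 241) is not flagged because it uses a single sender and its recipient is on a local domain; the same rule applied per source address across a day's logs gives the scan frequency the post complains about.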


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------
