Security Incidents mailing list archives

Re: Email Relay Searches


From: "Allen Smith" <easmith () beatrice rutgers edu>
Date: Sat, 30 Mar 2002 00:21:58 -0500

On Mar 29,  6:56pm, Pat Moffitt wrote:
> I have been seeing a few of these and find them, well, interesting.
>
> 2002-03-29 00:14:18 refused relay (host) to <mattkell () 00264587623 com> from
> <mattkel () 00264587623 com> H=(12.144.138.34) [12.254.177.131]
>
> If you check you will find that 002645587623.com does exist. They are
> sending out email trying to relay through other servers and the hello has
> the server's address in it.  So all they have to do is log all the
> H=(xx.xx.xx.xx)'s and they have a list of open mail relay servers.

Well, the first thing to do is to check whether this might be a legitimate
relay-testing service (e.g., something like http://www.ordb.org, with the
motivation being enabling people to block email from open relays); I doubt
it, since I've certainly never heard of them. A whois check (see
http://www.samspade.org for one convenient means of doing this) reveals that 
the registrant is "Matt Kelly", and a search for this name in
news.admin.net-abuse.* reveals
http://groups.google.com/groups?q=Matt+Kelly+group:news.admin.net-abuse.*&hl=en&scoring=r&selm=3C9FE994.B830F441%40ids.net&rnum=4
and the info that, no, this isn't legitimate, it appears to be a spammer.

> Anything we can do about these?

Well, since this is going through AT&T, according to the IP address
(translates to 12-254-177-131.client.attbi.com), complaining to them
(abuse () attbi com) would be a start. Complaining to venturesonline.com (who
hosts 00264587623.com) might also help, except that from the evidence
locatable via news.admin.net-abuse.*, they appear not to care about spamming
et al (I might mention that venturesonline.com blocks are listed on multiple
blacklists, including SPEWS (see http://www.spews.org)), so going to their
upstream, bbnplanet.net, might help - abuse () genuity net.

        -Allen

-- 
Allen Smith                     http://cesario.rutgers.edu/easmith/
September 11, 2001              A Day That Shall Live In Infamy II
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
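
One way to spot the pattern described in the thread above (a refused relay attempt whose HELO carries the receiving server's own address), as an added example that is not part of the original messages. The log lines, addresses and the `find_relay_probes` name are constructed for illustration; only the line layout follows the entry quoted above.

```python
import re
from collections import defaultdict

# Layout of the refused-relay entry quoted in the thread (one line in the real log):
#   DATE TIME refused relay (host) to <rcpt> from <sender> H=(helo) [peer-ip]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) refused relay \(host\) "
    r"to <(?P<rcpt>[^>]*)> from <(?P<sender>[^>]*)> "
    r"H=\((?P<helo>[^)]*)\) \[(?P<peer>[0-9.]+)\]\s*$"
)
IPV4_RE = re.compile(r"^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def find_relay_probes(lines, local_addrs):
    """Group refused relay attempts whose HELO names one of our own addresses.

    Returns {peer_ip: [(timestamp, helo_ip, rcpt), ...]}.
    """
    probes = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a refused-relay entry in this layout
        helo = IPV4_RE.match(m["helo"])
        # A normal client announces its own name or address; a probe of the
        # kind described announces the address of the server being tested.
        if helo and helo.group(1) in local_addrs and helo.group(1) != m["peer"]:
            probes[m["peer"]].append((m["ts"], helo.group(1), m["rcpt"]))
    return dict(probes)


# Constructed sample input (documentation address ranges, not real hosts).
LOCAL_ADDRS = {"192.0.2.25", "192.0.2.26"}  # assumed addresses of our mail servers
SAMPLE_LOG = [
    "2002-03-29 00:14:18 refused relay (host) to <probe@tracker.example> "
    "from <probe@tracker.example> H=(192.0.2.25) [198.51.100.7]",
    "2002-03-29 00:15:02 refused relay (host) to <probe@tracker.example> "
    "from <probe@tracker.example> H=(192.0.2.26) [198.51.100.7]",
    "2002-03-29 00:20:41 refused relay (host) to <user@other.example> "
    "from <bob@client.example> H=(pc1.client.example) [203.0.113.9]",
    "2002-03-29 00:21:00 refused relay (host) to <x@other.example> "
    "from <y@other.example> H=(203.0.113.50) [203.0.113.50]",
]

if __name__ == "__main__":
    for peer, hits in find_relay_probes(SAMPLE_LOG, LOCAL_ADDRS).items():
        print(peer, len(hits), "probe(s):", hits)
```

Grouping by connecting address gives the per-source evidence to attach to an abuse report of the kind suggested in the reply.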

