Security Incidents mailing list archives
Re: SMTP Scans
From: "Kurt Seifried" <bt () seifried org>
Date: Thu, 24 Apr 2003 12:43:20 -0700
For the last few months our ISP (BT) has apparently been scanning our mail servers for open relays, this is happening up to 12 times a day across both Primary & Secondary mail servers.I don't condone this, but this is fairly common practice amongst UK ISPs. Regards, Mally Mclane RIPE NCC - OperationsWhy the aggressive schedule? For your "commercial" (as in - not end user) IP space, I would think that weekly or monthly should be sufficient. Especailly considering that, as your ISP, they know the IP addresses of your mail servers, I find this to be excessive and would really like to know what they think they are combating. It sounds like another bean counter making technical decisions again.
Daily scans = up to 24 hours of spam email. Weekly scans = up to 168 hours of spam email. Scans every 2 hours = a LOT less spam email sent through an open relay. We're talking broadband here, a lot of email can be sent if the server is pumping it flat out for a day or a week or a month. Remember that the threat model here mostly consists of customers setting up a new server as an open relay, or accidently configuring an existing system as an open relay (witness the thread on upgrading exchange and opening up relaying). Or to put it this way: why do you think earthlink, aol and a LOT of spam packages label email from cablemodem, dsl and other broadband network blocks as spam? Hint: it has to do with all the spam coming from them. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- Re: SMTP Scans Hoof Hearted (Apr 21)
- RE: SMTP Scans Rob Shein (Apr 22)
- RE: SMTP Scans Mally Mclane (Apr 22)
- RE: SMTP Scans Jimi Thompson (Apr 24)
- Re: SMTP Scans Kurt Seifried (Apr 25)
- RE: SMTP Scans Mally Mclane (Apr 22)
- RE: SMTP Scans paul (Apr 28)
- RE: SMTP Scans Rob Shein (Apr 22)
- <Possible follow-ups>
- RE: SMTP Scans Luc Somers (Apr 23)
- Re: SMTP Scans Hoof Hearted (Apr 28)
- Re: SMTP Scans Chris Boyd (Apr 29)