Security Incidents mailing list archives

RE: SMTP Scans


From: <paul () doevil com>
Date: Sat, 26 Apr 2003 15:09:35 +0800

Scanning for better or worse may look suspicious... 

I would raise the issue with BT and ...

then ip route host x.x.x.x Null0 on the edge router... 

No more processing/logging on the firewall or IDS...

Paul 


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Tuesday, April 22, 2003 6:51 AM
To: 'Hoof Hearted'; incidents () securityfocus com
Subject: RE: SMTP Scans


The question that first comes to mind is, are you sure this
is BT-sponsored activity?  What has the ISP response been, 
and in what way was it vague? The few later connect attempts 
from what should be a RADIUS server are kind of odd for an 
open relay scan.  Also, is the abuse email address for BT 
actually bt.abuse () bt com, or is it just abuse () bt com?  It 
could be someone with a cheesy police uniform rattling doors, 
hoping that nobody recognizes his true intent... 

-----Original Message-----
From: Hoof Hearted [mailto:capbligh2001 () hotmail com]
Sent: Sunday, April 20, 2003 7:07 AM
To: incidents () securityfocus com
Subject: Re: SMTP Scans


Hi All,

Firstly, thanks to the Moderator for bouncing the 1st draft of this :-) my thoughts and comments after being woken for the 3rd night in a row with my IDS going off produced more vitriol than coherence and were, on reflection, best not posted. Hopefully this draft is more informative.

I'd appreciate any thoughts from list subscribers on the following:

For the last few months our ISP (BT) has apparently been scanning our mail servers for open relays; this is happening up to 12 times a day across both Primary & Secondary mail servers.

My concerns are twofold; firstly, that I see no good reason to run the scans so frequently; and secondly, by nominating the postmaster account and attempting to gain access to it (to my mind) it goes from a relay scan (something I find marginally acceptable) to an attempted hack (something I definitely do NOT find acceptable).

To attempt an analogy, I view this as similar to a Policeman rattling doors. I'm sure few would object to any Policeman checking to see if doors are locked; however, there's a big difference between 'rattling doors' and 'attempting to gain entry'.

It may well be that the scans are entirely innocent; the problem is that they look decidedly suspicious in the logs. For example, why would an ISP like BT use one of its ADSL accounts to scan its customers? If I were doing the scanning, I'd ensure the scanning box was called something like 'openrelayscan.bt.com', ergo something easily identifiable and verifiable.

To compound matters the ISP response has been vague.

MailServer Logs (BST)

03/10/2003 15:38:31-0X0758-SMTP: Incoming connection detected..
03/10/2003 15:38:31-0X0758-SMTP: 03/10/2003 15:38:31-Spawning server thread for socket [240]..
03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 217.32.108.165..
03/10/2003 15:38:31-0X06F0-RBL: IP testing for [217.32.108.165]
03/10/2003 15:38:31-0X06F0-RBL: Testing 165.108.32.217.sbl.spamhaus.org
03/10/2003 15:38:31-0X06F0-RBL: DUL Testing 165.108.32.217.list.dsbl.org
03/10/2003 15:38:32-0X06F0-SMTP: Sending 'service ready' to receiver on socket [240]..
03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse () bt com against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse
03/10/2003 15:38:32-0X06F0-SMTP: Address [<bt.abuse>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@x.x.x.x
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@x.x.x.x against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@[x.x.x.x]
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@[x.x.x.x] against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
03/10/2003 15:38:32-0X06F0-SMTP: Address [<postmaster>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: Bypassing UBE test..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
03/10/2003 15:38:32-0X06F0-SMTP: Closing connection on socket [240]..
03/10/2003 15:38:32-0X06F0-SMTP: Exiting thread for socket [240]..

Firewall Logs (BST)

2003/04/11 15:51:18 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 01:12:53 217.32.108.165:41035 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 12:15:06 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 23:06:15 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 15:43:45 217.32.108.165:38238 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 15:56:26 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 18:26:56 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 23:01:11 217.32.108.165:50834 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 15:47:40 217.32.108.165:52725 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 01:28:47 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 00:46:48 217.32.108.165:63777 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 15:52:49 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 23:52:46 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 00:00:14 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 13:23:45 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 15:49:18 217.32.108.165:51404 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:52:38 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:54:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:55:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 23:05:48 217.32.108.165:51612 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED



--------------------------------------------------------------
--------------
Attend Black Hat Briefings & Training Europe, May 12-15 in
Amsterdam, the 
world's premier event for IT and network security experts.  
The two-day 
Training features 6 hand-on courses on May 12-13 taught by 
professionals.  
The two-day Briefings on May 14-15 features 24 top speakers 
with no vendor 
sales pitches.  Deadline for the best rates is April 25.  
Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
--------------------------------------------------------------
--------------









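As an added example (not code from any poster in this thread), a small Python detector that reconstructs SMTP sessions from log lines in the shape of the mail-server log quoted above and flags the open-relay probe pattern it shows: several MAIL FROM identities tried on one connection with RSET between them, while every RCPT TO names a domain the server does not host. The sample lines are constructed with example.* placeholders, and the set of locally hosted domains is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the mail-server log above (not the
# original log; addresses replaced with example.* placeholders). Socket 240 is
# a relay probe, socket 241 a legitimate delivery to a hosted domain.
SAMPLE_LOG = """\
03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:probe@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:probe@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:probe
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:probe@example.net
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
03/10/2003 15:40:01-0X0A11-SMTP: (State=1) on socket [241] Got HELO mail.example.org
03/10/2003 15:40:01-0X0A11-SMTP: (State=2) on socket [241] Got MAIL FROM:alice@example.org
03/10/2003 15:40:01-0X0A11-SMTP: (State=3) on socket [241] Got RCPT TO:bob@example.com
03/10/2003 15:40:02-0X0A11-SMTP: (State=2) on socket [241] Got QUIT
"""

LOCAL_DOMAINS = {"example.com"}  # assumed: domains this server accepts mail for
LINE_RE = re.compile(r"on socket \[(\d+)\] Got (HELO|MAIL|RCPT|RSET|QUIT)(?: FROM:| TO:| )?(.*)$")

def parse_sessions(log_text):
    """Group the 'Got <verb>' lines by socket into ordered (verb, argument) lists."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions[m.group(1)].append((m.group(2), m.group(3).strip()))
    return sessions

def is_relay_probe(cmds, min_senders=3):
    """True when one connection rotates through several MAIL FROM identities
    (RSET between them) and every RCPT TO names a domain we do not host."""
    senders = {arg for verb, arg in cmds if verb == "MAIL"}
    rcpts = [arg for verb, arg in cmds if verb == "RCPT"]
    resets = sum(1 for verb, _ in cmds if verb == "RSET")
    if not rcpts or resets == 0 or len(senders) < min_senders:
        return False
    return all(r.strip("<>").rpartition("@")[2].lower() not in LOCAL_DOMAINS for r in rcpts)

def flag_probes(log_text):
    """Socket numbers of sessions that look like open-relay tests."""
    return sorted(s for s, cmds in parse_sessions(log_text).items() if is_relay_probe(cmds))
```

Correlating the flagged sockets with the "Remote IP" line for the same socket gives the source to raise with the ISP, without having to read the session by hand.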
