Security Incidents mailing list archives

Re: SMTP Scans


From: "Hoof Hearted" <capbligh2001 () hotmail com>
Date: Sun, 20 Apr 2003 11:07:04 +0000

Hi All,

Firstly, thanks to the Moderator for bouncing the 1st draft of this :-) my thoughts and comments after being woken for the 3rd night in a row with my IDS going off produced more vitriol than coherence and were, on reflection, best not posted. Hopefully this draft is more informative.

I'd appreciate any thoughts from list subscribers on the following:

For the last few months our ISP (BT) has apparently been scanning our mail servers for open relays; this is happening up to 12 times a day across both Primary & Secondary mail servers.

My concerns are twofold; firstly, that I see no good reason to run the scans so frequently; and secondly, by nominating the postmaster account and attempting to gain access to it (to my mind) it goes from a relay scan (something I find marginally acceptable) to an attempted hack (something I definitely do NOT find acceptable).

To attempt an analogy, I view this as similar to a Policeman rattling doors. I'm sure few would object to any Policeman checking to see if doors are locked; however, there's a big difference between 'rattling doors' and 'attempting to gain entry'.

It may well be that the scans are entirely innocent; the problem is that they look decidedly suspicious in the logs. For example, why would an ISP like BT use one of its ADSL accounts to scan its customers? If I were doing the scanning, I'd ensure the scanning box was called something like 'openrelayscan.bt.com', ergo something easily identifiable and verifiable.

To compound matters the ISP response has been vague.

MailServer Logs (BST)

03/10/2003 15:38:31-0X0758-SMTP: Incoming connection detected..
03/10/2003 15:38:31-0X0758-SMTP: 03/10/2003 15:38:31-Spawning server thread for socket [240]..
03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 217.32.108.165..
03/10/2003 15:38:31-0X06F0-RBL: IP testing for [217.32.108.165]
03/10/2003 15:38:31-0X06F0-RBL: Testing 165.108.32.217.sbl.spamhaus.org
03/10/2003 15:38:31-0X06F0-RBL: DUL Testing 165.108.32.217.list.dsbl.org
03/10/2003 15:38:32-0X06F0-SMTP: Sending 'service ready' to receiver on socket [240]..
03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse () bt com against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse
03/10/2003 15:38:32-0X06F0-SMTP: Address [<bt.abuse>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@x.x.x.x
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@x.x.x.x against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@[x.x.x.x]
03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@[x.x.x.x] against black list d:\ezmts\blacklist.txt..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
03/10/2003 15:38:32-0X06F0-SMTP: Address [<postmaster>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: Bypassing UBE test..
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse () bt com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse () bt com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
03/10/2003 15:38:32-0X06F0-SMTP: Closing connection on socket [240]..
03/10/2003 15:38:32-0X06F0-SMTP: Exiting thread for socket [240]..

Firewall Logs (BST)
_____________

2003/04/11 15:51:18 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 01:12:53 217.32.108.165:41035 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 12:15:06 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 23:06:15 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 15:43:45 217.32.108.165:38238 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 15:56:26 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 18:26:56 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 23:01:11 217.32.108.165:50834 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 15:47:40 217.32.108.165:52725 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 01:28:47 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 00:46:48 217.32.108.165:63777 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 15:52:49 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/15 23:52:46 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 00:00:14 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 13:23:45 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 15:49:18 217.32.108.165:51404 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:52:38 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:54:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:55:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 23:05:48 217.32.108.165:51612 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
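As an added example (not part of the original post), a short Python parser over log lines constructed in the same format as the mail server log above: it groups lines by worker thread and flags sessions that cycle through several envelope-sender forms (full address, address@[IP], the null sender) while every RCPT TO is rejected with a 550, which is the signature the post describes. Addresses and IPs in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the EZ-MTS log format shown in the post; one worker
# thread (the 0X.... field) serves one connection, so it is the session key.
SAMPLE_LOG = """\
03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 192.0.2.10..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:probe@example.com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:probe@example.com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <probe@example.com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:probe@[192.0.2.10]
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:probe@example.com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <probe@example.com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:probe@example.com
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <probe@example.com>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
03/10/2003 15:40:01-0X0A11-SMTP: Remote IP = 198.51.100.7..
03/10/2003 15:40:01-0X0A11-SMTP: (State=2) on socket [241] Got MAIL FROM:alice@example.net
03/10/2003 15:40:01-0X0A11-SMTP: (State=3) on socket [241] Got RCPT TO:bob@example.org
"""

LINE_RE = re.compile(r"^\S+ [\d:]+-(0X[0-9A-F]+)-SMTP: (.*)$")

def summarise_sessions(log_text):
    """Per worker thread: remote IP, distinct MAIL FROM forms, RCPT count, 550 count."""
    sessions = defaultdict(lambda: {"ip": None, "senders": set(), "rcpt": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # RBL lines and other non-SMTP chatter are ignored
        s, msg = sessions[m.group(1)], m.group(2)
        if msg.startswith("Remote IP = "):
            s["ip"] = msg[len("Remote IP = "):].rstrip(".")
        elif "Got MAIL FROM:" in msg:
            s["senders"].add(msg.split("Got MAIL FROM:", 1)[1].strip())
        elif "Got RCPT TO:" in msg:
            s["rcpt"] += 1
        elif " 550 " in msg:
            s["rejected"] += 1
    return sessions

def relay_probes(log_text, min_senders=3):
    """Sessions that try several sender forms and never get a recipient accepted."""
    hits = []
    for tid, s in summarise_sessions(log_text).items():
        if len(s["senders"]) >= min_senders and s["rcpt"] and s["rejected"] == s["rcpt"]:
            hits.append((tid, s["ip"], sorted(s["senders"])))
    return hits
```

Counting how many flagged sessions a source IP produces per day gives the "up to 12 times a day" figure directly from the logs rather than from the IDS alerts.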
