2012-10-31
Some stats and notes on relay attempts for our external mail gateway
After discovering something attempting some open relay checks, I got curious about whether this was a one-off or if there were clear signs of other open relay checks. To give you a spoiler, the answer is that I can't completely tell because there is a bunch of noise in my data (and on top of that I'm not sure how to analyze it), but it seems possible.
What I can easily get from Exim's logs is triples of IP address, MAIL FROM, and RCPT TO for rejected relay attempts. I have no good way to reconstruct these into sessions, so I can't easily tell someone connecting five times and making a single relay attempt each time apart from someone connecting once and trying a whole series of RCPT TOs.
(I admit that somewhere around here it becomes very tempting to pour all of this data into SQLite and start doing ad hoc queries, because I could really use some GROUP BY clauses right now.)
My raw data covers about 90 days of logs and has 18,290 such triples. These relay attempts come from 1880 different source IPs; out of these, 540 IPs only occur once (so they connected, did a MAIL FROM and a RCPT TO, got a failure, and gave up). Almost all of the origin/destination address pairs are unique (the big exception is test@live.com and its Yahoo destination), but there is a little bit of duplication in RCPT TO addresses (and almost none in MAIL FROMs). At a minimum there appears to be some well-written spam software that immediately gives up if it gets a relaying denied message, rather than trying multiple RCPT TOs.
The most active source IPs used multiple MAIL FROMs. For example, the single most active source IP used 23 different MAIL FROMs, almost all of them with multiple RCPT TOs. This I take to be genuine attempts to use us as a relay without particularly noticing (or caring) that none of them work. A few IP addresses tried repeatedly to forge valid local addresses as the MAIL FROMs on their relay attempts, perhaps in an attempt to increase the odds that we'd allow them through; the addresses were all administrative ones like root, info, admin, and so on. It's possible that these were relay probes, because they all seem to have had RCPT TOs of the same addresses (e.g., one IP would try a whole bunch of different local MAIL FROMs, all RCPT TO'ing the same remote address). A few people tried the null sender as a MAIL FROM.
(From previous stats I know that spammers forge a lot of bad local usernames on their MAIL FROMs, although that may not be for relay attempts.)
The top destination domains are mostly Asian. Counting only unique would-be recipients (of which there were 17500), the top five domains are:
| Unique recipients | Domain |
|---:|---|
| 1806 | yahoo.co.jp |
| 1435 | hanta.co.kr |
| 395 | yahoo.com.tw |
| 271 | gmail.com |
| 264 | ezweb.ne.jp |
There were 3104 unique senders and their top five origin domains look sort of similar, but much more evenly distributed:
| Unique senders | Domain |
|---:|---|
| 255 | yahoo.co.jp |
| 202 | yahoo.com |
| 160 | ezweb.ne.jp |
| 158 | hotmail.com |
| 155 | docomo.ne.jp |
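As an added worked example (not the entry's own tooling), here is a Python script that pulls the same (IP, MAIL FROM, RCPT TO) triples out of Exim-style "relay not permitted" reject lines and computes the counts discussed above: per-IP totals, one-shot IPs, null-sender attempts, forged local senders, and the top domains over unique addresses. The log line format, the sample lines, the addresses and the gateway domain gateway.example are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of Exim's main log for rejected relay
# attempts (assumed format; the real logs are not reproduced). The last line
# is an ordinary accepted message and must be ignored.
SAMPLE_LOG = """\
2012-10-15 03:11:02 H=(mx1) [198.51.100.7] F=<a@yahoo.co.jp> rejected RCPT <b@yahoo.co.jp>: relay not permitted
2012-10-15 03:11:05 H=(mx1) [198.51.100.7] F=<a@yahoo.co.jp> rejected RCPT <c@hanta.co.kr>: relay not permitted
2012-10-15 03:11:09 H=(mx1) [198.51.100.7] F=<a@yahoo.co.jp> rejected RCPT <g@yahoo.co.jp>: relay not permitted
2012-10-15 04:20:44 H=(pc) [203.0.113.9] F=<test@live.com> rejected RCPT <d@yahoo.com>: relay not permitted
2012-10-16 09:01:13 H=(pc) [203.0.113.9] F=<root@gateway.example> rejected RCPT <d@yahoo.com>: relay not permitted
2012-10-16 10:30:00 H=(x) [192.0.2.44] F=<> rejected RCPT <e@ezweb.ne.jp>: relay not permitted
2012-10-16 10:31:00 H=(x) [192.0.2.44] 250 OK id=1ABC-0001
"""
LOCAL_DOMAIN = "gateway.example"  # placeholder for the gateway's own domain
RELAY_RE = re.compile(r"\[(?P<ip>[\d.]+)\] F=<(?P<sender>[^>]*)> rejected RCPT "
                      r"<(?P<rcpt>[^>]+)>: relay not permitted")

def parse_triples(log_text):
    """Extract (source IP, MAIL FROM, RCPT TO) for every relay rejection line."""
    out = []
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            out.append((m["ip"], m["sender"].lower(), m["rcpt"].lower()))
    return out

def domain(addr):
    return addr.rpartition("@")[2]

def summarize(triples, top=5):
    """The per-IP and per-domain counts the entry discusses."""
    per_ip = Counter(ip for ip, _, _ in triples)
    senders = {s for _, s, _ in triples if s}  # drop the null sender
    rcpts = {r for _, _, r in triples}
    return {
        "triples": len(triples),
        "source_ips": len(per_ip),
        "one_shot_ips": sorted(ip for ip, n in per_ip.items() if n == 1),
        "null_sender_attempts": sum(1 for _, s, _ in triples if not s),
        "forged_local_senders": sorted(s for s in senders if domain(s) == LOCAL_DOMAIN),
        "unique_recipients": len(rcpts),
        "top_rcpt_domains": Counter(map(domain, rcpts)).most_common(top),
        "top_sender_domains": Counter(map(domain, senders)).most_common(top),
    }
```

Run `summarize(parse_triples(SAMPLE_LOG))` (or feed it a real mainlog) to get the dictionary of counts; the GROUP BY queries mentioned above reduce to the Counter calls here.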
I think that this is as much random bits and pieces as I want to throw out right now. Part of my problem is that I'm not sure what useful or interesting statistics I can generate from this data, although it feels like there should be something interesting there.
2012-10-28
Some unusual SMTP activity from would-be spammers
For reasons beyond the scope of this entry, on some systems I watch SMTP logs in fair detail. One result of this is that every so often I see a burst of unusual SMTP activity (for example). Recently I saw a bunch of SMTP attempts over two days that looked like this:
```
24934# remote from [165.228.246.237]
24934r EHLO [192.168.2.33]
24934w 550 Unknown command 'EHLO'
24934r MAIL FROM: <test@live.com>
24934w 503 Waiting for HELO command
24934r QUIT
```
They came from a wide variety of sources but all did this identical sequence of commands (and all used the same EHLO greeting). One of the interesting things about this is that whatever is behind this shows some awareness of SMTP and is not just blindly sending commands; it notices that the MAIL FROM fails and QUITs, although it's not willing to try a HELO after the EHLO fails.
(Yes, I'm still running an SMTP server so old that it doesn't understand EHLO. This has interesting consequences sometimes.)
What's going on might have stayed a mystery but for another system here, which has less complete logs but accepts EHLO commands. Over the same two-day period, its logs show a burst of attempts to relay from test@live.com to a Yahoo email address, all with this same EHLO. The obvious conclusion is that someone has fired up some large-scale software to look for open relays (relatively crude software at that, especially since it repeatedly probed the same machines).
(I don't think that this was an attempt to use us as an open relay; those usually try sending to a whole bunch of different remote addresses.)
All of this makes me wonder how many open relays there still are out there in the world. My impression used to be that open relays had gone away years ago, but perhaps it's just that the noise of spam from open relays was drowned out by the noise of spam from other sources. After all, the Internet is no longer a place where most of the machines on it are servers.