Some stats and notes on relay attempts for our external mail gateway

October 31, 2012

After discovering something attempting some open relay checks, I got curious about whether this was a one-off or if there were clear signs of other open relay checks. To give you a spoiler, the answer is that I can't completely tell because there is a bunch of noise in my data (and on top of that I'm not sure how to analyze it), but it seems possible.

What I can easily get from Exim's logs is triples of IP address, MAIL FROM, and RCPT TO for rejected relay attempts. I have no good way to reconstruct these into sessions, so it's not easy to tell someone connecting five times and making a single relay attempt each time apart from someone connecting once and trying a whole series of RCPT TOs.

(I admit that somewhere around here it becomes very tempting to pour all of this data into SQLite and start doing ad hoc queries, because I could really use some GROUP BY clauses right now.)

My raw data covers about 90 days of logs and has 18,290 such triples. These relay attempts come from 1880 different source IPs; out of these, 540 IPs only occur once (so they connected, did a MAIL FROM and a RCPT TO, got a failure, and gave up). Almost all of the origin/destination address pairs are unique (the big exception is test@live.com and its Yahoo destination), but there is a little bit of duplication in RCPT TO addresses (and almost none in MAIL FROMs). At a minimum there appears to be some well-written spam software that immediately gives up if it gets a relaying denied message, rather than trying multiple RCPT TOs.

The most active source IPs used multiple MAIL FROMs. For example, the single most active source IP used 23 different MAIL FROMs, almost all of them with multiple RCPT TOs. This I take to be genuine attempts to use us as a relay without particularly noticing (or caring) that none of them work. A few IP addresses tried repeatedly to forge valid local addresses as the MAIL FROMs on their relay attempts, perhaps in an attempt to increase the odds that we'd allow them through; the addresses were all administrative ones like root, info, admin, and so on. It's possible that these were relay probes, because they all seem to have had RCPT TOs of the same addresses (e.g., one IP would try a whole bunch of different local MAIL FROMs, all RCPT TO'ing the same remote address). A few people tried the null sender as a MAIL FROM.

(From previous stats I know that spammers forge a lot of bad local usernames on their MAIL FROMs, although that may not be for relay attempts.)

The top destination domains are mostly Asian. Counting only unique would-be recipients (of which there were 17500), the top five domains are:

1806 yahoo.co.jp
1435 hanta.co.kr
395 yahoo.com.tw
271 gmail.com
264 ezweb.ne.jp

There were 3104 unique senders and their top five origin domains look sort of similar, but much more evenly distributed:

255 yahoo.co.jp
202 yahoo.com
160 ezweb.ne.jp
158 hotmail.com
155 docomo.ne.jp
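As an added example (not code from the original post), here is the GROUP BY-style tally described above done in Python: it pulls the (source IP, MAIL FROM, RCPT TO) triples out of Exim's reject log lines and computes the per-IP, forged-local-sender, null-sender and top-domain figures. It assumes Exim's usual "rejected RCPT <addr>: relay not permitted" reject line with an IPv4 source; the sample log lines and the local domain ourdomain.example are constructed for the example.

```python
import re
from collections import Counter

# Approximate Exim reject-log shape for a denied relay; sample lines are constructed.
RELAY_RE = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[0-9.]+)\].*? F=<(?P<from>[^>]*)> "
    r"rejected RCPT <(?P<to>[^>]+)>: relay not permitted"
)

SAMPLE_LOG = """\
2012-10-30 03:12:01 H=(mx.example.net) [192.0.2.10] F=<a@yahoo.co.jp> rejected RCPT <b@yahoo.co.jp>: relay not permitted
2012-10-30 03:12:02 H=(mx.example.net) [192.0.2.10] F=<a@yahoo.co.jp> rejected RCPT <c@hanta.co.kr>: relay not permitted
2012-10-30 03:12:03 H=(mx.example.net) [192.0.2.10] F=<root@ourdomain.example> rejected RCPT <c@hanta.co.kr>: relay not permitted
2012-10-30 03:12:04 H=(mx.example.net) [192.0.2.10] F=<admin@ourdomain.example> rejected RCPT <d@hanta.co.kr>: relay not permitted
2012-10-30 04:00:00 H=(other.example) [198.51.100.7] F=<test@live.com> rejected RCPT <x@yahoo.com.tw>: relay not permitted
2012-10-30 05:00:00 H=(other.example) [198.51.100.7] F=<> rejected RCPT <y@gmail.com>: relay not permitted
2012-10-30 06:00:00 H=(once.example) [203.0.113.5] F=<z@hotmail.com> rejected RCPT <q@ezweb.ne.jp>: relay not permitted
2012-10-30 06:00:01 1TrQvd-0001aa-Bx <= unrelated@example.org H=(h) [192.0.2.99] P=esmtp S=1234
"""

def parse_triples(text):
    """Extract (source IP, MAIL FROM, RCPT TO) for each rejected relay attempt."""
    triples = []
    for line in text.splitlines():
        m = RELAY_RE.search(line)
        if m:  # lines for other events (deliveries, auth, ...) are skipped
            triples.append((m["ip"], m["from"].lower(), m["to"].lower()))
    return triples

def domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else "<null>"  # null sender

def summarize(triples, local_domain):
    """The GROUP BY-style figures the post tallies by hand."""
    per_ip = Counter(ip for ip, _, _ in triples)
    froms_per_ip = Counter(ip for ip, _ in {(ip, f) for ip, f, _ in triples})
    senders = {frm for _, frm, _ in triples}
    recipients = {to for _, _, to in triples}
    return {
        "triples": len(triples),
        "source_ips": len(per_ip),
        "one_shot_ips": sum(1 for n in per_ip.values() if n == 1),
        "max_froms_one_ip": max(froms_per_ip.values()),
        "forged_local_froms": sum(1 for f in senders if f.endswith("@" + local_domain)),
        "null_sender_attempts": sum(1 for _, f, _ in triples if f == ""),
        "unique_senders": len(senders),
        "unique_recipients": len(recipients),
        "top_rcpt_domains": Counter(domain(r) for r in recipients).most_common(3),
        "top_from_domains": Counter(domain(s) for s in senders).most_common(3),
    }
```

Run `summarize(parse_triples(open("/var/log/exim4/rejectlog").read()), "your.domain")` against a real reject log to get the same figures for your own gateway.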

I think that this is as much random bits and pieces as I want to throw out right now. Part of my problem is that I'm not sure what useful or interesting statistics I can generate from this data, although it feels like there should be something interesting there.


Last modified: Wed Oct 31 01:15:43 2012