On Thu, 16 Jun 2005, Tony Finch wrote:

> On Wed, 15 Jun 2005, Dean Anderson wrote:
> >
> > What sort of mail volume do you handle? 2000-4000 attempts isn't a lot
> > for a large volume domain handling millions of messages per day.
>
> About 250K legit messages each day, and about a million junk messages.
> Yes, it isn't a very large proportion of our total volume, but I would
> expect that to change rapidly if the probes were successful.

Yes, indeed. It will change if the probes are successful. But it is easy to
figure out who is doing the probes. Open relay probing requires a valid
emailbox. So just queue up the probes, identify the blacklist (it's usually
something like relaytest@<blacklist>). In the rare case it is not plainly a
blacklist, send in an abuse report on the destination emailbox.

Another technique is to run non-production open relays, let them be scanned,
and see what blacklists the relays turn up on, and then start blocking (and
reporting) any IPs that try to connect to the non-production relays.

Anti-spammers also scan the /24 around any known open relay before abuse.
This behavior started shortly after I reported that I could identify abuse
with the specific blacklist that was promoting the abuse. I did this by
adding different non-production relays to different blacklists, and then
tracking the IPs and spams that came through. After that, they started to
scan the /24 immediately before abuse to obscure which blacklist was doing
the abuse. If you have enough address space, you can still conduct the tests
with each relay on a different /24. After that, they started claiming that
130.105/16 was stolen.

> > You said it is more prevalent on hosts named mail or smtp---one would at
> > minimum need a list of domains to search. Where do you suppose they
> > obtained this list?
>
> Where do you suppose they get lists of email addresses to send spam to?

That's not the same thing. Most of those lists have AOL and MSN and the top
50 or 100 or so domains. I have the spam email lists, too. The email
addresses show up in my logs and the blocked email messages' envelope
recipient lines [RP.*FD in sendmail]. That doesn't give them enough to find
very many open relays by simply adding mail or smtp to the domain names from
a list of email addresses. Open relay abuse just doesn't scale. Too much
searching, too few relays.

> > Who is doing this searching? Internal viruses?
>
> The probes are external, and appear to be mostly from compromised home
> computers. Our network is reasonably well managed and infections are
> quashed promptly.
>
> > What sort of commercial companies are abusing your open relays?
>
> You misunderstand: We don't operate open relays, but despite your claims
> about the rareness of open relay abuse, our email servers are frequently
> probed with open relay attacks. I believe you are depending on security
> through obscurity to avoid attack. One of our main outgoing relay services
> has an obscure name (ppsw.cam.ac.uk) and is probed 100 times less
> frequently than our MXs or our MSA service named smtp.hermes.cam.ac.uk.

Well, script kiddies may do many odd things. Further, if you aren't running
open relays, how do you know for certain that it's not just misconfigured
clients? "Relaying denied" is a frequent problem experienced by real
customers who aren't spammers. Adding mail or smtp to a domain is probably
something your legitimate users are doing, trying to figure out how to relay
remotely. Very likely, this represents the number of legitimate mails your
users would like to 'open relay.'

> > You also haven't shown that the abusers would be prevented from emailing
> > if open relays were closed.
>
> That's irrelevant: it's still my responsibility not to abet them.

I'm not "abetting" them. They send email no matter what. They didn't get
anything they don't already have. And in practice, it's the anti-spammers
who are abusing open relays (to teach us a lesson), not real bulk commercial
emailers.
--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
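The two posters disagree about what the "Relaying denied" entries in a mail log represent: relay probes that name the testing service in the recipient (relaytest@<blacklist>), or legitimate customers who have misconfigured their mail client. The following triage script is an added example, not code from either poster or from the IETF list. It parses sendmail-style check_rcpt rejection lines, groups them by source IP, and labels each source by whether its recipients match the probe pattern, whether it sits inside an operator-supplied customer address range, or neither. The log lines, the 192.0.2.0/24 customer range and the function names are constructed for the example; the local-part check only knows the relaytest convention the thread mentions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches a sendmail 8.x "Relaying denied" rejection logged by the check_rcpt ruleset.
# Assumption: stock sendmail log layout; other MTAs or versions need their own pattern.
RELAY_DENIED_RE = re.compile(
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<host>\S*?) ?\[(?P<ip>[0-9.]+)\].*Relaying denied"
)

# Constructed sample lines in sendmail style (not real log data).
SAMPLE_LOG = """\
Jun 16 09:12:01 mx1 sendmail[2101]: j5GDC1aa002101: ruleset=check_rcpt, arg1=<relaytest@blacklist.example>, relay=[203.0.113.7], reject=550 5.7.1 <relaytest@blacklist.example>... Relaying denied
Jun 16 09:12:05 mx1 sendmail[2102]: j5GDC5aa002102: ruleset=check_rcpt, arg1=<relaytest@blacklist.example>, relay=[203.0.113.7], reject=550 5.7.1 <relaytest@blacklist.example>... Relaying denied
Jun 16 09:30:44 mx1 sendmail[2150]: j5GDUiaa002150: ruleset=check_rcpt, arg1=<friend@example.net>, relay=dsl-42.customer.example [192.0.2.42], reject=550 5.7.1 <friend@example.net>... Relaying denied
Jun 16 09:31:02 mx1 sendmail[2151]: j5GDV2aa002151: ruleset=check_rcpt, arg1=<boss@example.org>, relay=dsl-42.customer.example [192.0.2.42], reject=550 5.7.1 <boss@example.org>... Relaying denied
Jun 16 10:02:13 mx1 sendmail[2201]: j5GE2Daa002201: ruleset=check_rcpt, arg1=<victim@example.com>, relay=[198.51.100.9], reject=550 5.7.1 <victim@example.com>... Relaying denied
Jun 16 10:05:00 mx1 sendmail[2202]: j5GE50aa002202: to=<alice@example.edu>, delay=00:00:01, mailer=local, stat=Sent
"""


def parse_relay_denials(log_text):
    """Yield (source_ip, envelope_recipient) for every Relaying-denied line.

    Lines that are not check_rcpt rejections (deliveries, other rulesets) are skipped.
    """
    for line in log_text.splitlines():
        m = RELAY_DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt")


def looks_like_relay_probe(rcpt):
    """Relay-test services use a recognisable local-part; the thread names relaytest@<blacklist>."""
    local, at, _domain = rcpt.rpartition("@")
    return bool(at) and local.lower().startswith("relaytest")


def classify_sources(log_text, customer_nets):
    """Group denials by source IP and label each source.

    customer_nets: CIDR strings for ranges where legitimate (possibly misconfigured)
    customers connect from. This is an assumed operator input, not something the log shows.
    """
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    by_ip = defaultdict(lambda: {"attempts": 0, "recipients": set(), "probe_domains": set()})
    for ip, rcpt in parse_relay_denials(log_text):
        rec = by_ip[ip]
        rec["attempts"] += 1
        rec["recipients"].add(rcpt)
        if looks_like_relay_probe(rcpt):
            # The recipient domain identifies the testing service to look up or report to.
            rec["probe_domains"].add(rcpt.rpartition("@")[2].lower())

    report = {}
    for ip, rec in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if rec["probe_domains"]:
            label = "relay-probe"             # recipient names the testing service
        elif any(addr in n for n in nets):
            label = "customer-misconfig"      # a real customer lacking SMTP AUTH / submission setup
        else:
            label = "external-relay-attempt"  # neither pattern; needs a human look
        report[ip] = {
            "label": label,
            "attempts": rec["attempts"],
            "recipients": sorted(rec["recipients"]),
            "probe_domains": sorted(rec["probe_domains"]),
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(ip, info["label"], info["attempts"], info["recipients"], info["probe_domains"])
```

The "customer-misconfig" label is only a hint: the fix for those sources is to point the user at the submission port with authentication, while a "relay-probe" source tells you which service to query or report, exactly the triage the thread describes.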