[lug] Relay attacks

[Bear Giles]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Nagler wrote:
| Every day, the same people try to relay via my machines:
| >
| Don't they ever give up?  They seem to hit all machines with open SMTP
| ports.

You got it.  They are scanning the entire IP address space and
exploiting any open relay they find.  A while back I was joe-jobbed and
spoke to a fair number of sites because, *cough*, I was not amused that
they were sending out criminally fradulent email using my company's
domain.  That's not just spam, that's criminal impersonation and I made
myself enough of a pain that the matter was at least investigated by the
skeptical IT departments (when they existed).

Most sites were clueless MS Exchange users.  Often hosted by Qworst.
(N.B., that's BY Qworst, not AT Qworst.  I guess they laid off all of
the  competent techies so Nacchio could make an extra million or two on
his bonuses.)

But some open relays were owned by companies with a compelling business
reason to take security seriously.  They flat-out denied that they could
~ have an open relay, then sheepishly admitted that they had one.  They
never bothered to scan their own network for unauthorized SMTP servers,
but the spammers found it.

In at least one case we found an open relay on a Cisco(?) router(?).
Definitely not a Wintel box.  Again, the owner was security-conscious
but never bothered to do a port scan on his own network.

BTW, I searched for the same messages in my own logs, and found a number
of copies sent by other companies.  All were "dead" - companies that had
~ folded, or merged years ago.  In other words, domains unlikely to have
anyone monitoring bounce messages.  They didn't realize that my domain
is active, but I've never bothered to set up a public web server for it
since I'm primarily interested in email.

| It's not really a big deal, but I'm a paranoid sort.  There
| must be millions of open SMTP ports on the Internet.  They can't pick
| them all everyday, can they?

If you were looking at million-dollar fines or even hard time in federal
prison for the stuff you sent out, wouldn't you consider the effort
required to scan large chunks of the internet for open relays to cover
your tracks well worth it?

That's not an exaggeration - I'm sure I'm not the only person who got a
bunch of spam on cheap insurance.  In some cases you *can* get cheap
insurance from them since they've cut unnecessary costs, e.g., any and
all claims, or even keeping the same address or phone number for more
than a few weeks.  By the time you learn this, it's too late to replace
your existing insurance.

Likewise, I suspect that many of these "approved credit card" and
"low-rate mortgage" offers are actually fronts for identity theft.

This is an area where us old-timers are at a disadvantage to the
newbies.  I suspect most of us still think of spam as mostly a
small-time operation, like that total loser who is whining that he got
hit with a $100k judgement in Washington State when he only made
$600-odd dollars after sending out millions of messages on how to get
rich via spam.  But there are some nasty players moving in who are
motivated by real money... and our ignorance of ancient scams dressed up
in new eSheep's clothing.

Bear
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9s3l4mr0uXf8FxOURAjzKAJ4p5MJrgH4FiQW+v4rLJ4POMKR63QCfcbty
VZ46o9+X1fBtozIeBkFep1I=
=WuqR
-----END PGP SIGNATURE-----