Re: Email Relay Searches

From: Allen Smith (easmithat_private)
Date: Fri Mar 29 2002 - 21:21:58 PST


    On Mar 29,  6:56pm, Pat Moffitt wrote:
    > I have been seeing a few of these and find them, well, interesting.
    > 
    > 2002-03-29 00:14:18 refused relay (host) to <mattkellat_private> from
    > <mattkelat_private> H=(12.144.138.34) [12.254.177.131]
    > 
    > If you check you will find that 002645587623.com does exist. They are
    > sending out email trying to relay through other servers and the hello has
    > the server's address in it.  So all they have to do is log all the
    > H=(xx.xx.xx.xx)'s and they have a list of open mail relay servers.
    
    Well, the first thing to do is to check whether this might be a legitimate
    relay-testing service (e.g., something like http://www.ordb.org, with the
    motivation being enabling people to block email from open relays); I doubt
    it, since I've certainly never heard of them. A whois check (see
    http://www.samspade.org for one convenient means of doing this) reveals that 
    the registrant is "Matt Kelly", and a search for this name in
    news.admin.net-abuse.* reveals
    http://groups.google.com/groups?q=Matt+Kelly+group:news.admin.net-abuse.*&hl=en&scoring=r&selm=3C9FE994.B830F441%40ids.net&rnum=4
    and the info that, no, this isn't legitimate, it appears to be a spammer.
    
    > Anything we can do about these?
    
    Well, since this is going through AT&T, according to the IP address
    (translates to 12-254-177-131.client.attbi.com), complaining to them
    (abuseat_private) would be a start. Complaining to venturesonline.com (who
    hosts 00264587623.com) might also help, except that from the evidence
    locatable via news.admin.net-abuse.*, they appear not to care about spamming
    et al (I might mention that venturesonline.com blocks are listed on multiple
    blacklists, including SPEWS (see http://www.spews.org)), so going to their
    upstream, bbnplanet.net, might help - abuseat_private
    
    	-Allen
    
    -- 
    Allen Smith			http://cesario.rutgers.edu/easmith/
    September 11, 2001		A Day That Shall Live In Infamy II
    "They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety." - Benjamin Franklin
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
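
Added example (not part of the original messages): one way to pull this pattern out of a mail log, flagging refused-relay entries whose HELO argument is one of the receiving server's own addresses and grouping them by connecting client so they can go into an abuse report. It assumes entries shaped like the log line quoted above; the function names, the sample entries and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
# Entry shape taken from the log line quoted in the post.
ENTRY = re.compile(
    rf"^(?P<ts>{TS}) refused relay \(host\) to <(?P<rcpt>[^>]*)> "
    r"from <(?P<sender>[^>]*)> H=\((?P<helo>[^)]*)\) \[(?P<client>[^\]]+)\]$"
)
# Constructed sample: documentation addresses; first entry wrapped as in the post.
SAMPLE_LOG = """\
2002-03-29 00:14:18 refused relay (host) to <a@example.net> from
<a@example.net> H=(192.0.2.25) [198.51.100.7]
2002-03-29 00:20:02 refused relay (host) to <b@example.org> from <c@example.com> H=(mail.example.com) [203.0.113.9]
2002-03-29 01:02:44 refused relay (host) to <a@example.net> from <a@example.net> H=(192.0.2.25) [198.51.100.7]
"""

def unwrap(lines):
    """Rejoin entries whose tail was wrapped onto a continuation line."""
    entry = None
    for line in (l.strip() for l in lines):
        if re.match(TS, line):
            if entry is not None:
                yield entry
            entry = line
        elif entry is not None and line:
            entry += " " + line
    if entry is not None:
        yield entry

def as_ip(text):
    """Parse '192.0.2.25' or '[192.0.2.25]'; return None for host names."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def find_relay_probes(lines, own_addresses):
    """Map client IP -> refused entries whose HELO named one of our own IPs."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    probes = defaultdict(list)
    for entry in unwrap(lines):
        m = ENTRY.match(entry)
        if m and as_ip(m["helo"]) in own:
            probes[m["client"]].append((m["ts"], m["sender"], m["rcpt"]))
    return dict(probes)
```

Calling `find_relay_probes(SAMPLE_LOG.splitlines(), ["192.0.2.25"])` returns the two entries from 198.51.100.7 and skips the refusal whose HELO is an ordinary host name.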
    



    This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 21:52:07 PST