RE: SMTP Scans

From: Rob Shein (shotenat_private)
Date: Mon Apr 21 2003 - 15:50:33 PDT


    The question that first comes to mind is, are you sure this is BT-sponsored
    activity?  What has the ISP response been, and in what way was it vague?
    The few later connect attempts from what should be a RADIUS server are kind
    of odd for an open relay scan.  Also, is the abuse email address for BT
    actually bt.abuseat_private, or is it just abuseat_private?  It could be someone
    with a cheesy police uniform rattling doors, hoping that nobody recognizes
    his true intent... 
    
    -----Original Message-----
    From: Hoof Hearted [mailto:capbligh2001at_private] 
    Sent: Sunday, April 20, 2003 7:07 AM
    To: incidentsat_private
    Subject: Re: SMTP Scans
    
    
    Hi All,
    
    Firstly, thanks to the Moderator for bouncing the 1st draft of this :-) my 
    thoughts and comments after being woken for the 3rd
    night in a row with my IDS going off produced more vitriol than coherence 
    and were, on reflection, best not posted. Hopefully this draft is more 
    informative.
    
    I'd appreciate any thoughts from list subscribers on the following:
    
    For the last few months our ISP (BT) has apparently been scanning our mail 
    servers for open relays; this is happening up to 12 times a day across both 
    Primary & Secondary mail servers.
    
    My concerns are twofold; firstly, that I see no good reason to run the scans 
    so frequently; and secondly, by nominating the postmaster account and 
    attempting to gain access to it (to my mind) it goes from a relay scan 
    (something I find marginally acceptable) to an attempted hack (something I 
    definitely do NOT find acceptable).
    
    To attempt an analogy, I view this as similar to a Policeman rattling doors. 
    I'm sure few would object to any Policeman checking to see if doors are 
    locked, however, there's a big difference between 'rattling doors' and 
    'attempting to gain entry'.
    
    It may well be that the scans are entirely innocent; the problem is that 
    they look decidedly suspicious in the logs. For example, why would an ISP 
    like BT use one of its ADSL accounts to scan its customers? If I were doing 
    the scanning, I'd ensure the scanning box was called something like 
    'openrelayscan.bt.com', ergo something easily identifiable and verifiable.
    
    To compound matters the ISP response has been vague.
    
    MailServer Logs (BST)
    
    03/10/2003 15:38:31-0X0758-SMTP: Incoming connection detected..
    03/10/2003 15:38:31-0X0758-SMTP: 03/10/2003 15:38:31-Spawning server thread for socket [240]..
    03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 217.32.108.165..
    03/10/2003 15:38:31-0X06F0-RBL: IP testing for [217.32.108.165]
    03/10/2003 15:38:31-0X06F0-RBL: Testing 165.108.32.217.sbl.spamhaus.org
    03/10/2003 15:38:31-0X06F0-RBL: DUL Testing 165.108.32.217.list.dsbl.org
    03/10/2003 15:38:32-0X06F0-SMTP: Sending 'service ready' to receiver on socket [240]..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuseat_private
    03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuseat_private against black list d:\ezmts\blacklist.txt..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse
    03/10/2003 15:38:32-0X06F0-SMTP: Address [<bt.abuse>] is not a valid email address..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuseat_private
    03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuseat_private against black list d:\ezmts\blacklist.txt..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@[x.x.x.x]
    03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@[x.x.x.x] against black list d:\ezmts\blacklist.txt..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
    03/10/2003 15:38:32-0X06F0-SMTP: Address [<postmaster>] is not a valid email address..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
    03/10/2003 15:38:32-0X06F0-SMTP: Bypassing UBE test..
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
    03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
    03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
    03/10/2003 15:38:32-0X06F0-SMTP: Closing connection on socket [240]..
    03/10/2003 15:38:32-0X06F0-SMTP: Exiting thread for socket [240]..
    
    Firewall Logs (BST)
    _____________
    
    2003/04/11 15:51:18 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/12 01:12:53 217.32.108.165:41035 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/12 12:15:06 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/12 23:06:15 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/13 15:43:45 217.32.108.165:38238 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/13 15:56:26 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/13 18:26:56 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/13 23:01:11 217.32.108.165:50834 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/14 15:47:40 217.32.108.165:52725 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/14 01:28:47 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/15 00:46:48 217.32.108.165:63777 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/15 15:52:49 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/15 23:52:46 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 00:00:14 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 13:23:45 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 15:49:18 217.32.108.165:51404 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 16:52:38 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 16:54:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 16:55:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
    2003/04/16 23:05:48 217.32.108.165:51612 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
    
    
    
    ----------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
    world's premier event for IT and network security experts.  The two-day 
    Training features 6 hand-on courses on May 12-13 taught by professionals.  
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
    sales pitches.  Deadline for the best rates is April 25.  Register today to 
    ensure your place. http://www.securityfocus.com/BlackHat-incidents 
    ----------------------------------------------------------------------------
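The pattern the poster describes (one connection cycling through several MAIL FROM identities, including an empty sender and "postmaster", each aimed at the same off-site recipient, each met with a 550 and an RSET, plus the same source hitting the SMTP port many times a day) can be picked out of the logs mechanically rather than by reading them at 3 a.m. The script below is an added example written for this archive page; it is not code from either poster. Its sample lines are constructed to mirror the two log formats quoted above: the archive's "at_private" obfuscation is replaced with the reserved domain example.invalid, the mail server's own domain is assumed to be example.com, and the thresholds (three sender variants, two hits per day) are arbitrary starting points, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample records in the shape of the MailServer and firewall logs
# quoted in the post (one record per line).  Addresses use the reserved
# example.invalid domain; the local domain example.com is a hypothetical value.
MAILSERVER_LOG = """\
03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 217.32.108.165..
03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@example.invalid
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse@example.invalid
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse@example.invalid>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
03/10/2003 15:38:32-0X06F0-SMTP: Address [<postmaster>] is not a valid email address..
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuse@example.invalid
03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuse@example.invalid>
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
"""

FIREWALL_LOG = """\
2003/04/11 15:51:18 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 01:12:53 217.32.108.165:41035 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/12 12:15:06 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:52:38 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
2003/04/16 16:54:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
"""

SMTP_RE = re.compile(r"^\S+ \S+-0X[0-9A-F]+-SMTP: (?P<msg>.*)$")
REMOTE_RE = re.compile(r"Remote IP = (?P<ip>\d+(?:\.\d+){3})")
CMD_RE = re.compile(r"Got (?P<verb>HELO|MAIL FROM|RCPT TO|RSET|QUIT)[: ]?(?P<arg>.*)$")
FW_RE = re.compile(r"^(?P<date>\d{4}/\d{2}/\d{2}) \S+ (?P<ip>\d+(?:\.\d+){3}):\d+ "
                   r"\((?P<host>[^)]+)\) .*\bBLOCKED$")


def is_local(addr, local_domains):
    """Bare names and addresses in our own domains are local deliveries;
    anything else is a request to relay."""
    a = addr.strip("<>").lower()
    if "@" not in a:
        return True
    return a.rsplit("@", 1)[1] in local_domains


def analyze_session(log_text, local_domains):
    """Summarise one SMTP session: who connected, which sender identities were
    tried, where they asked to deliver, and whether the shape is a relay probe."""
    s = {"remote_ip": None, "mail_from": [], "rcpt_to": [], "rejected": 0, "rset": 0}
    for line in log_text.splitlines():
        m = SMTP_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        ip = REMOTE_RE.search(msg)
        if ip:
            s["remote_ip"] = ip.group("ip")
            continue
        if "550 user rejected" in msg:
            s["rejected"] += 1
            continue
        c = CMD_RE.search(msg)
        if not c:
            continue
        verb, arg = c.group("verb"), c.group("arg").strip()
        if verb == "MAIL FROM":
            s["mail_from"].append(arg)
        elif verb == "RCPT TO":
            s["rcpt_to"].append(arg)
        elif verb == "RSET":
            s["rset"] += 1
    external = {r for r in s["rcpt_to"] if not is_local(r, local_domains)}
    s["external_rcpt"] = sorted(external)
    s["sender_variants"] = len(set(s["mail_from"]))
    # Several sender identities, one external recipient, RSET between tries:
    # the relay-test shape seen in the quoted log.
    s["is_relay_probe"] = s["sender_variants"] >= 3 and len(external) == 1 and s["rset"] >= 2
    # The poster's second concern: the probe also tries the postmaster identity.
    s["used_postmaster"] = any(a.strip("<>").lower() == "postmaster" for a in s["mail_from"])
    return s


def blocked_per_source_day(log_text):
    """Count BLOCKED SMTP connection attempts per (source IP, day)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            counts[(m.group("ip"), m.group("date"))] += 1
    return counts


def noisy_sources(counts, per_day_threshold):
    """Source IPs that hit the SMTP port at least per_day_threshold times in one day."""
    return sorted({ip for (ip, _day), n in counts.items() if n >= per_day_threshold})


def source_hosts(log_text):
    """Map each blocked source IP to the reverse DNS name the firewall logged."""
    return {m.group("ip"): m.group("host")
            for m in map(FW_RE.match, log_text.splitlines()) if m}


def rdns_is_generic(host, ip):
    """True when the reverse name is just the address spelled out (generic access-line
    naming), so it says nothing about who operates the host, which is the poster's
    complaint about the scanner's identity."""
    return ip.replace(".", "-") in host or ip in host


if __name__ == "__main__":
    session = analyze_session(MAILSERVER_LOG, {"example.com"})
    print(f"{session['remote_ip']}: relay probe={session['is_relay_probe']}, "
          f"sender variants={session['sender_variants']}, postmaster tried={session['used_postmaster']}")
    counts = blocked_per_source_day(FIREWALL_LOG)
    hosts = source_hosts(FIREWALL_LOG)
    for ip in noisy_sources(counts, 2):
        print(f"{ip} ({hosts[ip]}) generic rDNS={rdns_is_generic(hosts[ip], ip)}")
```

Run against a real log the session summary tells you in one line whether a connection was a relay test and whether it touched postmaster, and the per-day counter gives the frequency figure to quote back to the ISP; the rDNS check only flags that the source name is unverifiable, which is exactly the point where the thread's question about who is really behind the scans has to be settled out of band.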
    
    



    This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 07:33:38 PDT