Re: SMTP Scans

From: Kurt Seifried (btat_private)
Date: Thu Apr 24 2003 - 12:43:20 PDT

Next message: Patrick Nolan: "Re: Trojan found..."

Previous message: aladin168: "Re: IP Spoofs in the log - not sure what to do next"
In reply to: Jimi Thompson: "RE: SMTP Scans"
Next in thread: Luc Somers: "RE: SMTP Scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> >>For the last few months our ISP (BT) has apparently been scanning our
> >>mail  servers for open relays, this is happening up to
> >>12 times a day across both Primary & Secondary mail servers.
> >
> >I don't condone this, but this is fairly common practice amongst UK ISPs.
> >
> >Regards,
> >
> >
> >Mally Mclane
> >RIPE NCC - Operations
>
> Why the aggressive schedule?  For your "commercial" (as in - not end
> user) IP space, I would think that weekly or monthly should be
> sufficient.  Especailly considering that, as your ISP, they know the
> IP addresses of your mail servers, I find this to be excessive and
> would really like to know what they think they are combating.  It
> sounds like another bean counter making technical decisions again.

Daily scans = up to 24 hours of spam email. Weekly scans = up to 168 hours
of spam email. Scans every 2 hours = a LOT less spam email sent through an
open relay. We're talking broadband here, a lot of email can be sent if the
server is pumping it flat out for a day or a week or a month. Remember that
the threat model here mostly consists of customers setting up a new server
as an open relay, or accidently configuring an existing system as an open
relay (witness the thread on upgrading exchange and opening up relaying).

Or to put it this way: why do you think earthlink, aol and a LOT of spam
packages label email from cablemodem, dsl and other broadband network blocks
as spam? Hint: it has to do with all the spam coming from them.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/





----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------

Next message: Patrick Nolan: "Re: Trojan found..."
Previous message: aladin168: "Re: IP Spoofs in the log - not sure what to do next"
In reply to: Jimi Thompson: "RE: SMTP Scans"
Next in thread: Luc Somers: "RE: SMTP Scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 11:38:58 PDT