Scanning for better or worse may look suspicious... I would raise the issue
with BT and ... then ip route host x.x.x.x Null0 on the edge router... No
more processing/logging on the firewall or IDS...

Paul

> -----Original Message-----
> From: Rob Shein [mailto:shotenat_private]
> Sent: Tuesday, April 22, 2003 6:51 AM
> To: 'Hoof Hearted'; incidentsat_private
> Subject: RE: SMTP Scans
>
>
> The question that first comes to mind is, are you sure this is
> BT-sponsored activity? What has the ISP response been, and in what way
> was it vague? The few later connect attempts from what should be a
> RADIUS server are kind of odd for an open relay scan. Also, is the abuse
> email address for BT actually bt.abuseat_private, or is it just
> abuseat_private? It could be someone with a cheesy police uniform
> rattling doors, hoping that nobody recognizes his true intent...
>
> -----Original Message-----
> From: Hoof Hearted [mailto:capbligh2001at_private]
> Sent: Sunday, April 20, 2003 7:07 AM
> To: incidentsat_private
> Subject: Re: SMTP Scans
>
>
> Hi All,
>
> Firstly, thanks to the Moderator for bouncing the 1st draft of this :-)
> My thoughts and comments after being woken for the 3rd night in a row
> with my IDS going off produced more vitriol than coherence and were, on
> reflection, best not posted. Hopefully this draft is more informative.
>
> I'd appreciate any thoughts from list subscribers on the following:
>
> For the last few months our ISP (BT) has apparently been scanning our
> mail servers for open relays; this is happening up to 12 times a day
> across both Primary & Secondary mail servers.
>
> My concerns are twofold; firstly, that I see no good reason to run the
> scans so frequently; and secondly, by nominating the postmaster account
> and attempting to gain access to it (to my mind) it goes from a relay
> scan (something I find marginally acceptable) to an attempted hack
> (something I definitely do NOT find acceptable).
>
> To attempt an analogy, I view this as similar to a Policeman rattling
> doors. I'm sure few would object to any Policeman checking to see if
> doors are locked; however, there's a big difference between 'rattling
> doors' and 'attempting to gain entry'.
>
> It may well be that the scans are entirely innocent; the problem is that
> they look decidedly suspicious in the logs. For example, why would an
> ISP like BT use one of its ADSL accounts to scan its customers? If I
> were doing the scanning, I'd ensure the scanning box was called
> something like 'openrelayscan.bt.com', ergo something easily
> identifiable and verifiable.
>
> To compound matters the ISP response has been vague.
>
> MailServer Logs (BST)
>
> 03/10/2003 15:38:31-0X0758-SMTP: Incoming connection detected..
> 03/10/2003 15:38:31-0X0758-SMTP: 03/10/2003 15:38:31-Spawning server thread for socket [240]..
> 03/10/2003 15:38:31-0X06F0-SMTP: Remote IP = 217.32.108.165..
> 03/10/2003 15:38:31-0X06F0-RBL: IP testing for [217.32.108.165]
> 03/10/2003 15:38:31-0X06F0-RBL: Testing 165.108.32.217.sbl.spamhaus.org
> 03/10/2003 15:38:31-0X06F0-RBL: DUL Testing 165.108.32.217.list.dsbl.org
> 03/10/2003 15:38:32-0X06F0-SMTP: Sending 'service ready' to receiver on socket [240]..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=1) on socket [240] Got HELO x.x
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuseat_private
> 03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuseat_private against black list d:\ezmts\blacklist.txt..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse
> 03/10/2003 15:38:32-0X06F0-SMTP: Address [<bt.abuse>] is not a valid email address..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuseat_private
> 03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuseat_private against black list d:\ezmts\blacklist.txt..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:bt.abuse@[x.x.x.x]
> 03/10/2003 15:38:32-0X06F0-SMTP: Testing mail sender bt.abuse@[x.x.x.x] against black list d:\ezmts\blacklist.txt..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:postmaster
> 03/10/2003 15:38:32-0X06F0-SMTP: Address [<postmaster>] is not a valid email address..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got MAIL FROM:<>
> 03/10/2003 15:38:32-0X06F0-SMTP: Bypassing UBE test..
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] Got RCPT TO:bt.abuseat_private
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=3) on socket [240] 550 user rejected response sent to <bt.abuseat_private>
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got RSET
> 03/10/2003 15:38:32-0X06F0-SMTP: (State=2) on socket [240] Got QUIT
> 03/10/2003 15:38:32-0X06F0-SMTP: Closing connection on socket [240]..
> 03/10/2003 15:38:32-0X06F0-SMTP: Exiting thread for socket [240]..
>
> Firewall Logs (BST)
> _____________
>
> 2003/04/11 15:51:18 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/12 01:12:53 217.32.108.165:41035 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/12 12:15:06 217.32.108.165:41020 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/12 23:06:15 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/13 15:43:45 217.32.108.165:38238 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/13 15:56:26 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/13 18:26:56 217.32.108.165:61585 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/13 23:01:11 217.32.108.165:50834 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/14 15:47:40 217.32.108.165:52725 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/14 01:28:47 217.32.108.165:62965 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/15 00:46:48 217.32.108.165:63777 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/15 15:52:49 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/15 23:52:46 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 00:00:14 217.32.108.165:65081 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 13:23:45 217.32.108.165:52627 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 15:49:18 217.32.108.165:51404 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 16:52:38 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 16:54:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 16:55:23 193.113.209.14:51476 (radius.btconnect.com) Simple Mail Transfer (SMTP) BLOCKED
> 2003/04/16 23:05:48 217.32.108.165:51612 (host217-32-108-165.in-addr.btopenworld.com) Simple Mail Transfer (SMTP) BLOCKED
>
> ----------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts. The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches. Deadline for the best rates is April 25. Register today to
> ensure your place.
> http://www.securityfocus.com/BlackHat-incidents
> ----------------------------------------------------------------------------
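The relay-probe sequence quoted in the mail server log above (a run of MAIL FROM variants, each followed by a RCPT TO where the server accepted the sender and then a RSET) has a recognisable shape, and the firewall log carries the per-source connect counts behind the "up to 12 times a day" figure. The Python below is an added example, not code from the original post or from any of the posters. It parses log lines in the two formats quoted above, reconstructs each SMTP session by server thread id, flags the probe pattern, reports whether any recipient in a probe session was accepted (which is what an open relay would show), and counts firewall hits per source per day together with the logged reverse DNS name. The log lines in the block are constructed to match the quoted formats; the addresses, hostnames and thread ids are placeholders, and the thresholds (four sender attempts in at least three syntaxes) are assumptions for illustration.

```python
# Added example, not code from the list post or from any of the posters. It
# reconstructs SMTP sessions from log lines in the format the post quotes, flags
# the open-relay probe pattern (MAIL FROM / RCPT TO / RSET cycles that vary the
# sender syntax) and counts firewall hits per source per day. All log lines
# below are CONSTRUCTED to match the quoted formats; the addresses, hostnames
# and thread ids are placeholders, not data from the post.
import re
from collections import defaultdict

MAIL_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}-(0X[0-9A-F]+)-SMTP: (.*)$")
IP_RE = re.compile(r"Remote IP = (\d{1,3}(?:\.\d{1,3}){3})")
FW_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) \S+ ([\d.]+):\d+ \(([^)]*)\) .*\b(BLOCKED|ALLOWED)$")


def classify_sender(addr):
    """Bucket a MAIL FROM argument by syntax; relay testers cycle through these."""
    a = addr.strip().strip("<>")
    if a == "":
        return "null"
    if a.lower() == "postmaster":
        return "postmaster"
    if "@" not in a:
        return "bare-local"
    domain = a.rsplit("@", 1)[1]
    return "ip-literal" if domain.startswith("[") and domain.endswith("]") else "user@domain"


def parse_sessions(lines):
    """Group lines by server thread id; in this log format one thread serves one connection."""
    sessions = defaultdict(lambda: {"remote_ip": None, "mail_from": [], "rcpt_to": [], "rejected": 0, "rset": 0})
    for line in lines:
        m = MAIL_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        ip = IP_RE.search(msg)
        if ip:
            s["remote_ip"] = ip.group(1)
        elif "Got MAIL FROM:" in msg:
            s["mail_from"].append(msg.split("Got MAIL FROM:", 1)[1])
        elif "Got RCPT TO:" in msg:
            s["rcpt_to"].append(msg.split("Got RCPT TO:", 1)[1])
        elif "550 user rejected" in msg:
            s["rejected"] += 1
        elif msg.endswith("Got RSET"):
            s["rset"] += 1
    return dict(sessions)


def assess(session, min_attempts=4, min_syntaxes=3):
    """Probe: several sender attempts in several syntaxes, each RSET rather than completed.
    If any RCPT TO in a probe session was not rejected, the relay test succeeded."""
    syntaxes = {classify_sender(a) for a in session["mail_from"]}
    probe = (len(session["mail_from"]) >= min_attempts and len(syntaxes) >= min_syntaxes
             and session["rset"] >= min_attempts - 1)
    return {"remote_ip": session["remote_ip"], "probe": probe, "syntaxes": sorted(syntaxes),
            "relay_open": probe and session["rejected"] < len(session["rcpt_to"])}


def firewall_hits_per_day(lines):
    """Count logged SMTP connects per (source ip, day), keeping the reverse DNS name seen."""
    hits, rdns = defaultdict(int), {}
    for line in lines:
        m = FW_RE.match(line)
        if m:
            hits[(m.group(2), m.group(1))] += 1
            rdns[m.group(2)] = m.group(3)
    return dict(hits), rdns


# Constructed sample: thread 0XAAAA is a relay probe, 0XBBBB a normal delivery.
MAIL_LOG = """\
03/10/2003 15:38:31-0XAAAA-SMTP: Remote IP = 192.0.2.10..
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got MAIL FROM:probe@example.net
03/10/2003 15:38:32-0XAAAA-SMTP: (State=3) on socket [7] Got RCPT TO:probe@example.net
03/10/2003 15:38:32-0XAAAA-SMTP: (State=3) on socket [7] 550 user rejected response sent to <probe@example.net>
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got RSET
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got MAIL FROM:probe
03/10/2003 15:38:32-0XAAAA-SMTP: Address [<probe>] is not a valid email address..
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got RSET
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got MAIL FROM:postmaster
03/10/2003 15:38:32-0XAAAA-SMTP: Address [<postmaster>] is not a valid email address..
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got RSET
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got MAIL FROM:<>
03/10/2003 15:38:32-0XAAAA-SMTP: (State=3) on socket [7] Got RCPT TO:probe@example.net
03/10/2003 15:38:32-0XAAAA-SMTP: (State=3) on socket [7] 550 user rejected response sent to <probe@example.net>
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got RSET
03/10/2003 15:38:32-0XAAAA-SMTP: (State=2) on socket [7] Got QUIT
03/10/2003 16:02:10-0XBBBB-SMTP: Remote IP = 198.51.100.7..
03/10/2003 16:02:10-0XBBBB-SMTP: (State=2) on socket [9] Got MAIL FROM:alice@example.org
03/10/2003 16:02:10-0XBBBB-SMTP: (State=3) on socket [9] Got RCPT TO:bob@mail.example
""".splitlines()

FW_LOG = """\
2003/04/13 15:43:45 192.0.2.10:38238 (host192-0-2-10.example.net) Simple Mail Transfer (SMTP) BLOCKED
2003/04/13 23:01:11 192.0.2.10:50834 (host192-0-2-10.example.net) Simple Mail Transfer (SMTP) BLOCKED
2003/04/14 16:52:38 198.51.100.14:51476 (radius.example.net) Simple Mail Transfer (SMTP) BLOCKED
""".splitlines()

if __name__ == "__main__":
    for thread, sess in parse_sessions(MAIL_LOG).items():
        print(thread, assess(sess))
    hits, rdns = firewall_hits_per_day(FW_LOG)
    for (ip, day), n in sorted(hits.items()):
        print(f"{day} {ip} ({rdns[ip]}): {n} SMTP connect(s)")
```

Run as a script it prints one verdict per session and one line per source and day. The reassuring result for the quoted log is a probe session whose 550 count equals its RCPT TO count; a probe session with an accepted RCPT TO for a foreign domain is the case that needs action. The per-day counts and reverse DNS names are what to put in front of the ISP when asking whether the source is theirs.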
This archive was generated by hypermail 2b30 : Mon Apr 28 2003 - 10:02:54 PDT