My NNTP server's experience (so far) with mail-relay attempts

My NNTP server's experience (so far) with mail-relay attempts Spam Guy 05/04/13 16:29
So what brings me here today is to post (for all posterity) some stats
of what my SMTP server has been seeing as far as mail-relay attempts.

Just for some background - my server has been in operation since approx
1998, handling mail for a small bio-science corporation with between 20
and 50 employees.  Running "Post.office" made by the now defunct
"software.com" on a win-NT4 box.

I happened to look at some of the SMTP logs recently and I saw some
entries that motivated me to do a more in-depth analysis of the log files
going back to day 1 of the server's operation.  Here's what I found.

On April 2 / 2012, there were 5,759 attempts over 43 minutes to use my
server to relay mail to (rand-string) @ (my_ISP.com) from 124.12.90.118
(2.25 attempts per second), where "my_ISP" is the ISP that is used to
connect $Dayjob to the internet.

Between Oct 12/2012 and March 9/2013, 620 relay attempts were made from
87 different IPs to test @ live.com.

Between March 22/2010 and March 17/2013, 18 relay attempts were made
from 6 different IPs to smtp2001soho @ yahoo.com.

Between May 27 / 2010 and March 12/2013, 16 relay attempts were made
from 9 different IPs to spameri or spamery @ tiscali.it.

Between October 12 / 2010 and Feb 17 / 2013, 19 relay attempts were made
from 19 different IPs to various addresses at random (probably fake)
domains - with the exception of one attempt to gmail.com and two
attempts to hotmabox @ yahoo.com.

So based on this analysis, it would appear that open-relay probing began
in some sort of organized or serious way starting in March 2010.  I would
be curious to know if others have had the same experience.  I must admit
to being surprised that it wouldn't have started years earlier.

So what I've done starting today is to configure my server so that it
thinks it's authoritative for live.com and tiscali.it and in addition
I've created accounts for "test", "spameri" and "spamery".  This should
enable me to see just what is being sent to those accounts during these
probe attempts.  None of our local users send e-mail to those domains,
so that shouldn't interfere with legit mail.  If I find anything
interesting, I'll post them here.  

Something else that I'll be doing is adding the entire /16 net-blocks to
my server's blocking list so that those IP's that try to relay mail will
never again be able to make a connection to my server.
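The per-recipient and per-source tallies above, plus the /16 collapse, are the kind of thing a small script over the reject log gives you directly. The block below is an added example, not the poster's own tooling or anything from Post.office: the log line format is hypothetical (the page does not show the real one), the sample lines are constructed (124.12.90.118 is the address named in the post; 203.0.113.x and 198.51.100.x are documentation ranges), and the function names are mine.

```python
"""Summarise open-relay probes from SMTP reject-log lines.

Added example. The log format is hypothetical and the sample lines are
constructed; only the 124.12.90.118 source and the test@live.com target
come from the post this illustrates.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical format: "<YYYY-MM-DD HH:MM:SS> <client-ip> RCPT TO:<addr> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT TO:<(?P<rcpt>[^>]+)> "
    r"(?P<status>.*)$"
)

# Constructed sample: a burst of random-localpart probes from one host,
# the "test@live.com" probe from three hosts, and one accepted local delivery.
SAMPLE_LOG = """\
2012-04-02 10:00:00 124.12.90.118 RCPT TO:<q7x2k@my-isp.example> 550 relaying denied
2012-04-02 10:00:01 124.12.90.118 RCPT TO:<b9hd1@my-isp.example> 550 relaying denied
2012-04-02 10:00:01 124.12.90.118 RCPT TO:<m3z0p@my-isp.example> 550 relaying denied
2012-04-02 10:00:02 124.12.90.118 RCPT TO:<r1ttq@my-isp.example> 550 relaying denied
2012-10-12 03:14:15 203.0.113.7 RCPT TO:<test@live.com> 550 relaying denied
2013-01-20 22:41:09 198.51.100.42 RCPT TO:<Test@live.com> 550 relaying denied
2013-03-09 08:05:55 198.51.100.99 RCPT TO:<test@live.com> 550 relaying denied
2013-03-09 08:06:00 198.51.100.99 RCPT TO:<alice@example.org> 250 ok
"""


def parse_relay_attempts(text):
    """Return refused RCPT commands (5xx status) as dicts; accepted mail is skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("status").startswith("5"):
            continue
        attempts.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group("ip"),
            "rcpt": m.group("rcpt").lower(),  # probers vary case; normalise
        })
    return attempts


def summarize_by_recipient(attempts):
    """Per recipient: attempt count, distinct source IPs, first and last seen."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "first": None, "last": None})
    for a in attempts:
        s = summary[a["rcpt"]]
        s["count"] += 1
        s["ips"].add(a["ip"])
        if s["first"] is None or a["ts"] < s["first"]:
            s["first"] = a["ts"]
        if s["last"] is None or a["ts"] > s["last"]:
            s["last"] = a["ts"]
    return dict(summary)


def attempts_per_second(attempts, ip):
    """Refused RCPTs per second from one source over its observed window."""
    times = sorted(a["ts"] for a in attempts if a["ip"] == ip)
    if len(times) < 2:
        return 0.0
    span = (times[-1] - times[0]).total_seconds()
    return len(times) / span if span > 0 else float("inf")


def netblocks(ips, prefix=16):
    """Collapse source IPs to /prefix networks and report how many addresses
    each block covers; with prefix=16 that is 65,536 per entry, which is the
    collateral a whole-/16 block carries."""
    nets = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] = net.num_addresses
    return nets


if __name__ == "__main__":
    attempts = parse_relay_attempts(SAMPLE_LOG)
    for rcpt, s in sorted(summarize_by_recipient(attempts).items()):
        print(f"{rcpt}: {s['count']} attempts from {len(s['ips'])} IPs, "
              f"{s['first']:%Y-%m-%d} .. {s['last']:%Y-%m-%d}")
    print("burst rate from 124.12.90.118:",
          attempts_per_second(attempts, "124.12.90.118"), "per second")
    for net, size in sorted(netblocks({a["ip"] for a in attempts}).items()):
        print(f"block {net} covers {size} addresses")
```

Grouping by recipient rather than by source is what surfaces the long-running campaigns (the same drop-box address hit from many hosts over years), while the per-IP rate isolates the single-host bursts; the `netblocks` output is worth printing before committing to a /16 list, since each entry denies 65,536 addresses to catch one.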
Re: My NNTP server's experience (so far) with mail-relay attempts Bob Milutinovic 05/04/13 22:30
"Spam Guy" <Sp...@guy.com> wrote in message news:515F5E71.2333C4AF@guy.com...
I've seen such behaviour as far back as 2003; from what I could see the
probing seems to happen in waves - they'll take turns at probing for a
couple of weeks, then nothing for several months, then they start all over
again (usually with different recipient addresses).

> So what I've done starting today is to configure my server so that it
> thinks it's authoritative for live.com and tiscali.it and in addition
> I've created accounts for "test", "spameri" and "spamery".  This should
> enable me to see just what is being sent to those accounts during these
> probe attempts.  None of our local users send e-mail to those domains,
> so that shouldn't interfere with legit mail.  If I find anything
> interesting, I'll post them here.

I did that here too a couple of years ago, and the smtp20**so...@yahoo.com
(** varies) spammer went gaga with additional attempts until he finally
realised that _only_ relays to that address were "working."

I also set forwarding up from my other spamtraps, to send all received spam
to the receiving addresses of the probers, which eventually led to them
changing their receiving addresses (used in probes) - but not before Yahoo
imposed greylisting on messages from my mail server (gee, they like sending
it but don't like receiving it?).

> Something else that I'll be doing is adding the entire /16 net-blocks to
> my server's blocking list so that those IP's that try to relay mail will
> never again be able to make a connection to my server.

Been doing that here too, but eventually the collection becomes a nightmare
to administer, especially the blocks controlled by fly-by-night ISPs which
seem to change hands more often than ShitStain changes socks.

--
Bob Milutinovic
Cognicom