| My NNTP server's experience (so far) with mail-relay attempts | Spam Guy | 05/04/13 16:29 | So what brings me here today is to post (for all posterity) some stats of what my SMTP server has been seeing as far as mail-relay attempts. Just for some background - my server has been in operation since approx 1998, handling mail for a small bio-science corporation with between 20 and 50 employees, running "Post.office" made by the now-defunct "software.com" on a Win-NT4 box. I happened to look at some of the SMTP logs recently and I saw some entries that motivated me to do a more in-depth analysis of the log files going back to day 1 of the server's operation. Here's what I found.
On April 2/2012, there were 5,759 attempts over 43 minutes to use my server to relay mail to (rand-string) @ (my_ISP.com) from 124.12.90.118 (2.25 attempts per second), where "my_ISP" is the ISP that is used to connect $Dayjob to the internet. Between Oct 12/2012 and March 9/2013, 620 relay attempts were made from 87 different IPs to test @ live.com. Between March 22/2010 and March 17/2013, 18 relay attempts were made from 6 different IPs to smtp2001soho @ yahoo.com. Between May 27/2010 and March 12/2013, 16 relay attempts were made from 9 different IPs to spameri or spamery @ tiscali.it. Between October 12/2010 and Feb 17/2013, 19 relay attempts were made from 19 different IPs to various addresses at random (probably fake) domains - with the exception of one attempt to gmail.com and two attempts to hotmabox @ yahoo.com. So based on this analysis, it would appear that open-relay probing seems to have begun in some sort of organized or serious way starting in March 2010. I would be curious to know if others have had that same experience. I must admit to being surprised that it wouldn't have started years earlier. So what I've done starting today is to configure my server so that it thinks it's authoritative for live.com and tiscali.it, and in addition I've created accounts for "test", "spameri" and "spamery". This should enable me to see just what is being sent to those accounts during these probe attempts.
None of our local users send e-mail to those domains, so that shouldn't interfere with legit mail. If I find anything interesting, I'll post it here. Something else that I'll be doing is adding the entire /16 net-blocks to my server's blocking list so that those IPs that try to relay mail will never again be able to make a connection to my server. |
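As an added example (not code from the post above or from Post.office), a short Python script that reproduces the kind of relay-log analysis the post describes over constructed sample lines: distinct source IPs per probed recipient, the peak attempts-per-second of a burst from one source, and how the attempts fall into /16 netblocks. The log line format is an assumption for the example, not Post.office's real format.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample lines (assumed format, not Post.office's own): date, time, verdict, source, recipient.
SAMPLE_LOG = """\
2012-04-02 10:00:00 relay-denied from=124.12.90.118 to=ab12xz@my_isp.example
2012-04-02 10:00:00 relay-denied from=124.12.90.118 to=qq9f2@my_isp.example
2012-04-02 10:00:01 relay-denied from=124.12.90.118 to=zz01@my_isp.example
2012-10-12 03:14:00 relay-denied from=198.51.100.7 to=test@live.com
2012-11-01 08:02:10 relay-denied from=203.0.113.9 to=test@live.com
2013-03-12 11:11:11 relay-denied from=192.0.2.55 to=spameri@tiscali.it
"""

def parse(log):
    """Return (timestamp, source_ip, recipient) tuples for each relay-denied line."""
    events = []
    for line in log.splitlines():
        date, clock, verdict, frm, to = line.split()
        if verdict == "relay-denied":
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            events.append((ts, frm.split("=", 1)[1], to.split("=", 1)[1].lower()))
    return events

def distinct_sources_per_recipient(events):
    """How many distinct source IPs probed each recipient (the '87 IPs to test@live.com' style figure)."""
    seen = defaultdict(set)
    for _, ip, rcpt in events:
        seen[rcpt].add(ip)
    return {rcpt: len(ips) for rcpt, ips in seen.items()}

def burst_rates(events, min_attempts=3, window_seconds=60):
    """Peak attempts-per-second per source IP, reported only where some window holds >= min_attempts."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i  # extend the window from times[i] as far as window_seconds allows
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            n = j - i + 1
            if n >= min_attempts:
                span = max((times[j] - times[i]).total_seconds(), 1.0)  # avoid divide-by-zero
                peaks[ip] = max(peaks.get(ip, 0.0), n / span)
    return peaks

def slash16_counts(events):
    """Attempts per /16, the granularity the post proposes to block (note the collateral-damage risk)."""
    return Counter(".".join(ip.split(".")[:2]) + ".0.0/16" for _, ip, _ in events)
```

Blocking at /16 granularity is visible here as a single counter key covering many unrelated hosts, which is the administrative burden the reply below describes.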
| Re: My NNTP server's experience (so far) with mail-relay attempts | Bob Milutinovic | 05/04/13 22:30 | "Spam Guy" <Sp...@guy.com> wrote in message news:515F5E71.2333C4AF@guy.com...
I've seen such behaviour as far back as 2003; from what I could see the probing seems to happen in waves - they'll take turns at probing for a couple of weeks, then nothing for several months, then they start all over again (usually with different recipient addresses). I did that here too a couple of years ago, and the smtp20**so...@yahoo.com (** varies) spammer went gaga with additional attempts until he finally realised that _only_ relays to that address were "working." I also set forwarding up from my other spamtraps, to send all received spam to the receiving addresses of the probers, which eventually led to them changing their receiving addresses (used in probes) - but not before Yahoo imposed greylisting on messages from my mail server (gee, they like sending it but don't like receiving it?). Been doing that here too, but eventually the collection becomes a nightmare to administer, especially the blocks controlled by fly-by-night ISPs which seem to change hands more often than ShitStain changes socks. -- Bob Milutinovic Cognicom |