
Open Relay testing


Simon Waters

Nov 24, 2003, 7:36:10 PM
Malcolm S. Muir wrote:
>
> ISPs continue to have a part to play in ensuring that their
> customers are not running vulnerable systems.

Will any more details be forthcoming?

Looking at some other email servers we see a lot of activity from
probably compromised Windows boxes (of all types).

Specifically some have port 707 open (Trojan?), and some have port 5000
(Presumably the XP Universal plug and play weakness has been exploited),
and some fit neither description. Without dissecting the boxes in
question it is impossible to say if these are all compromised, or just
poorly configured spam boxes, but it smells like an infection to me.

The attack is the more conventional dictionary attack, within a few
seconds of restarting the mail server I see 50 or 60 incoming sessions,
mainly from cable or DSL accounts. Each apparently generating random
usernames for various domains.

So far nothing from Demon accounts, although one or two spam with faked
Demon sender addresses.

My suspicion is that it may be necessary to tell people if their
machine is even likely to be compromisable. We may be near the point
where running a vulnerability scanner like Nessus over each client once
in a while is not excessive.

Anyone seen any examples of Code Red opening up the guest account on
Exchange, as suggested by Greenspan?

It isn't a major problem yet performance wise, but it could become one.
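A defender-side heuristic for the pattern the post describes (one source opening many sessions within seconds and trying random, non-existent usernames across several domains). This is an added example, not code from the thread; the log line format, the status token and the thresholds are assumed, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real server log). Assumed format:
# "<ISO time> <source ip> RCPT <recipient> <status>"
SAMPLE_LOG = """\
2003-11-24T19:30:01 10.0.0.5 RCPT bob@example.net OK
2003-11-24T19:30:02 198.51.100.7 RCPT qzk1@example.net UNKNOWN_USER
2003-11-24T19:30:02 198.51.100.7 RCPT p9ae@example.org UNKNOWN_USER
2003-11-24T19:30:03 198.51.100.7 RCPT jjx0@example.net UNKNOWN_USER
2003-11-24T19:30:03 198.51.100.7 RCPT tr2w@example.com UNKNOWN_USER
2003-11-24T19:30:04 198.51.100.7 RCPT b4vq@example.net UNKNOWN_USER
2003-11-24T19:30:05 10.0.0.5 RCPT alice@example.net OK
2003-11-24T19:31:40 203.0.113.9 RCPT carol@example.net UNKNOWN_USER
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, source ip, recipient, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, addr, status = m.groups()
            yield datetime.fromisoformat(ts), ip, addr, status


def dictionary_attack_sources(log, window_seconds=10, min_unknown=4):
    """Return {ip: n} for sources that were rejected for at least min_unknown
    distinct unknown recipients inside any window_seconds-long sliding window.
    A single typo'd address (one rejection) never trips the threshold."""
    per_ip = defaultdict(list)
    for ts, ip, addr, status in parse(log):
        if status == "UNKNOWN_USER":  # assumed rejection token
            per_ip[ip].append((ts, addr))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {addr for _, addr in events[start:end + 1]}
            if len(distinct) >= min_unknown:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Flagged sources are candidates for rate limiting or a temporary block rather than automatic proof of compromise; a legitimate relay with a stale address list can look similar at low counts.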
