Open relays

Spamhaus wrote about the return of open relays yesterday. What they’re seeing today matches what I see: there is fairly consistent abuse of open relays to send spam. As spam problems go it’s not as serious as compromised machines or abuse-tolerant ESPs / ISPs / freemail providers – either in terms of volume or user inbox experience – but it’s definitely part of the problem.
I’m not sure how much of a new problem it is, though.
Spammers scan the ‘net for mailservers and attempt to relay email through them back to email addresses they control. Any mail that’s delivered is a sign of an open relay. They typically put the IP address of the mailserver they connected to in the subject line of the email, making it easy for them to mechanically extract a list of open relays.
We run some honeypots that accept and log any transaction; to a spammer they look exactly like an open relay, except that they never actually relay any email. They let us see what’s going on. Here’s a fairly typical recent relay attempt:

MAIL FROM: <test@live.com>
RCPT TO: <therichsheickc@yahoo.com>
RCPT TO: <therichsheick1@yahoo.com>
RCPT TO: <therichsheick9@yahoo.com>
RCPT TO: <therichsheick2@yahoo.com>
RCPT TO: <therichsheick0@yahoo.com>
RCPT TO: <therichsheickb@yahoo.com>
RCPT TO: <therichsheick7@yahoo.com>
RCPT TO: <therichsheick13@yahoo.com>
RCPT TO: <therichsheick4@yahoo.com>
RCPT TO: <therichsheickf@yahoo.com>
RCPT TO: <therichsheick12@yahoo.com>
RCPT TO: <therichsheick5@yahoo.com>
RCPT TO: <therichsheicke@yahoo.com>
RCPT TO: <therichsheickd@yahoo.com>
RCPT TO: <therichsheicka@yahoo.com>
RCPT TO: <therichsheick10@yahoo.com>
RCPT TO: <therichsheick6@yahoo.com>
RCPT TO: <therichsheick3@yahoo.com>
RCPT TO: <therichsheick@yahoo.com>
RCPT TO: <therichsheick11@yahoo.com>
RCPT TO: <therichsheick8@yahoo.com>
DATA
From: <test@live.com>
Date: Sun, 1 Dez 2013 12:17:21 +0000
Subject: ip.ad.ddr.ess@pauletteOpen Relay
It’s 106 miles to Chicago, we got a full tank of gas, half a pack of cigarettes, it’s dark… and we’re wearing sunglasses.
.

This test came from an IP address apparently in the Amazon cloud, which isn’t unusual, but they also come from compromised machines or grubby little /28 allocations from all over the place.
You can see that they use multiple test destination addresses, so that even if they lose access to some they won’t lose the results of the relay test. In this case they’re using yahoo.com addresses, which isn’t at all unusual.
The same relay scanner has been using exactly that same set of yahoo.com email addresses unchanged for over a year, so it seems that their losing access to them isn’t a serious risk.
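The transcript above carries the signals a mail operator can use to recognise a relay probe in their own logs: no recipient is a domain the server hosts, a batch of numbered drop-box addresses at one freemail provider, and a Subject line built so the scanner can extract the tested host’s address mechanically. The following is an added example, not code from the post: it parses a session of the shape quoted above (rebuilt here from the post’s own recipients and Subject) and scores those signals. The local domain `example.com`, the second "legitimate" session, the signal thresholds and the function names are my own assumptions for illustration.

```python
"""Classify captured SMTP sessions as open-relay probes (added example, not the post's code)."""
import re
from dataclasses import dataclass, field
from os.path import commonprefix
from typing import Optional

# Constructed sample 1: the relay test quoted in the post, rebuilt line by line.
PROBE_SUFFIXES = ["c", "1", "9", "2", "0", "b", "7", "13", "4", "f", "12",
                  "5", "e", "d", "a", "10", "6", "3", "", "11", "8"]
PROBE_SESSION = "\n".join(
    ["MAIL FROM: <test@live.com>"]
    + [f"RCPT TO: <therichsheick{s}@yahoo.com>" for s in PROBE_SUFFIXES]
    + ["DATA",
       "From: <test@live.com>",
       "Date: Sun, 1 Dez 2013 12:17:21 +0000",
       "Subject: ip.ad.ddr.ess@pauletteOpen Relay",
       "It's 106 miles to Chicago, we got a full tank of gas, half a pack "
       "of cigarettes, it's dark... and we're wearing sunglasses.",
       "."])

# Constructed sample 2: ordinary inbound mail to a domain this server hosts.
LEGIT_SESSION = """\
MAIL FROM: <alice@partner.example>
RCPT TO: <sales@example.com>
RCPT TO: <support@example.com>
DATA
From: Alice <alice@partner.example>
Subject: Renewal quote
Hello, please find the quote attached.
."""


@dataclass
class Session:
    mail_from: Optional[str] = None
    rcpts: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)   # lower-cased header names
    body: list = field(default_factory=list)


ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^<>\s]*)>?\s*$", re.I)
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_session(text: str) -> Session:
    """Walk a logged session: envelope commands, then DATA headers, then body up to '.'.
    The post's transcript has no blank line after the headers, so the first line that
    does not look like a header is taken as the start of the body."""
    s = Session()
    phase = "envelope"
    for line in text.splitlines():
        if phase == "envelope":
            if line.strip().upper() == "DATA":
                phase = "headers"
                continue
            m = ENVELOPE.match(line)
            if not m:
                continue
            if m.group(1).upper() == "MAIL FROM":
                s.mail_from = m.group(2)
            else:
                s.rcpts.append(m.group(2))
        elif line.strip() == ".":
            break
        elif phase == "headers" and line.strip() and HEADER.match(line):
            name, value = HEADER.match(line).groups()
            s.headers[name.lower()] = value
        else:
            phase = "body"
            s.body.append(line)
    return s


def relay_probe_signals(s: Session, local_domains: set) -> dict:
    """Each signal is one observation the post makes about relay tests."""
    domains = [r.rpartition("@")[2].lower() for r in s.rcpts]
    local_parts = [r.rpartition("@")[0] for r in s.rcpts]
    stem = commonprefix(local_parts) if local_parts else ""
    subject = s.headers.get("subject", "").lower()
    return {
        # Nothing addressed to a domain we host: the server is being used as a hop.
        "no_local_recipients": bool(domains) and not any(d in local_domains for d in domains),
        # Many drop-boxes at one provider, so losing a few of them costs the scanner nothing.
        "many_rcpts_one_domain": len(s.rcpts) >= 5 and len(set(domains)) == 1,
        # One stem plus short suffixes: a generated address set rather than real people.
        "numbered_local_parts": len(local_parts) >= 5 and len(stem) >= 4
        and all(len(lp) - len(stem) <= 3 for lp in local_parts),
        # Subject that names the relay or carries an IP for mechanical extraction.
        "subject_marks_relay": "open relay" in subject or bool(IPV4.search(subject)),
    }


def is_relay_probe(s: Session, local_domains: set) -> bool:
    """Off-site delivery plus either the tell-tale Subject or a generated drop-box batch."""
    sig = relay_probe_signals(s, local_domains)
    return sig["no_local_recipients"] and (
        sig["subject_marks_relay"]
        or (sig["many_rcpts_one_domain"] and sig["numbered_local_parts"]))


if __name__ == "__main__":
    for name, raw in (("probe", PROBE_SESSION), ("legit", LEGIT_SESSION)):
        sess = parse_session(raw)
        print(name, is_relay_probe(sess, {"example.com"}), relay_probe_signals(sess, {"example.com"}))
```

A real server should of course refuse the off-site RCPT commands outright rather than score them afterwards; the scoring is useful on a honeypot, or on logs from a server you suspect has been misconfigured, to separate relay probes from the ordinary rejected mail around them.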
How new is this?

[Figure relay.numbers: relay attempts seen by the honeypot per month, logarithmic scale]
We saw over 100,000 relay attempts in March 2010. The break in 2011 is when the machine running the honeypot moved providers. That the relay attempts didn’t climb back to their previous levels is interesting; I’m guessing that some ranges of network space are more profitable to mine for open relays than others. This graph uses a logarithmic scale, as otherwise the more recent volumes would be dwarfed by the older ones.
Let’s just look at traffic since mid-2011 on a linear scale instead, broken down by week rather than by month:

[Figure weekly.numbers: relay attempts per week since mid-2011, linear scale]
Well, something is certainly happening. But it’s a very spiky sort of traffic anyway, so short term changes don’t necessarily mean anything.
I’m not sure if there’s any trend or message to draw from this other than “Here, have some data.” and “Open relays are still an issue, and spammers are still actively looking for them.”
