Open relays

Spamhaus wrote about the return of open relays yesterday. What they’re seeing matches what I see: there is fairly consistent abuse of open relays to send spam. As spam problems go it’s not as serious as compromised machines or abuse-tolerant ESPs, ISPs and freemail providers, either in terms of volume or of user inbox experience, but it’s definitely part of the problem.
I’m not sure how much of a new problem it is, though.
Spammers scan the ‘net for mailservers and attempt to relay email through them back to email addresses they control. Any mail that’s actually delivered to those addresses is a sign of an open relay; a 250 at RCPT TO on its own proves nothing, since plenty of servers accept and then discard. They typically put the IP address of the mailserver they connected to in the subject line of the email, so a list of working open relays can be extracted mechanically from whatever lands in the test mailboxes.
We run some honeypots that accept and log any transaction. To a spammer they look just like an open relay, except that they don’t actually relay any email. They let us see what’s going on. Here’s a fairly typical recent relay attempt:

MAIL FROM: <test@live.com>
RCPT TO: <therichsheickc@yahoo.com>
RCPT TO: <therichsheick1@yahoo.com>
RCPT TO: <therichsheick9@yahoo.com>
RCPT TO: <therichsheick2@yahoo.com>
RCPT TO: <therichsheick0@yahoo.com>
RCPT TO: <therichsheickb@yahoo.com>
RCPT TO: <therichsheick7@yahoo.com>
RCPT TO: <therichsheick13@yahoo.com>
RCPT TO: <therichsheick4@yahoo.com>
RCPT TO: <therichsheickf@yahoo.com>
RCPT TO: <therichsheick12@yahoo.com>
RCPT TO: <therichsheick5@yahoo.com>
RCPT TO: <therichsheicke@yahoo.com>
RCPT TO: <therichsheickd@yahoo.com>
RCPT TO: <therichsheicka@yahoo.com>
RCPT TO: <therichsheick10@yahoo.com>
RCPT TO: <therichsheick6@yahoo.com>
RCPT TO: <therichsheick3@yahoo.com>
RCPT TO: <therichsheick@yahoo.com>
RCPT TO: <therichsheick11@yahoo.com>
RCPT TO: <therichsheick8@yahoo.com>
DATA
From: <test@live.com>
Date: Sun, 1 Dez 2013 12:17:21 +0000
Subject: ip.ad.ddr.ess@pauletteOpen Relay
It’s 106 miles to Chicago, we got a full tank of gas, half a pack of cigarettes, it’s dark… and we’re wearing sunglasses.
.

This test came from an IP address apparently in the Amazon cloud, which isn’t unusual, but they also come from compromised machines and from grubby little /28 allocations all over the place.
You can see that they use multiple test destination addresses, so that even if they lose access to some of them they won’t lose the results of the relay test. In this case they’re using yahoo.com addresses, which isn’t at all unusual.
The same relay scanner has been using exactly the same set of yahoo.com addresses, unchanged, for over a year, so losing access to them doesn’t seem to be a serious risk for them.
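The two halves of what’s described above, as an added example that is not the honeypot or the scanner code from this post: a miniature SMTP responder that can act either as a relay honeypot (replies 250 to everything, logs the transaction, relays nothing) or as a correctly configured MTA (answers 554 to any recipient outside its own domain), and a probe that runs the same relay test the scanner runs, with the probed server’s IP in the Subject so that any copy that does arrive identifies the relay. mx.example.org, example.org, scanner.example.net, relaytest@example.net and 192.0.2.10 are made-up values; the test addresses in the real probe are the yahoo.com ones shown in the transcript.

```python
# Added example (not the original post's honeypot or the spammer's scanner).
# Assumed values: mx.example.org / example.org as the responder's own domain,
# scanner.example.net and relaytest@example.net on the probing side,
# 192.0.2.10 as the IP being tested.
import re
import socket
from typing import Callable, Dict, List, Optional

CRLF = "\r\n"


def _addr(arg: str) -> str:
    """Pull the address out of 'FROM: <a@b>' / 'TO:<a@b>' / bare forms."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


class SmtpResponder:
    """Server side of an SMTP session, fed one chunk of client input at a time.

    mode="honeypot": 250 to everything, every transaction logged, nothing relayed.
    mode="mta":      554 to any RCPT TO outside LOCAL_DOMAIN, i.e. not an open relay.
    """
    LOCAL_DOMAIN = "example.org"  # assumed: the only domain the MTA accepts mail for

    def __init__(self, mode: str = "honeypot") -> None:
        assert mode in ("honeypot", "mta")
        self.mode = mode
        self.in_data = False
        self.transactions: List[Dict] = []  # the honeypot's log
        self._reset()

    def _reset(self) -> None:
        self.current: Dict = {"mail_from": None, "rcpt_to": [], "data": []}

    def feed(self, chunk: str) -> Optional[str]:
        """Consume one or more CRLF-separated lines; return the last reply sent."""
        reply = None
        for line in chunk.split(CRLF):
            r = self._line(line)
            if r is not None:
                reply = r
        return reply

    def _line(self, line: str) -> Optional[str]:
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.transactions.append(self.current)
                self._reset()
                return "250 2.0.0 Ok: queued"  # the honeypot lies: nothing is queued
            self.current["data"].append(line)
            return None  # no per-line replies inside DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.org"
        if verb == "MAIL":
            self.current["mail_from"] = _addr(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = _addr(arg)
            if self.mode == "mta" and not rcpt.lower().endswith("@" + self.LOCAL_DOMAIN):
                return "554 5.7.1 Relay access denied"
            self.current["rcpt_to"].append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.current["rcpt_to"]:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def relay_probe(send: Callable[[str], Optional[str]], target_ip: str,
                sender: str = "test@live.com",
                recipients=("relaytest@example.net",)) -> Dict:
    """The scanner's test: outside sender, outside recipient(s), probed IP in the
    Subject. The verdict here is drawn from SMTP replies only; the real proof is
    the message turning up in the test mailbox, which is why the IP is in the Subject."""
    send("EHLO scanner.example.net")
    send(f"MAIL FROM: <{sender}>")
    accepted = [r for r in recipients if (send(f"RCPT TO: <{r}>") or "").startswith("250")]
    queued = False
    if accepted and (send("DATA") or "").startswith("354"):
        body = [f"From: <{sender}>", f"Subject: {target_ip} Open Relay", "", "relay test", "."]
        queued = (send(CRLF.join(body)) or "").startswith("250")
    send("QUIT")
    return {"appears_open": queued, "accepted": accepted}


def is_relay_probe(txn: Dict, my_ip: str) -> bool:
    """Honeypot-side check: a logged message whose Subject carries our own IP
    is a relay test, not mail anyone ever meant to deliver."""
    for line in txn["data"]:
        if line == "":
            break  # end of headers
        if line.lower().startswith("subject:") and my_ip in line:
            return True
    return False


def socket_dialog(host: str, port: int = 25, timeout: float = 10.0) -> Callable[[str], str]:
    """Adapter so relay_probe can be pointed at a real server you are responsible
    for (not exercised here). Handles the multi-line 250- replies to EHLO."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="latin-1", newline=CRLF)
    rfile.readline()  # 220 greeting

    def send(chunk: str) -> str:
        sock.sendall((chunk + CRLF).encode("latin-1"))
        while True:
            line = rfile.readline()
            if not line or line[3:4] != "-":
                return line.rstrip(CRLF)
    return send


if __name__ == "__main__":
    for mode in ("honeypot", "mta"):
        srv = SmtpResponder(mode)
        print(mode, relay_probe(srv.feed, "192.0.2.10"))
        for t in srv.transactions:
            print("  logged:", t["mail_from"], "->", t["rcpt_to"],
                  "relay probe?", is_relay_probe(t, "192.0.2.10"))
```

Against the honeypot the probe reports the relay as open and the honeypot’s log holds a transaction that `is_relay_probe` flags by the IP in the Subject; against the MTA mode every outside RCPT TO gets 554 and nothing is logged. To check a server you own, pass `socket_dialog(host)` as `send` and then look in the test mailbox rather than trusting the 250.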
How new is this?

[Graph relay.numbers: monthly relay attempts against the honeypot, 2010 onwards, logarithmic scale]
We saw over 100,000 relay attempts in March 2010. The break in 2011 is when the machine running the honeypot moved providers. That the relay attempts didn’t climb back to their previous level is interesting; I’m guessing that some ranges of network space are more profitable to mine for open relays than others. The graph uses a logarithmic scale, as otherwise the more recent volumes would be dwarfed by the older ones.
Let’s look at just the traffic since mid-2011, on a linear scale, and broken down by week rather than by month:

[Graph weekly.numbers: weekly relay attempts since mid-2011, linear scale]
Well, something is certainly happening. But this is very spiky traffic at the best of times, so short-term changes don’t necessarily mean anything.
I’m not sure if there’s any trend or message to draw from this other than “Here, have some data.” and “Open relays are still an issue, and spammers are still actively looking for them.”

Related Posts

New Spamhaus lists

Spamhaus announced today that they are publishing two new BGP feeds: Extended DROP and the Botnet C&C list. These lists are intended for use inside routers, to drop all traffic to or from listed IP addresses. Cutting botnet traffic off at the network layer this way should have a significant impact on both infections and command-and-control traffic.
In other news, I’ve been hearing rumblings about changes at Yahoo. It looks like they have changed their filters and some senders are feeling a lot of pain because of it. Senders with low to mid-range reputations seem to be the most affected, and are seeing more and more of their mail hit the bulk folder. This afternoon I’m hearing that some folks are seeing delivery improvements as Yahoo tweaks the changes.


Yahoo now auctioning domain names

This summer Yahoo shook up the email ecosystem by publicly announcing they were recycling usernames. The shakeup wasn’t so much that they were recycling usernames, but that they did it in a way that compromised user information and account security: any user who had an account elsewhere tied to a recycled Yahoo address is at risk of having their PII leaked. Folks are still dealing with the fallout, both Yahoo and the companies trying to meet customer needs by sending email while protecting customers by not sending it to addresses that may have changed hands.
On top of that, Yahoo announced they’re selling off a number of domains that they’ve accumulated over the years. Some of these are pretty high value domains like webserver.com, sandwich.com and other real words.
I don’t think Yahoo used any of these domains for email, and even if they did, any addresses should have bounced off years ago. Still, it does bring up some broader policy issues.
Many, many things online, from bank accounts to social media accounts to blog commenting systems treat email addresses as a unique identifier for that account. Many of these databases were developed with the underlying assumption that people wouldn’t change their email addresses and that it was a static value. This wasn’t a true assumption 10 years ago and it’s certainly not true now. This mistaken assumption is a problem, and one that more and more companies are going to have to address moving forward. This isn’t about email and it isn’t about delivery, it’s about simple data accuracy and hygiene.
Companies must start thinking about, and addressing, email address impermanence. These issues are not going away.


News snapshot

  • The judge in e360 v. Spamhaus has denied Spamhaus’ motion for dismissal. However, the judge also ordered that the 16 new witnesses be stricken and capped damages at the original $11.7M. Mickey has the order.
  • Tuesday the FTC announced it had shut down a major spamming operation. I am not sure the results are visible yet: yesterday there were 2041 spams in one of my mailboxes, versus 2635 a week ago.
  • The FBI announced today it had infiltrated and shut down an international carding ring. While not directly spam related, phishers and carders work together and some of them use spam.
  • Rumor has it that many mailers have been seeing problems delivering to AOL the last few days. It seems that AOL is making adjustments to their filtering system. As whenever an ISP changes filter rules and weights, some of the people who were just skirting by see delivery problems. What people are hearing is that if they are seeing delivery problems at AOL they need to improve their reputation.
  • Last week Yahoo had another online workshop with the mail folks. They have published a transcript of the talk. I was at the talk and there were only a couple spam related questions.

donhburger: Why does Yahoo sell our email addresses to spammers?
YMailRyan: We absolutely don’t sell your addresses to spammers. No IFs, ANDs, or BUTs about it.
imintrouble: My mom keeps emailing me but I never get it and usually it ends up in my spam box. Why? How do I make this stop? She’s getting pissed that I’m not replying.
YMailTeam: Oh no! Be sure your Mom is on your contact list– this should help keep mom out of spam box and put her back into your inbox.
buergej: Just why do I keep receiving the same kind of spam from a series of what appear to be women day after day after day?
YMailCarl: Spam is, unfortunately, a constant problem for anyone using email. The reason you are receiving these emails is because spammers have somehow gotten a hold of your email address and are mailing you their lovely messages. There are several things you can do to assist with this. First, continue to report these messages as “Spam” by clicking the button at the top of the email labeled “Spam”. Note that you don’t need to actually look at the message to do this. When you report items as spam it lets Yahoo! know that messages originating from that person are likely spam. This not only helps you, but helps other Yahoo! users as well.
YMailCarl: Second, if the emails are from similar names, you can set up filters in your email account to block those names and send them to your trash or spam folder.
YMailCarl: Obviously these messages you are receiving are not from women trying to sell you products personally – the messages are typically generated by a script which will try to forge or “spoof” the originating address.
YMailCarl: We agree that Spam is a serious issue and have many resources dedicated to fighting this problem.
YMailCarl: You can find some additional information about fighting spam here: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/index.html
donhburger: Why, when I mark emails as spam, do I continue to get emails from the same persons?
YMailMaryn: When you mark a message as “spam” from within your Inbox that moves the message to your Spam Folder. And all subsequent messages that are sent from that particular sender will not be delivered to your Inbox, but will be delivered to your Spam Folder.
