Security Incidents: Re: Spammers?

[jlewis () lewis org]

On Thu, 27 Feb 2003, Christopher Wagner wrote:

> Good day all..
>
> I'm encountering some rather annoying problems with my mail server.
>
> It appears as though someone is trying rather desperately to relay through
> my mail server, and using multiple boxes from all over the place to do it.
> They are all directed at pacbell.net and they're all from the commonly faked
> mail from:'s (ie: hotmail, mindspring, earthlink)
>
> Logs:
>
> Feb 25 07:12:02 goober postfix/smtpd[31398]: reject: RCPT from
> unknown[62.117.66.182]: 554 <idapaul () pacbell net>: Recipient address
> rejected: Relay access denied; from=<t1p2dj10x () earthlink net>
> to=<idapaul () pacbell net>
> --
> Feb 25 07:10:37 goober postfix/smtpd[31398]: reject: RCPT from
> kamosbs.kamocci.or.jp[157.120.128.130]: 554 <gortons () pacbell net>: Recipient
> address rejected: Relay access denied; from=<r275rmd0b () mindspring com>
> to=<gortons () pacbell net>
These first two are open proxies.  It seems a little odd that someone 
would abuse an open proxy and then look for open relays through it rather 
than do direct-to-MX spam from it.  I wonder if that's intentional, 
accidental, or just a coincidence that they're open proxies.

http://njabl.org/cgi-bin/lookup.cgi?query=157.120.128.130
http://njabl.org/cgi-bin/lookup.cgi?query=62.117.66.182

It can't hurt to look up the NIC contacts for them and send a complaint.
 
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>