Re: New spam-probing wave?

From: Jeff Kell (jeff-kell@utc.edu)
Date: 01/23/03

    Date: Thu, 23 Jan 2003 17:47:18 -0500
    From: Jeff Kell <jeff-kell@utc.edu>
    To: patrick.oonk@pine.nl
    
    

    Patrick Oonk wrote:
    >
    > Hi,
    >
    > I get lots of probes for email addresses at some of my mailservers.
    > It seems people are probing the MX-es of domains they get from
    > the registries, and then try a list of accounts, to see if they exist,
    > so they can be spammed in the future. I probed some of the (now blocked)
    > offending hosts, and a lot of them run open proxies, so I suspect they
    > are being used as an intermediate. It seems the probes are coordinated
    > in some way, as if I block one offender, a few moments later the probes
    > appear from another host.

    Haven't seen this first-hand, but some well-known spam sources have
    been scanning our subnets for relays/proxies, and the scanning is
    targeted to our address spaces (widely spaced apart). Block one, and
    another(s) reappear shortly thereafter. They will probe ports 25, 80,
    1080, 3128, 8000, and 8080 of each address. And it has been constant
    for weeks now. The scans are relatively slow, and somewhat randomized
    (at least non-sequential), but persistent.

    The worst offender is 138.121.23/24; a newer source is 200.30.203.160.
    Others come and go, but the first one has been at it since before
    Christmas.

    Jeff

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
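
The scan pattern described in this thread (slow, non-sequential probes of ports 25, 80, 1080, 3128, 8000 and 8080, with a new source appearing after each block) can be picked out of connection logs by counting distinct ports and targets per source network rather than by rate. This is an added example, not part of the original messages; the log format, the /24 grouping and the thresholds are assumptions, and the sample log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Ports named in the message: SMTP relay plus common open-proxy ports.
RELAY_PROXY_PORTS = {25, 80, 1080, 3128, 8000, 8080}

# Constructed sample in a hypothetical format: "<date> <time> <src> <dst> <dport>".
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-01-20 02:11:09 192.0.2.10 198.51.100.7 3128
2003-01-20 09:47:31 192.0.2.10 203.0.113.44 1080
2003-01-21 04:02:55 192.0.2.10 198.51.100.7 8080
2003-01-21 16:30:12 203.0.113.200 198.51.100.25 25
2003-01-22 01:15:40 192.0.2.77 203.0.113.9 25
2003-01-22 13:58:03 192.0.2.77 198.51.100.130 8000
2003-01-23 08:20:00 203.0.113.200 198.51.100.25 25
2003-01-23 11:05:27 203.0.113.201 198.51.100.80 80
"""

def find_proxy_scanners(log_text, min_ports=3, min_targets=3):
    """Return {source /24: (sorted ports, distinct target count)} for scanners.

    No time window is applied: the scans described are slow and spread over
    weeks, so a per-minute rate threshold would miss them. Grouping by /24
    (an assumption) keeps counting when a blocked host is replaced by a
    neighbour in the same network.
    """
    ports = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        _, _, src, dst, dport = fields
        try:
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # malformed address or port
        if port in RELAY_PROXY_PORTS:
            ports[net].add(port)
            targets[net].add(dst)
    return {str(n): (sorted(ports[n]), len(targets[n])) for n in ports
            if len(ports[n]) >= min_ports and len(targets[n]) >= min_targets}

if __name__ == "__main__":
    for net, (hit_ports, n_targets) in find_proxy_scanners(SAMPLE_LOG).items():
        print(f"{net}: ports {hit_ports} across {n_targets} targets")
```

The mail and web clients in 203.0.113.0/24 stay below the default thresholds because each touches a single service; only a source network that walks several relay/proxy ports across several hosts is reported.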