"RelayFinder" Anyone else seen this? (erols, fnord, oneill may be interested)
Had a new box on the net for all of two hours, and this pops up in my maillog:

Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "250 <relayfinder@fnord.net>... Sender ok": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "250 <relayfinder@fnord.net>... Recipient ok": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "354 Enter mail, end with "." on a line by itself": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: from=<relayfinder@fnord.net>, size=81, class=0, pri=30081, nrcpts=1, msgid=<199806230318.WAA00509@<MY FQDN WAS HERE>>, proto=SMTP, relay=autumn.news.erols.com [207.172.3.57]
Jun 22 22:18:41 x sendmail[509]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "250 WAA00509 Message accepted for delivery": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "503 Need MAIL before RCPT": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "503 Need MAIL command": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-Scan-Time: 898571908"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-CIDR-Block: <MY /16 WAS HERE>"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-Relay-Address: <MY IP ADDR WAS HERE>"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "."": Broken pipe
Jun 22 22:19:57 x sendmail[511]: WAA00509: to=<relayfinder@fnord.net>, delay=00:01:16, xdelay=00:01:16, mailer=esmtp, relay=luser.oneill.net. [207.96.89.34], stat=Deferred: Operation timed out with luser.oneill.net.

It looks to me like someone on the host at erols tried to relay through me, and then mail the potential results to themselves at fnord.net (relayed via oneill.net).

Is someone attempting to perform a community service here and scan the entire Internet for relays, or are they collecting relays for evil purposes? I can see it now; buy "10 million relay sites on a cdrom for $9.99".

Ryan Brooks
ryan@inc.net
If it's of any interest, I found the same thing going through my logs this morning.

Derek
Hot Diggety! On a bright and sunny day, Ryan K. Brooks was rumored to have said...
Had a new box on the net for all of two hours, and this pops up in my maillog:
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "250 delay=00:01:16, xdelay=00:01:16, mailer=esmtp, relay=luser.oneill.net. [207.96.89.34], stat=Deferred: Operation timed out with luser.oneill.net.
Don't know what intentions were, but news.erols.com and oneill.net leads me to believe you probably want to contact Clayton O'Neill at coneill@erols.com.

Was hit by that, too...the host was id'ed as hmm.colo.erols.net as well as luser.oneill.net. Not too wild about it -- I figure SMTP hosts identified by DNS is fair game, but generally regard any other questionable access as potential abuse cases.

hmm.colo.erols.net doesn't exist in the DNS, so I'm not sure offhand whether this was spoofed or not.

Clayton, you know anything about this?

-Dan
I was hit at bpisles.liii.com, by autumn.news.erols.com, my host is in no way an SMTP server, and actually isn't even running an SMTP.

Jun 23 02:54:15 bpisles tcplog: smtp connection attempt from autumn.news.erols.com

On Wed, 24 Jun 1998, Dan Foster wrote:
Hot Diggety! On a bright and sunny day, Ryan K. Brooks was rumored to have said...
Had a new box on the net for all of two hours, and this pops up in my maillog:
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "250 delay=00:01:16, xdelay=00:01:16, mailer=esmtp, relay=luser.oneill.net. [207.96.89.34], stat=Deferred: Operation timed out with luser.oneill.net.
Don't know what intentions were, but news.erols.com and oneill.net leads me to believe you probably want to contact Clayton O'Neill at coneill@erols.com.
Was hit by that, too...the host was id'ed as hmm.colo.erols.net as well as luser.oneill.net. Not too wild about it -- I figure SMTP hosts identified by DNS is fair game, but generally regard any other questionable access as potential abuse cases.
hmm.colo.erols.net doesn't exist in the DNS, so I'm not sure offhand whether this was spoofed or not.
Clayton, you know anything about this?
-Dan
-Brian Pavane -LIII Support Staff
Don't know what intentions were, but news.erols.com and oneill.net leads me to believe you probably want to contact Clayton O'Neill at coneill@erols.com.
[...]
Clayton, you know anything about this?
There was some discussion of this on comp.mail.sendmail, thread "Relay Robot???". There are posts there from Erol's "Abuse Guy" and from Clayton O'Neill regarding the intent and the current status.
On 24 Jun 1998 11:29:22 -0400, Ryan K. Brooks <ryan@inc.net> wrote:

|Had a new box on the net for all of two hours, and this pops up on in my
|maillog:
|It looks to me like someone on the host at erols tried to relay through
|me, and then mail the potential results to themselves at fnord.net
|(relayed via oneill.net).
|
|Is someone attempting to perform a community service here and scan the
|entire Internet for relays, or are they collecting relays for evil
|purposes? I can see it now; buy "10 million relay sites on a cdrom for
|$9.99".

You know the phrase "The road to hell is paved with good intentions"? Well, guilty as charged. The original intent was to scan the net for relays to try to get some data on how many open relays were still out there. I got almost all of 204.0.0.0/8 scanned, but I've stopped scanning due to the volume of complaints and the few legal threats I've gotten. I have _no_ intention of doing any more scanning. Overall, people's responses have been positive once I explained what the intent was, but the legal threats have given me sufficient motive to cease any further scanning.[1]

FWIW, I'd like to publicly apologize to everyone that's seen this for the trouble I've caused. If anyone has any questions about this, please feel free to mail me.

1. I won't be doing any more scanning. Really.
Hmmm -- a brute-force scan may have been a bad idea, but the idea may in fact be a good one. I'm thinking instead to extract from the sendmail logs all mail servers that connect to an ISP, and run a scan on them. Hopefully craft the return DNS entry such that it's obvious it's a legit test. Or simply to be innocuous.

Test all relays that connect to us, a few ISPs do that, and we might just have a large list of open SMTP servers to contact to fix their servers. Couple with a list of how to fix/upgrade the various server versions (including clueless NT ones), and we might actually make a dent.

-Chris
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
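Example code added here, not part of the thread or anyone's posted code: a small parser for the sendmail log format Ryan quotes that groups records by queue id, flags sessions where the RelayFinder headers showed up as unrecognized SMTP commands and the injected message was then relayed onward, and lists the connecting hosts Chris suggests pulling from the logs. The sample log is constructed from the lines quoted above; the example.net/example.org names and RFC 5737 addresses in it are placeholders.

```python
import re
from collections import defaultdict

# One regex per sendmail record type we care about, matching the log format quoted in the thread.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<addr>[^>]*)>.*?relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<addr>[^>]*)>.*?relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]")
SYSERR_RE = re.compile(r'putoutmsg \((?P<host>[^)]+)\): error on output channel sending "(?P<resp>.*)": Broken pipe$')
# Header names the RelayFinder probe sent as bare SMTP commands; sendmail rejects them as "500 Command unrecognized".
PROBE_HEADERS = ("X-Scan-Time", "X-CIDR-Block", "X-Relay-Address")

# Constructed sample modelled on the thread's lines; example.net/example.org and RFC 5737 addresses are placeholders.
SAMPLE_LOG = """
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-Scan-Time: 898571908"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-Relay-Address: 192.0.2.10"": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: from=<relayfinder@fnord.net>, size=81, class=0, pri=30081, nrcpts=1, msgid=<199806230318.WAA00509@mail.example.net>, proto=SMTP, relay=autumn.news.erols.com [207.172.3.57]
Jun 22 22:19:57 x sendmail[511]: WAA00509: to=<relayfinder@fnord.net>, delay=00:01:16, xdelay=00:01:16, mailer=esmtp, relay=luser.oneill.net. [207.96.89.34], stat=Deferred: Operation timed out with luser.oneill.net.
Jun 23 09:01:02 x sendmail[600]: JAA00600: from=<alice@example.org>, size=1200, class=0, pri=31200, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, relay=mx.example.org [198.51.100.7]
Jun 23 09:01:03 x sendmail[601]: JAA00600: to=<bob@mail.example.net>, delay=00:00:01, xdelay=00:00:01, mailer=local, stat=Sent
""".strip().splitlines()

def parse_maillog(lines):
    """Group from=/to= records by queue id; collect hosts whose session carried probe markers."""
    messages, probe_hosts = defaultdict(dict), defaultdict(set)
    for line in lines:
        if m := FROM_RE.search(line):
            messages[m["qid"]].update(sender=m["addr"], src_host=m["relay"], src_ip=m["ip"])
        elif m := TO_RE.search(line):
            messages[m["qid"]].update(rcpt=m["addr"], dst_host=m["relay"])
        elif m := SYSERR_RE.search(line):
            probe_hosts[m["host"]].update(h for h in PROBE_HEADERS if f'Command unrecognized: "{h}:' in m["resp"])
    return dict(messages), {h: s for h, s in probe_hosts.items() if s}

def relay_probes(messages, probe_hosts):
    """Queue ids injected by a probing host that we then handed on to another MX (a successful relay test)."""
    return sorted(q for q, r in messages.items() if r.get("src_host") in probe_hosts and "dst_host" in r)

def connecting_hosts(messages):
    """Distinct (hostname, ip) pairs that handed us mail: the list Chris proposes to extract and review."""
    return sorted({(r["src_host"], r["src_ip"]) for r in messages.values() if "src_host" in r})

if __name__ == "__main__":
    msgs, probes = parse_maillog(SAMPLE_LOG)
    for qid in relay_probes(msgs, probes):
        r = msgs[qid]
        print(f"{qid}: relay probe from {r['src_host']} ({r['src_ip']}) markers={sorted(probes[r['src_host']])}")
```

The "to=" record with a foreign relay= host after a "from=" record from a foreign host is the tell that the message was accepted for relay, which is what makes the probe a hit rather than just noise.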
participants (7)
- Brian Pavane
- Christopher X. Candreva
- Dan Foster
- Derek Balling
- Ryan K. Brooks
- Stephen Stuart
- usenet@oneill.net