BLOG

Open relays

Spamhaus wrote about the return of open relays yesterday. What they’re seeing today matches what I see: there is fairly consistent abuse of open relays to send spam. As spam problems go it’s not as serious as compromised machines or abuse-tolerant ESPs / ISPs/ freemail providers – either in terms of volume or user inbox experience – but it’s definitely part of the problem.
I’m not sure how much of a new problem it is, though.
Spammers scan the ‘net for mailservers and attempt to relay email through them back to email addresses they control. Any mail that’s delivered is a sign of an open relay. They typically put the IP address of the mailserver they connected to in the subject line of the email, making it easy for them to mechanically extract a list of open relays.
We run some honeypots that will accept and log any transaction, which looks just like an open relay to spammers other than not actually relaying any email. They let us see what’s going on. Here’s a fairly typical recent relay attempt:

MAIL FROM: <test@live.com>
RCPT TO: <therichsheickc@yahoo.com>
RCPT TO: <therichsheick1@yahoo.com>
RCPT TO: <therichsheick9@yahoo.com>
RCPT TO: <therichsheick2@yahoo.com>
RCPT TO: <therichsheick0@yahoo.com>
RCPT TO: <therichsheickb@yahoo.com>
RCPT TO: <therichsheick7@yahoo.com>
RCPT TO: <therichsheick13@yahoo.com>
RCPT TO: <therichsheick4@yahoo.com>
RCPT TO: <therichsheickf@yahoo.com>
RCPT TO: <therichsheick12@yahoo.com>
RCPT TO: <therichsheick5@yahoo.com>
RCPT TO: <therichsheicke@yahoo.com>
RCPT TO: <therichsheickd@yahoo.com>
RCPT TO: <therichsheicka@yahoo.com>
RCPT TO: <therichsheick10@yahoo.com>
RCPT TO: <therichsheick6@yahoo.com>
RCPT TO: <therichsheick3@yahoo.com>
RCPT TO: <therichsheick@yahoo.com>
RCPT TO: <therichsheick11@yahoo.com>
RCPT TO: <therichsheick8@yahoo.com>
DATA
From: <test@live.com>
Date: Sun, 1 Dez 2013 12:17:21 +0000
Subject: ip.ad.ddr.ess@pauletteOpen Relay
It’s 106 miles to Chicago, we got a full tank of gas, half a pack of cigarettes, it’s dark… and we’re wearing sunglasses.
.

This test came from an IP address apparently in the Amazon cloud, which isn’t unusual, but they also come from compromised machines or grubby little /28 allocations from all over the place.
You can see that they use multiple test destination addresses, so that even if they lose access to some they won’t lose the results of the relay test. In this case they’re using yahoo.com addresses, which isn’t at all unusual.
The same relay scanner has been using exactly that same set of yahoo.com email addresses unchanged for over a year, so it seems that their losing access to them isn’t a serious risk.
How new is this?

relay.numbers

 
We saw over 100,000 relay attempts in March 2010. The break in 2011 is when the machine running the honeypot moved providers. That the relay attempts didn’t increase back to previous levels is interesting; I’m guessing that some ranges of network space are more profitable to mine for open relays than others. This graph is a logarithmic scale, as otherwise the more recent volumes would be dwarfed by the older ones.
Lets just look at traffic since mid-2011, with a linear scale, instead. Broken down by week, rather than month too:

weekly.numbers

 
Well, something is certainly happening. But it’s a very spiky sort of traffic anyway, so short term changes don’t necessarily mean anything.
I’m not sure if there’s any trend or message to draw from this other than “Here, have some data.” and “Open relays are still an issue, and spammers are still actively looking for them.”

4 comments

  1. Martijn says

    When I was setting up my non-standard testing network some years ago, one of the machines was running as an actual open relay for five minutes. I know, because a spammer found out with a test message like the one above (except they used yahoo.com.tw – that seems to be popular among open relay-abusers). For years I kept receiving delivery attempts for those addresses.
    On an aside, I recently got a 419 scam where something had gone wrong and a username and password (‘1234567′) were accidentally included in the Subject line. They worked for relaying email (and for IMAP too). From the spammers’ point of view, this is just as much an open relay.

  2. Nick the Amateur LARTist says

    My mailservers are being probed on a regular basis by spammers trying to relay to various therichsheick…@yahoo.com addresses. One common trait of these attempts is that the ‘helo’ string is the IP address or hostname of the mailserver being probed. It happens often enough so that I added a postfix table that rejects all clients using these ‘helo’ strings, unless they are on the local network.

  3. Nope says

    Yeah, this guy/girl is prodding my servers continuously now.

  4. Captain Dunsil says

    Therichsheick is not only probing for open relays. It’s also probing authentication username/PW pairs. We’ve been hit on different email servers through different IP addresses by the richsheick probe for several years. We just installed a new SBS for a client who migrated from Office365 and it wasn’t long until therichsheick began probing. We initially created user accounts with passwords that matched the usernames and set to require a password change at the first login. Well, POP3/SMTP access was also set up for mobile users.
    GUESS WHAT?! Therichsheick guessed one of the pairs and soon began sending thousands of authenticated emails through the new SMTP server. So there’s more to therichsheick than just probing open relays. I would guess that the main reason it keeps probing even in the face of denied relays is to get an authentication hit. Then it does it’s dirty work. The initial probes were from a Bolivia IP. The subsequent emails came from all over the place. There’s obviously a large network of richsheick hosts or infected computers producing the spam.

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.