"RelayFinder" Anyone else seen this? (erols, fnord, oneill may be interested)

Had a new box on the net for all of two hours, and this pops up in my
maillog:

Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "250
<relayfinder@fnord.net>... Sender ok": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "250
<relayfinder@fnord.net>... Recipient ok": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "354 Enter
mail, end with "." on a line by itself": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: from=<relayfinder@fnord.net>,
size=81, class=0, pri=30081, nrcpts=1, msgid=<199806230318.WAA00509@<MY
FQDN WAS HERE>>, proto=SMTP, relay=autumn.news.erols.com [207.172.3.57]
Jun 22 22:18:41 x sendmail[509]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "250 WAA00509
Message accepted for delivery": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "503 Need MAIL
before RCPT": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "503 Need MAIL
command": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "500 Command
unrecognized: "X-Scan-Time: 898571908"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "500 Command
unrecognized: "X-CIDR-Block: <MY /16 WAS HERE>"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "500 Command
unrecognized: "X-Relay-Address: <MY IP ADDR WAS HERE>"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg
(autumn.news.erols.com): error on output channel sending "500 Command
unrecognized: "."": Broken pipe
Jun 22 22:19:57 x sendmail[511]: WAA00509: to=<relayfinder@fnord.net>,
delay=00:01:16, xdelay=00:01:16, mailer=esmtp, relay=luser.oneill.net.
[207.96.89.34], stat=Deferred: Operation timed out with
luser.oneill.net.

It looks to me like someone on the host at erols tried to relay through
me, and then mail the potential results to themselves at fnord.net
(relayed via oneill.net).

Is someone attempting to perform a community service here and scan the
entire Internet for relays, or are they collecting relays for evil
purposes? I can see it now; buy "10 million relay sites on a cdrom for
$9.99".

Ryan Brooks
ryan@inc.net

> Is someone attempting to perform a community service here and scan the
> entire Internet for relays, or are they collecting relays for evil
> purposes? I can see it now; buy "10 million relay sites on a cdrom for
> $9.99".

If it's of any interest, I found the same thing going through my logs this
morning.

Derek

You know the phrase "The road to hell is paved with good intentions"? Well,
guilty as charged. The original intent was to scan the net for relays to
try to get some data on how many open relays were still out there. I got
almost all of 204.0.0.0/8 scanned, but I've stopped scanning due to the
volume of complaints and the few legal threats I've gotten. I have _no_
intention of doing any more scanning. Overall, people's responses have been
positive once I explained what the intent was, but the legal threats have
given me sufficient motive to cease any further scanning.[1]

FWIW, I'd like to publicly apologize to everyone that's seen this for the
trouble I've caused. If anyone has any questions about this, please feel
free to mail me.

1. I won't be doing any more scanning. Really.

Hmmm -- a brute-force scan may have been a bad idea, but the idea may in
fact be a good one.

I'm thinking instead to extract from the sendmail logs all mail servers that
connect to an ISP, and run a scan on them. Hopefully craft the return DNS
entry such that it's obvious it's a legit test. Or simply to be innocuous.

Test all relays that connect to us, a few ISPs do that, and we might just
have a large list of open SMTP servers to contact to fix their servers.
Couple with a list of how to fix/upgrade the various server versions
(including clueless NT ones), and we might actually make a dent.

-Chris
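Two things in this thread are worth automating from the defender's side: recognising Ryan's maillog pattern (the probe's pseudo-headers bounced back as "500 Command unrecognized", the relayfinder sender, and the tell-tale "to=" line showing the box actually accepted and tried to deliver the probe off-site), and the first step of Chris's proposal, pulling the list of peers that hand you mail out of the same logs. The script below is an added example, not code from any poster in this thread. It assumes classic sendmail syslog wording as quoted above; the sample log is constructed by re-joining the wrapped lines from Ryan's post, with the addresses he redacted replaced by RFC 5737 documentation values and two ordinary deliveries added so a benign peer shows up in the inventory.

```python
"""Flag open-relay probes in a sendmail maillog and inventory connecting peers.
Added example for this thread (not any poster's code).  Assumes sendmail 8.x
syslog wording; sample values below are constructed, not real."""
import re
from collections import defaultdict

# Constructed sample: the thread's wrapped lines re-joined, redacted values
# replaced with placeholders (mx.example.net, 192.0.2.0/24, 192.0.2.10).
SAMPLE_LOG = """\
Jun 22 22:18:41 x sendmail[509]: WAA00509: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "250 <relayfinder@fnord.net>... Sender ok": Broken pipe
Jun 22 22:18:41 x sendmail[509]: WAA00509: from=<relayfinder@fnord.net>, size=81, class=0, pri=30081, nrcpts=1, msgid=<199806230318.WAA00509@mx.example.net>, proto=SMTP, relay=autumn.news.erols.com [207.172.3.57]
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-Scan-Time: 898571908"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-CIDR-Block: 192.0.2.0/24"": Broken pipe
Jun 22 22:18:41 x sendmail[508]: NOQUEUE: SYSERR: putoutmsg (autumn.news.erols.com): error on output channel sending "500 Command unrecognized: "X-Relay-Address: 192.0.2.10"": Broken pipe
Jun 22 22:19:57 x sendmail[511]: WAA00509: to=<relayfinder@fnord.net>, delay=00:01:16, xdelay=00:01:16, mailer=esmtp, relay=luser.oneill.net. [207.96.89.34], stat=Deferred: Operation timed out with luser.oneill.net.
Jun 23 09:02:10 x sendmail[640]: JAA00640: from=<alice@example.org>, size=1200, class=0, pri=31200, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, relay=mail.example.org [198.51.100.7]
Jun 23 09:02:11 x sendmail[641]: JAA00640: to=<bob@mx.example.net>, delay=00:00:01, xdelay=00:00:01, mailer=local, stat=Sent
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
                     r"(?P<qid>\S+): (?P<rest>.*)$")
SYSERR_RE = re.compile(r'^SYSERR: putoutmsg \((?P<peer>[^)]*)\): error on output channel sending '
                       r'"(?P<reply>.*)": (?P<err>.*)$')
UNRECOG_RE = re.compile(r'^500 Command unrecognized: "(?P<cmd>.*)"$')
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")          # key=value fields of from=/to= lines
RELAY_RE = re.compile(r"relay=(?P<host>\S+?)\.? \[(?P<ip>[^\]]+)\]")

# Pseudo-headers the probe pushed at the server as commands, and its sender name.
PROBE_HEADERS = ("X-Relay-Address", "X-CIDR-Block", "X-Scan-Time")
PROBE_LOCALPARTS = {"relayfinder"}


def parse_line(line):
    """Return a dict for one sendmail log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = SYSERR_RE.match(rec["rest"])
    if s:                                    # output-channel error: peer hung up on us
        rec.update(kind="syserr", **s.groupdict())
        return rec
    rec["kind"] = "envelope"                 # from=/to= accounting line
    rec["fields"] = {k: v.strip() for k, v in KV_RE.findall(rec["rest"])}
    r = RELAY_RE.search(rec["rest"])
    rec["relay_host"], rec["relay_ip"] = (r.group("host"), r.group("ip")) if r else (None, None)
    return rec


def find_relay_probes(lines):
    """Group probe evidence by connecting peer.  A non-empty relayed_to means the
    server accepted the probe and attempted off-site delivery, i.e. it relayed."""
    peers = defaultdict(lambda: {"indicators": set(), "senders": set(), "qids": set()})
    deliveries = defaultdict(list)           # queue id -> [(recipient, mailer)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "syserr":
            u = UNRECOG_RE.match(rec["reply"])
            if u:
                for hdr in PROBE_HEADERS:
                    if u.group("cmd").startswith(hdr + ":"):
                        peers[rec["peer"]]["indicators"].add(hdr)
            continue
        f = rec["fields"]
        if "from" in f and rec["relay_host"]:
            sender = f["from"].strip("<>")
            info = peers[rec["relay_host"]]
            info["senders"].add(sender)
            info["qids"].add(rec["qid"])
            if sender.split("@")[0].lower() in PROBE_LOCALPARTS:
                info["indicators"].add("sender " + sender)
        if "to" in f:
            deliveries[rec["qid"]].append((f["to"].strip("<>"), f.get("mailer", "")))
    findings = []
    for peer, info in sorted(peers.items()):
        if not info["indicators"]:
            continue
        relayed_to = sorted({rcpt for q in info["qids"]
                             for rcpt, mailer in deliveries.get(q, []) if mailer != "local"})
        findings.append({"peer": peer, "indicators": sorted(info["indicators"]),
                         "senders": sorted(info["senders"]), "relayed_to": relayed_to})
    return findings


def inbound_relays(lines):
    """Chris's first step: every peer that handed us mail, hostname -> set of IPs."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "envelope" and "from" in rec["fields"] and rec["relay_host"]:
            seen[rec["relay_host"]].add(rec["relay_ip"])
    return dict(seen)


if __name__ == "__main__":
    for hit in find_relay_probes(SAMPLE_LOG.splitlines()):
        print(hit)
    print(inbound_relays(SAMPLE_LOG.splitlines()))
```

Run it against `/var/log/maillog` instead of the sample and the useful signal is the `relayed_to` field: in Ryan's log the probe message got a queue id, a "250 Message accepted", and a `to=` line with `mailer=esmtp` to a third-party host, which is the server itself recording that it relayed. The inventory is deliberately just a list of names and addresses; what to do with it (notify, block, or nothing) is the policy question the thread is arguing about.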