|Tweet Follow @spamhaus||
Spamhaus Botnet Summary 2016
Network Hijacking on the Rise
Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs
More Domain Stats: The 10 Most Abused Registrars
SBL/ZEN DNS lookups to return DROP/eDROP status
Spamhaus Presents: The World's Worst Top Level Domains
Verizon Routing Millions of IP Addresses for Cybercrime Gangs
Brazilian internet users suffer SoftLayer's security fail
Older News Articles:
Spamhaus News INDEX
1997-2003: THE OPEN RELAY ERA
Around 1997, a company named Cyber Promotions (a/k/a Cyberpromo) was the first to start spamming Internet users on a massive scale. Cyberpromo first did this from their own mail servers, relying on their ISP's unwillingness to disconnect them. Within a short time, however, system administrators across the world started blocking email from the IP address ranges used by Cyberpromo.
After pondering on how to continue having their ads delivered, Cyberpromo had a clever but evil idea: send email through mailservers belonging to other companies. At that time, most mailservers on the Internet were open relays: anybody could connect to them from anywhere and send email to anybody. Today this seems absurd, but at that time abuse was rare and equipment failures more common than they are today. System administrators left relays open to ensure that legitimate user traffic could always be sent even if the user's own local server was not functioning.
So, Cyberpromo started sending their advertisements through mailservers that did not belong to them without the owners' permission. They sent many thousands of messages through each server, often saturating the server's Internet connection with junk email and leaving no capacity for that company to send or receive its own email. The administrators of those mailservers and networks had to spend hours to clean up the resulting mess. Cyberpromo constantly changed the abused open relays, making it difficult to block their activity in advance. Some message transfer agent (MTA) software, the software used to run a mailserver, could not be secured against abuse as an open relay without installing an unofficial patch which server admins were reluctant to apply.
Other spammers followed Cyberpromo's example, and open relay hijacking became a favoured spamming method for a few years in the early 2000s. Several people and organizations in the email security field reacted by setting up DNS-based blocklists (DNSBLs) that listed the IP addresses of servers found to be open relays after observation of spam sent through them and subsequent testing. Among those early DNSBLs that listed only IP addresses involved in open relay abuse were the MAPS RSS, ORBL, ORBS, ORBZ, ORDB, and RSL blocklists. Other blocklists that included IP addresses involved in open relay abuse but also other types of abuse included AHBL, DSBL, Five-Ten-SG, NJABL, and SORBS.
At the same time, developers of MTAs changed their code and default configurations to ensure that default installations were closed relays and to make creating an open relay more difficult. A closed relay basically means a mailserver that allows inbound mail only to its own users, and outbound mail only from its own users or others who are authorized to use the mailserver. A mailserver enforces these restrictions for outbound mail either by checking that the connecting IP address is in a trusted list or by requiring some other type of authentication. If somebody tries to send email that doesn't meet the restrictions, the mailserver rejects the email during the initial SMTP dialogue.
As increasing numbers of hijacked open relays were placed on DNSBLs automatically shortly after a spam run started, system administrators were notified that their mail servers were insecure open relays because legitimate emails sent through those servers were also rejected by recipients. The system administrators would upgrade their mailserver software and configurations, stopping spammers from abusing the mailservers, and then request removal of their IP address to the blocklists. The number of active open relays—which grew in number through 2001—stabilized at between 200,000 and 250,000 in 2002, and then began to decline. Spammers moved on to exploit other types of server insecurities such as open proxies and then "bots" (virus infected computers) during 2003. By 2005 or 2006 open relays had ceased to be an important spam vector. The majority of dedicated open relay DNSBLs shut down. The anti-abuse community declared that the open relay problem was solved.
BUT NOW THEY'RE BACK!
In 2012 and 2013, the Spamhaus Project has created about 4,000 SBL records for open relay mail systems. Some spammers in China, Taiwan, Russia, Brazil, Colombia, and other countries use open relays routinely to send spam. Spamhaus does not do any server testing, but discussions with ISPs and system administrators, spam header analysis and knowledge on how specific spammers work bring open relay cases to light with a very low margin of error. ("Error" in these cases normally means that the server was not wide open but the spammer managed to authenticate successfully using a guessed or stolen password, as discussed in a previous news article.)
Despite our efforts, Spamhaus is not catching all open relays. At the very least, 10-20 new open relay systems are found and abused by spammers each day. The problem is not as large now as it was in the past, but it is still significant. Spam coming from real, legitimate mailservers often passes through filters and manages to land into mailboxes. Spam that abuses an open relay still costs the organization owning it time and trouble to clean up the mess. The perhaps premature death of dedicated open relay DNSBLs forces us to spend time and resources to find and manually list open relays in the SBL, and think about what we can do to reduce the number of open relays to a negligible level once more.
WHERE DO THE SECOND GENERATION OF OPEN RELAYS COME FROM?
Most of the new crop of open relays, unlike the old, did not appear because of software bugs or poor default configurations. Some of the new open relays are caused by server administrators who deliberately open up mailserver configurations for testing, during a server relocation, or for some other reason. These system administrators often do this out of blind optimism: they believe that "no spammers attack open relays any more". Unfortunately they're mistaken. Spammers constantly test all mail servers on the Internet for open relays. Most are found within days if not hours!
However, the lion's share of new open relays is caused by insecure configuration, not of the mailserver itself, but of a firewall or an email security appliance. These appliances are placed between the existing mailserver and the Internet. They accept inbound SMTP connections from the Internet, examine traffic, and then pass only the messages that did not trigger spam or malware filters on to the real mailserver. The actual mailserver, which is normally properly configured, is not accessible to external traffic. The mail system is now a combination of two devices that work in close cooperation, and it is the mail system as a whole that should be immune from open relay abuse. What is happening in most cases is that a problem in the configuration of the security appliance causes the whole mail system to be open to relaying.
Remember: a mail system should accept inbound email to its users, outbound email from its users, and should reject all other email that it receives. Otherwise, that mail system is an open relay. If inbound email passes through a security appliance first, and the appliance passes the email and delivers it to the mailserver over a local SMTP connection, the mailserver treats the security appliance IP address, not the actual connecting IP address, as the source IP address for that email. So if that incoming message is directed outside, the mailserver may consider it generated by a local user and let it go out. Voila: the security appliance and mailserver combination functions as an open relay. And—ironically—this open relay issue hits organizations that made an extra effort to secure their mailservers and network! In most cases these organizations find out about this problem only after a spammer abuses their open relay, and they often struggle to understand the nature of the problem.
SCENARIO 1: NAT ON A FIREWALL
Our observations of samples indicate two common scenarios that lead to open relay two-device systems. Following are an example of each scenario, illustrated with spam that was sent by a well known open relay hijacker from China, with domains and IP addresses altered to protect the identities of our spamtraps and spamtrap MX servers, and of the abused open relay.
In the first scenario, the mailserver sees all SMTP connections as coming from an internal IP address because a firewall does a NAT translation at the network boundary, replacing the original IP address with the firewall IP. Email headers of spam sent through such an open relay look like this:
------------------------------------------------------------------------------ Return-Path: <firstname.lastname@example.org> Received: from mail.example.net (mail.example.net [203.0.113.243]) by xxxxxx (Postfix) with ESMTP id xxxxxx for <xxxxxx>; Wed, 13 Nov 2013 12:xx:xx +0200 (EET) Received: from PC-20121219NMRW ([10.0.0.26] RDNS failed) by mail.example.net with Microsoft SMTPSVC(6.0.3790.4675); Wed, 13 Nov 2013 13:xx:xx +0400 Date: Wed, 13 Nov 2013 17:xx:xx +0800 From: "Jeff" <email@example.com> To: "xxxxxx" <xxxxxx> Reply-To: <firstname.lastname@example.org> Subject: Photo Retouching Services - Photo Cut Out - Photo Editing MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Type: text/plain; charset="GB2312" Content-Transfer-Encoding: base64 Content-Disposition: inline Message-ID: <email@example.com> ------------------------------------------------------------------------------
In this scenario the firewall itself does not speak SMTP, the SMTP connection just goes through it. What happened here is that a machine from some unknown remote IP address (it does not appear in the headers) presented itself in the SMTP HELO as PC-20121219NMRW and connected to the mailserver through the firewall. The firewall changed the source IP address to its own address 10.0.0.26 before passing the email to the mailserver. The mailserver recognized 10.0.0.26 as a local IP address, assumed that the email was from a local sender, and so it sent the email to the spammed email address. The lesson that we learn from this example is that a firewall should never translate the IP addresses of incoming SMTP connections. Another solution, that we recommend to apply only when the previous one is difficult to deploy, is to remove the firewall IP address from the list of local IP addresses in the mail server.
NOTE: NAT translations do not create similar problems over other protocols, such as HTTP or DNS. SMTP is a special case that requires particular caution.
SCENARIO 2: SMTP APPLIANCE + SERVER
In the second scenario, a security appliance acting as MX for the user domain and receiving email traffic from the Internet is misconfigured, as it blindly forwards all traffic to the local mail server (via a separate internal SMTP transaction) instead of rejecting unauthorized relaying attempts. The mailserver accepts everything from the appliance (as it trusts its IP) and proceeds to delivery, forming an open relay mail system together with the appliance. Email headers of spam sent through such an open relay look like this:
------------------------------------------------------------------------------ Return-Path: <firstname.lastname@example.org> Received: from mail.example.com (mail.example.com [198.51.100.204]) by xxxxxx (Postfix) with ESMTP id x for <xxxxxx>; Thu, 14 Nov 2013 13:xx:xx +0200 (EET) Received: from unknown (HELO EROS.example.com) ([192.168.0.50]) by mail.example.com with ESMTP; 14 Nov 2013 06:xx:xx -0500 Received: from PC-20121219KUBO ([184.108.40.206]) by EROS.example.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 14 Nov 2013 06:xx:xx -0500 Date: Thu, 14 Nov 2013 19:xx:xx +0800 From: "Jeff" <email@example.com> To: "xxxxx" <xxxxx> Reply-To: <firstname.lastname@example.org> Subject: Photo Editing Services - Photo Retouching - Photo Cut Out MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Type: text/plain; charset="GB2312" Content-Transfer-Encoding: base64 Content-Disposition: inline Message-ID: <xxxxxxxx@EROS.example.com> ------------------------------------------------------------------------------
This is what happened: the sending machine at 220.127.116.11 contacted the example.com email security appliance (called EROS). EROS did not detect the messages as coming from outside and directed outside, so it accepted them and transferred them to mail.example.com, the mailserver. The security appliance should have rejected these SMTP transactions as open relay abuse, but for some reason it did not. The mailserver treated the internal IP address of the security appliance 192.168.0.50 as the source IP address for the email, granting relay authorization and sending the message to the spam recipients.
The lesson here is that any security appliance or other MX server that receives email from external IP addresses must know which domains it accepts email for, and must reject any attempt to send email from external IP addresses to email addresses at domains that are not on its list. It is always the server that accepts email directly from the Internet that must implement anti-relay rules.
WHAT CAN WE DO ?
Open relays today are commonly created by misconfigured external-facing security appliances. Simple firewalls or proxies letting SMTP connections through should not alter the source IP address of the connection, while devices containing a SMTP server must be configured to detect and reject relaying attempts for the networks that they protect. Manufacturers of firewall and anti-spam appliances need to update the appliances so that they cannot easily be made part of a two-device open relay mail system. We hope that industry will cooperate in reaching this goal soon.
As always, education (knowledge of SMTP!) and awareness of email security issues are also extremely important. The importance of testing all mail systems against open relaying can not be stressed enough. System administrators dealing with an open relay problem or just looking for more informations can find useful references on the Securing Open Relays page at SpamLinks.net.
Archive of one spammer's relay abuse
Spamhaus News Index
Spamhaus in the media
Spamhaus Official Statements
Permanent link to this news article:
The return of the open relays
Subscribe to RSS News Feed
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.