The Register of Known Spam Operations
Alan Ralsky

Country: United States
State: Michigan
Convicted fraudster who spams using hijacked proxies and virus-infected PCs, and in the past by hijacking mail servers and mail accounts. One of the first people to host spam websites in China to evade US law. Served years in prison for stock-fraud spamming, but soon after being released appeared to get right back into spamming.

Massive SMTP-AUTH abuse from China

Starting from approximately November 2002, a large quantity of spam advertising domains whose DNS is served by Ralsky-controlled Chinese nameservers has been transmitted by forcing third-party relaying via SMTP Authentication.

In the past these attacks were launched from dynamic IP connections located in the Chinese province of Chongqing, but there are recent observations of similar attacks coming from other provinces.
In particular, the IP ranges involved are:
- [, SBL11978]
- [, SBL8282, SBL8680]
- [, SBL9326]
- [, SBL7496]
- [cncgroup-HL, SBL11430]
- [cncgroup-HL, SBL10918]
- [chinanet-CQ, SBL10940]
- [chinanet-CQ, SBL10246, SBL10247]
- [china netcom, SBL12286]
- [chinanet-CQ, SBL10536]

Starting in November 2003, similar abuses (distributing the same kind of spam) have also been seen to come from open proxies.

Here is what typical headers look like:

From Sun Aug 31 22:59:32 2003
Return-Path: <>
Received: from ( [])
by __________ (Postfix) with ESMTP id 113E462D03
for <x>; Sun, 31 Aug 2003 22:59:28 +0200 (CEST)
Received: from adjudging ([]) by with Microsoft SMTPSVC(5.0.2195.5329);
Sun, 31 Aug 2003 15:59:07 -0500
From: "Jan Banuelos" <>
To: x
Subject: HGH Can Create a New You for Spring
Date: Sun, 5 May 2002 05:12:43 GMT
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Message-ID: <>

From pow@163.COM Tue Aug 19 17:21:35 2003
Return-Path: <pow@163.COM>
Received: from (unknown [])
by ___________ (Postfix) with ESMTP id 103A16E760
for <x>; Tue, 19 Aug 2003 17:21:28 +0200 (CEST)
Received: from adventures ([])
by (8.11.6/8.11.6) with ESMTP id h7JFLKK09867
for <x>; Wed, 20 Aug 2003 00:21:22 +0900
Message-Id: <>
Date: Wed, 23 Jan 2002 18:15:18 GMT
From: "Rajendra Irwin" <pow@163.COM>
To: x
Subject: hypothalamus

This looks like open relay spam, with and being the open relays. However, these two systems were not open relays in the traditional sense, and would have passed all the usual relay tests at the time the spam was transmitted. So one may be tempted to think that they were the spam origin or open proxies, and that the second Received line is forged.

This is not the case. The Chongqing IPs and were indeed the real origin of the spam, and and were indeed third-party relays abused by the spammer.

These relays were abused via SMTP AUTH: the spammer supplied a valid username/password pair to the server, was authenticated, and was therefore granted permission to send mail anywhere. Such attacks succeed only where weak passwords are in use. This spamhaus constantly scans the net for abusable servers to use in subsequent spam runs. All brands of server (Sendmail, Exchange, MDaemon, Rockliffe, etc.) are equally targeted, as long as they support SMTP AUTH. The attacker tries several username/password pairs, such as 'admin/admin', following a certain pattern in the hope of finding a combination that lets him in.

An analysis done in July 2003 showed that a total of 276 combinations are attempted (new ones may of course have been added since):
Usernames: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc
each with the following passwords:
${username}, ${username}12, ${username}123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&*
as well as with a blank password.

MDaemon users beware! The account creation tool of recent versions of MDaemon defaults the password to the account name. If that default is accepted, the account is open to exploitation by this spamhaus.

Exchange 5.5 and Exchange 2000 users beware! If the Guest account is active, your system may be vulnerable to exploitation (follow the link below for more detail).

Spamhaus acknowledges and appreciates the efforts of other people in gathering the information presented here.

Related URLs

Exchange Server SMTP AUTH Attacks (Exchange users please read this)

Microsoft's advice

The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is:

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.