Introduction
The db.org mail server at 195.159.29.203 and 195.159.29.204 has been used as a spam relay from approximately 2003/11/25 19:00 UTC until approximately 2003/11/26 03:45 UTC (a total of a little under 9 hours). The problem has now been corrected, and no further spam should originate from this server. This page will be continuously updated as more information about the attack is uncovered. I (Bob Johannessen, postmaster@db.org) would like to apologise for any inconvenience this has caused.
The problem
The problem seems to have been with the password checker used for SMTP AUTH. The password checker used a different protocol from the SMTP daemon, and the brain-dead password checker defaulted to “allow” when it didn’t understand its input data. The result was that anyone trying to authenticate with AUTH LOGIN, using any combination of username and password, was allowed to relay mail.
The volume
Based on the queue sequence number of the first undeliverable message and that of the last message, the total volume is estimated at about 14.000 messages. Of these, 11.000 had already been delivered when the problem was identified. The remaining 3.000 messages were removed from the queue. Total damage is therefore approximately 11.000 messages.
The attacker
The approximately 3.000 messages in the queue when the attack was identified originated from the following addresses.