Spammer Weirdness: Trapping The Trap
Today I noticed this line in my message log:
Apr 26 08:19:38 gmc-mxd-bsd-001 postfix/smtpd[80576]: NOQUEUE: reject: RCPT from unknown[222.122.52.102]: 554 msgtrap2@gmail.com: Relay access denied; from=testusrrr@dialin-relay.mx.genotec.ch to=msgtrap2@gmail.com proto=SMTP helo=dialin-relay.mx.genotec.ch
It is nothing new to me that spammers probe for open SMTP relays. What puzzles me is that their providers do not notice something as obvious as an account named “msgtrap2@gmail.com” and pay attention to it.
Even though we don’t have millions of mailboxes at my company, we run regular pattern matching against our mailbox database to find the more obvious ones.
It probably would not harm anyone if IP addresses that attempt unauthorized relaying were blacklisted across the board right away.
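As an added example (not part of the original post), here is the kind of check the two preceding paragraphs describe, applied to Postfix smtpd log lines: pick out the “Relay access denied” rejects, group them by client IP, flag recipients whose local part names itself as a trap, note clients without a reverse DNS pointer (Postfix logs those as “unknown”), and render the result as entries for a Postfix access(5) table. The sample log is constructed for this example; the first line is the one quoted above, the rest are made-up lines using documentation IP ranges. The trap-name pattern and the attempt threshold are assumptions, not anything the post prescribes.

```python
"""Pick unauthorized relay attempts out of Postfix smtpd log lines."""
import re
from collections import defaultdict

# Matches Postfix "Relay access denied" rejects. The angle brackets around the
# addresses are optional because the line quoted in the post has them stripped
# (a real Postfix log writes from=<...> to=<...> and "554 5.7.1 <rcpt>").
RELAY_REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\]: 554 (?:[\d.]+ )?"
    r"<?(?P<rcpt>[^>:\s]+)>?: Relay access denied; "
    r"from=<?(?P<sender>[^>\s]*)>? to=<?(?P<to>[^>\s]*)>? "
    r"proto=(?P<proto>\S+) helo=<?(?P<helo>[^>\s]*)>?"
)

# Local parts that advertise themselves as relay probes (assumed pattern list).
TRAP_LOCALPART_RE = re.compile(r"(trap|probe|relaytest|openrelay)", re.IGNORECASE)

# Constructed sample log. SAMPLE_LOG[0] is the line quoted in the post.
SAMPLE_LOG = [
    "Apr 26 08:19:38 gmc-mxd-bsd-001 postfix/smtpd[80576]: NOQUEUE: reject: RCPT from unknown[222.122.52.102]: 554 msgtrap2@gmail.com: Relay access denied; from=testusrrr@dialin-relay.mx.genotec.ch to=msgtrap2@gmail.com proto=SMTP helo=dialin-relay.mx.genotec.ch",
    # Constructed: another client without a PTR record, probing twice.
    "Apr 26 08:20:01 gmc-mxd-bsd-001 postfix/smtpd[80577]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<a@example.org> to=<someone@example.net> proto=ESMTP helo=<mail.example.org>",
    "Apr 26 08:20:02 gmc-mxd-bsd-001 postfix/smtpd[80577]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <other@example.net>: Relay access denied; from=<a@example.org> to=<other@example.net> proto=ESMTP helo=<mail.example.org>",
    # Constructed: an unrelated reject that must not be counted as a relay attempt.
    "Apr 26 08:21:00 gmc-mxd-bsd-001 postfix/smtpd[80578]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.5]: 450 4.1.8 <x@nxdomain.invalid>: Sender address rejected: Domain not found; from=<x@nxdomain.invalid> to=<user@example.com> proto=ESMTP helo=<mx.example.com>",
    # Constructed: a single ordinary relay reject, below the attempt threshold.
    "Apr 26 08:22:10 gmc-mxd-bsd-001 postfix/smtpd[80579]: NOQUEUE: reject: RCPT from host.example.org[203.0.113.7]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<host.example.org>",
]


def parse_relay_reject(line):
    """Return the fields of a relay-denied reject line, or None for any other line."""
    m = RELAY_REJECT_RE.search(line)
    return m.groupdict() if m else None


def looks_like_trap_address(addr):
    """True if the local part names itself as a relay or spam trap."""
    local = addr.split("@", 1)[0]
    return bool(TRAP_LOCALPART_RE.search(local))


def relay_probe_report(lines, min_attempts=2):
    """Group relay rejects by client IP and return the ones worth blocklisting.

    An IP qualifies when it made at least min_attempts relay attempts, or when a
    single attempt already targets a self-declared trap mailbox.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "rcpts": set(), "helos": set(),
                                  "no_rdns": False, "trap_rcpt": False})
    for line in lines:
        rec = parse_relay_reject(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["attempts"] += 1
        entry["rcpts"].add(rec["rcpt"])
        entry["helos"].add(rec["helo"])
        # "unknown" is what Postfix logs when the client IP has no PTR record.
        entry["no_rdns"] = entry["no_rdns"] or rec["rdns"] == "unknown"
        entry["trap_rcpt"] = entry["trap_rcpt"] or looks_like_trap_address(rec["rcpt"])
    return {ip: e for ip, e in per_ip.items()
            if e["attempts"] >= min_attempts or e["trap_rcpt"]}


def postfix_access_entries(report):
    """Render the flagged IPs as lines for a Postfix access(5) table."""
    return [f"{ip}\tREJECT relay probe" for ip in sorted(report)]


if __name__ == "__main__":
    report = relay_probe_report(SAMPLE_LOG)
    for ip, e in report.items():
        print(ip, e["attempts"], "attempt(s)", "no-rDNS" if e["no_rdns"] else "",
              "trap-rcpt" if e["trap_rcpt"] else "", sorted(e["helos"]))
    print("\n".join(postfix_access_entries(report)))
```

Run against the sample, the report names 222.122.52.102 (one attempt, but at a self-declared trap address and with no reverse pointer) and 192.0.2.10 (two attempts), while the 450 sender rejection and the single ordinary relay reject from 203.0.113.7 are left alone. Feeding the access table into a `check_client_access` restriction is the “blacklist right away” step; a grace threshold above one attempt keeps a single mistyped relay from a legitimate peer from landing on the list.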
June 4th, 2006 at 3:22 am
I actually wonder if perhaps Google is just checking mail servers for open relays in order to build a blocklist at gmail.com. I’ve seen this exact same relay attempt by msgtrap2@gmail.com in 2 different mail servers I manage both within the past couple of days!
June 4th, 2006 at 9:29 am
This is very unlikely for three reasons:
#1 the source IP is from KORNET (Korea)
#2 the source IP lacks a DNS reverse pointer
#3 Google confirmed this being a user account
In general one could assume Google would not use a Korean IP address even if they did a search for open relays.
October 31st, 2006 at 4:16 pm
Hey there bud. This actually has nothing to do with this current article. Rather, I thought I’d share a funny story.
So today, one of my buddies sent me a link to your site. Specifically, an April 06 entry.
And yeah, I just wanted to congratulate you on killing my old seed e-mail account a while back (msgtrap2).
I use it to test the effectiveness of spam blacklists (njabl, spamhaus, spamcop, you name it), and yeah. I was quite impressed that someone finally noticed and did something about it.
I’m sure you’ll be happy to know, Gmail did eventually disconnect the account, an action that had not occurred before or since. Of course, it didn’t take long to get a new one (yay gmail spoolers), but still. Impressive.
And before you hop on that whois site, I feel you should know that yes, this server is not a home computer. It’s from a friend’s server (yes, it is spam blacklisted). Regrettably, these are the only types of computers I can test from. Also, before you say it, I’m pretty aware that this type of activity can be somewhat bothersome, but as far as I know at least, it doesn’t do a lot of real harm.
I’ll check back, see if you respond.
Adios
October 31st, 2006 at 4:24 pm
Well, thank you for your feedback on that matter. I’m sure others have noticed this before, too. Most of them if not all surely have not paid too much attention to it. There’s a lot of crap email traffic these days…
October 31st, 2006 at 9:35 pm
Yeah. The scanners have now been going for almost an entire year. Only msgtrap2 has been shut down. Despite how openly available the e-mail address was, no one has ever sent a complaint e-mail. I just thought it was interesting to see. And also, by the way, I can say with relative certainty that I am probably the only person who scans with any real intensity who is left. Spammers don’t really use open relays frequently anymore.