Why?
Why does dnsbl.net.au do this testing?
A huge amount of the spam email entering our network originates from
internet servers with poor security. If the administrators of those servers
cleaned up their security, everyone would get less spam.
We test so that we can decide whether to refuse email from other mail
servers which have poor security, may have been hacked into, or may be
relaying open relay spam.
We used to notify the system administrators of mail servers with poor security, but we don't anymore.
There are just far too many of them,
and such servers are often so poorly configured that no-one received the warning emails anyway.
Why are there so many tests carried out?
We are forced to test for many security issues because each of them is currently being
exploited by spammers to send spam. We don't test for security holes for fun, and we
generally only automate tests for those security issues which are actually
being exploited.
See this log report, produced by another security scanning service
located at njabl.org, for the range of SMTP tests it performs.
Any one of those tests, if failed, can be exploited to relay spam.
We currently carry out tests similar to those detailed in that report.
When?
When are repeat tests carried out?
Tests are scheduled to be carried out on the servers detailed in the who section,
with a frequency as per the tables below.
Depending upon the results of any recent tests, these tests are carried out
infrequently, and never more often than 14 days apart.
Within those limits, we test and retest as often
as required, but not so often as to cause any disruption.
Relay Server Scanner
| Result | Retest after | Meaning |
| --- | --- | --- |
| TIMEOUT | 30 days | Timeout refers to a network, server, or any other sort of system timeout. |
| BAD | 60 days | Bad means that the server under test accepted a test email for later processing or delivery. |
| OPEN | 90 days | Open means that the test message was relayed back to us, which means the server is an OPEN RELAY. |
| REFUSED | 120 days | Refused means that the server under test refused to accept any sort of email or test. |
| GOOD | 150 days | Good means that the server accepts normal (local) email but outright refuses to accept non-local messages for delivery. |
Proxy Server Scanner
| Result | Retest after | Meaning |
| --- | --- | --- |
| timedout | 14 days | Timeout refers to a network, server, or any other sort of system timeout. |
| openhttp | 28 days | Server is an open HTTP proxy. |
| openwingate | 28 days | Server is an open WinGate proxy. |
| opensocks | 28 days | Server is an open SOCKS proxy. |
| closed | 56 days | Server has good security, having passed these tests previously. |
How?
We use publicly available, Unix, Perl-based security testing scripts.
How does the Relay Server Scanner work?
What this script does goes like this:
1. connect to port 25, the SMTP port, on the server under test.
2. present a range of different From: and To: address formats.
3. try to get a message delivered back to a known email address.
If the server under test refuses to relay a message back, then it is not
an open relay server, which is good.
If the server accepts the test message, it may choose to drop it, deliver it
to the intended recipient, or relay it to the local system administrator.
If it does arrive back at the intended recipient's address, then the server
under test is an open relay, with poor security, and a major problem.
How does the Proxy Server Scanner work?
What this script does goes like this:
1. connect to the server under test on the usual proxy ports: 3128, 23, 80, 8080 etc.
2. instruct the server to connect back to a known location within our network, without supplying any password.
3. if the server under test does as instructed and we see our test banner come back through it, the server has failed the security test.
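The three proxy steps above, as an added example in Python (not dnsbl.net.au's script): it builds the connect-back request for each proxy type (HTTP CONNECT, SOCKS4, SOCKS5 and the WinGate telnet gateway), checks whether the reply carries our banner, and maps the outcome to the Proxy Server Scanner result names. The callback address 192.0.2.11, the banner, the port-to-protocol table (including port 1080, which the page does not list) and the fake network are assumptions constructed so that the example runs offline.

```python
"""Open-proxy probe modelled on the Proxy Server Scanner steps above.
Added example, not dnsbl.net.au's script: the port/protocol pairs, the
callback address and banner, and the fake proxies are assumptions."""
import socket
import struct

# Assumed: a listener inside the scanner's own network that an open proxy
# would be instructed to connect back to, and the banner it announces.
CALLBACK_IP, CALLBACK_PORT = "192.0.2.11", 25
BANNER = b"220 securityscan.example relay-test listener\r\n"

# Protocol tried on each port; the page names 3128, 23, 80, 8080 "etc.",
# port 1080 (SOCKS) is assumed here.
PORT_PROTOCOLS = {80: "http", 3128: "http", 8080: "http",
                  1080: "socks4", 23: "wingate"}
OPEN_RESULT = {"http": "openhttp", "socks4": "opensocks",
               "socks5": "opensocks", "wingate": "openwingate"}


def connect_request(protocol):
    """Bytes asking a proxy of this kind to open a TCP connection back to us."""
    if protocol == "http":
        return f"CONNECT {CALLBACK_IP}:{CALLBACK_PORT} HTTP/1.0\r\n\r\n".encode()
    if protocol == "socks4":   # VN=4, CD=1 (CONNECT), port, IPv4 address, empty userid
        return (struct.pack(">BBH", 4, 1, CALLBACK_PORT)
                + socket.inet_aton(CALLBACK_IP) + b"\x00")
    if protocol == "socks5":   # offer "no auth", then CONNECT to an IPv4 address
        return (b"\x05\x01\x00" + b"\x05\x01\x00\x01"
                + socket.inet_aton(CALLBACK_IP) + struct.pack(">H", CALLBACK_PORT))
    if protocol == "wingate":  # WinGate telnet gateway takes "host:port" on a line
        return f"{CALLBACK_IP}:{CALLBACK_PORT}\r\n".encode()
    raise ValueError(protocol)


def relayed_banner(protocol, reply):
    """True when the reply shows a granted connect and our banner came through."""
    if protocol == "http":
        head, sep, body = reply.partition(b"\r\n\r\n")
        return sep != b"" and head.startswith(b"HTTP/1.") and b" 200" in head and BANNER in body
    if protocol == "socks4":   # reply: VN=0, CD=0x5a (granted), 2-byte port, 4-byte address
        return len(reply) >= 8 and reply[1] == 0x5A and BANNER in reply[8:]
    if protocol == "socks5":   # method reply (2 bytes) + connect reply in IPv4 form (10 bytes)
        return (len(reply) >= 12 and reply[:2] == b"\x05\x00"
                and reply[2:6] == b"\x05\x00\x00\x01" and BANNER in reply[12:])
    if protocol == "wingate":  # no framing: the banner simply appears on the stream
        return BANNER in reply
    raise ValueError(protocol)


def scan(exchange, ports=PORT_PROTOCOLS):
    """Probe each port; `exchange(port, request) -> reply bytes` is the transport
    and raises TimeoutError / ConnectionRefusedError as a real socket would.
    Returns one of the Proxy Server Scanner result names."""
    timeouts = 0
    for port, protocol in ports.items():
        try:
            reply = exchange(port, connect_request(protocol))
        except TimeoutError:
            timeouts += 1
            continue
        except ConnectionRefusedError:
            continue
        if relayed_banner(protocol, reply):
            return OPEN_RESULT[protocol]
    return "timedout" if timeouts == len(ports) else "closed"


def fake_network(open_on):
    """Constructed transport: `open_on` maps port -> protocol of an open proxy
    listening there; other ports refuse the connection; port 9999 never answers."""
    def exchange(port, request):
        if port == 9999:
            raise TimeoutError
        protocol = open_on.get(port)
        if protocol is None:
            raise ConnectionRefusedError
        if protocol == "http" and request.startswith(b"CONNECT "):
            return b"HTTP/1.0 200 Connection established\r\n\r\n" + BANNER
        if protocol == "socks4" and request[:2] == b"\x04\x01":
            return b"\x00\x5a" + request[2:8] + BANNER   # echo port and address back
        if protocol == "wingate":
            return b"WinGate>" + request + b"Connecting...\r\n" + BANNER
        return b""
    return exchange


if __name__ == "__main__":
    print(scan(fake_network({8080: "http"})), scan(fake_network({1080: "socks4"})),
          scan(fake_network({23: "wingate"})), scan(fake_network({})))
```

The decisive check is not the proxy's "200" or SOCKS "granted" code but the banner: a proxy that answers success yet never actually reaches our listener does not relay, so it is not listed. Replacing fake_network with a function that opens a real socket, sends the request and reads with a timeout is all that separates this from a live scanner.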
Who?
Who authorised you to test my server?
You did, by attempting to send email into our network.
When you connected to any of our mail servers, you automatically
granted consent to be security audited.
If you do not want your servers tested, do not attempt to send email
into our network, or to connect to any of our mail servers on port 25.
Every connection to any of our mail servers results in the following
message (or similar) being sent back to your server ...
telnet mail.dnsbl.net.au 25
Trying 203.56.255.6...
Connected to mail.dnsbl.net.au.
Escape character is '^]'.
220 mail.dnsbl.net.au ESMTP Sendmail 8.11.6/8.11.6; Mon, 18 Aug 2003 12:06:22 +0800.
You have automatically granted consent to be security audited by connecting to this server,
as per http://dnsbl.net.au/testing/
Who do we test?
We test a range of servers:
1. all servers which send email into our network, without fear or favour to any
company or organisation. We don't care who you are, or why you're sending email
to us, our clients, or our clients' clients. If you don't want your SMTP
server scanned by our security scanner, please don't send email into our network.
2. we also monitor the relevant newsgroups, known as NANAE and NANAS
(news.admin.net-abuse.email and news.admin.net-abuse.sightings), for spam samples,
and trawl those messages for IP addresses. Any IP address found in any of those
spam samples is tested. The spam sample which triggered the test remains available
in our database for a few weeks or months.
3. we accept nominations of likely mail servers to test from a variety of
third party sources, including SpamCop. We note where the suggestion came from,
carry out the tests, and record the results of any failures along with the source
information.
4. we use a variety of external DNSBL lists, and automatically scan the security
of every server listed on those lists whose email we rejected because the
originating server was on that third party, external DNSBL list.
Who else does these sorts of tests?
Road Runner Probing: http://sec.rr.com/probing.htm
NJABL.ORG: Not Just Another Bogus List
America Online (aol.com): email message warning of test failure
Who can I contact at dnsbl.net.au?
Our details are all over this web site, so feel
free to email, fax or phone us if you require more information that is not answered here.
We will refer all queries to this page, so please read it a few times before trying to
contact us.
abuse@dnsbl.net.au has no spam blocks attached, so all email should get through to that address.
Spam sent to that address will be automatically added onto our arbitrary boycott list, rmst.dnsbl.net.au
Where?
Where do we test from?
One server only - 203.56.255.11
That server has a reverse DNS of securityscan.dnsbl.net.au
Where is dnsbl.net.au located?
Australia.
What?
What do we do with the information we discover?
If we receive spam from email servers
which our tests subsequently show to be open relays, we automatically nominate those
mail servers to all other world-wide blacklists which are interested in carrying out their
own tests, so that they are then also blacklisted worldwide.
We also add the details of the open relay
server in question to our local block list. That prevents us from receiving further
open relay spam from that mail server. It may also stop legitimate email, but that is the
price we pay. All blocked email results in an error message being returned to the
sender, which gives them a pointer to a web page explaining why their email was blocked.
What bandwidth and network resources are consumed to carry out these tests?
Our tests consume a small fraction of the bandwidth that spammers consume
when they abuse an open relay mail server. To be more
exact, a few kilobytes in total per server tested.