Mailing List Message #13869
From: Bill Cole <>
Subject: Re: AOL open relays
Date: Fri, 24 Oct 2003 15:58:24 -0400
To: SIMS Discussions <>
At 3:09 PM -0400 10/24/03, Clement Ross  imposed structure on a stream of electrons, yielding:
Is AOL known to have open relays?

I received SPAM with the following "Received:" headers today:

Received:  from ([] verified) by (Stalker SMTP Server 1.8b8) with SMTP id S.0000142894
for <>; Fri, 24 Oct 2003 14:55:42 -0400
Received:  from [] by
(Postfix) with ESMTP id DB585285CEEB for <>; Sat, 25
Oct 2003 05:39:16 +0000

is from the DoD and is allocated to AOL.

Or maybe the Received header from was forged?

Yes, it is. 22.* machines are in fact quite unlikely to ever be speaking to the Internet at large.

The AOL hostnames consisting of 8 hex digits (0-9A-F) are individual AOL user machines on dynamic addresses, i.e. dialups. You can see a rundown of those ranges here:

It looks like this is a case of one AOL user getting around the normal connection hijacking that AOL has in place for any dialup user trying to make direct SMTP connections to the outside world. I've seen it before and even discussed it with relevant AOL staff, but they don't seem to have a handle on how it is happening or how to stop it. I suspect that it is a case of split routing tricks where the machine on that address has 2 interfaces with one on an AOL dialup, and is sending out packets with the AOL address on the other, unfiltered, interface. AOL has been told of the potential for that but I have never heard them state whether they have taken or intend to take the steps necessary to stop that.

AOL has essentially said that they don't want any users of - to be directly connecting to outside mail servers. Anyone with a mail server should consider adding that range to the local blacklist to catch the incidents where AOL's technical steps to prevent such connections break down.

Bill Cole
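
The check Bill describes above, worked through as an added example (not code from the original post or from the SIMS/Stalker software): parse the Received: chain of a message, trust only the hops stamped by your own MTA, and compare those hops' source addresses against a local blocklist of ranges that should never be talking SMTP to you directly. The message, host names and addresses are constructed; 198.51.100.0/24 (TEST-NET-2) stands in for whatever dialup range a site decides to block, since the actual range is not reproduced on the page. The deeper Received: line in the sample, like the one in the quoted spam, is not something our server wrote, so its 192.0.2.44 claim is deliberately ignored.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the original post). Host names and
# addresses are documentation/example values, not real hosts.
# The top Received: line is the one our own server (mail.example.org) wrote;
# the line below it arrived inside the message and could have been forged
# by the connecting machine, exactly as with the 22.* header in the spam.
SAMPLE_MESSAGE = """\
Received: from acme.example.net ([198.51.100.23] verified)
  by mail.example.org (Stalker SMTP Server 1.8b8) with SMTP id S.0000142894
  for <user@example.org>; Fri, 24 Oct 2003 14:55:42 -0400
Received: from [192.0.2.44] by relay.example.com (Postfix) with ESMTP
  id DB585285CEEB for <user@example.org>; Sat, 25 Oct 2003 05:39:16 +0000
From: someone@example.com
To: user@example.org
Subject: constructed sample

body
"""

# Our own MTAs (assumed): Received: lines stamped "by" one of these are genuine.
TRUSTED_BY_HOSTS = {"mail.example.org"}

# Local blocklist of ranges whose hosts should never talk SMTP to us directly.
# 198.51.100.0/24 is a stand-in for the provider's dynamic/dialup range.
LOCAL_BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_received(raw_message):
    """Return one dict per Received: header, newest (topmost) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Unfold continuation lines so the regexes see one logical line.
        text = re.sub(r"\s+", " ", str(value)).strip()
        m = re.match(r"from (?P<frm>.+?) by (?P<by>\S+)", text)
        if not m:
            continue  # not in "from X by Y" form; nothing to extract
        frm = m.group("frm")
        ip_match = re.search(r"\[(" + _IPV4 + r")\]", frm)
        hops.append({
            "from_host": frm.split()[0].strip("[]"),
            "from_ip": ip_match.group(1) if ip_match else None,
            "by_host": m.group("by"),
        })
    return hops


def trusted_hops(hops, trusted_by_hosts=TRUSTED_BY_HOSTS):
    """Keep only the leading hops stamped by our own servers.

    Each relay prepends its own Received: line, so the headers added by hosts
    we control are the only ones guaranteed genuine. The first hop stamped by
    an unknown host, and everything below it, may have been written by the
    sender and is not used for blocking decisions.
    """
    trusted = []
    for hop in hops:
        if hop["by_host"].lower() not in trusted_by_hosts:
            break
        trusted.append(hop)
    return trusted


def blocklisted_source(hops, blocklist=LOCAL_BLOCKLIST):
    """Return the first trusted-hop source IP inside a blocked range, else None."""
    for hop in trusted_hops(hops):
        if hop["from_ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["from_ip"])
        if any(addr in net for net in blocklist):
            return hop["from_ip"]
    return None


def analyse(raw_message):
    """Summarise the Received: chain and the blocklist verdict for a message."""
    hops = parse_received(raw_message)
    return {
        "hops": hops,
        "trusted_hop_count": len(trusted_hops(hops)),
        "blocklisted_source": blocklisted_source(hops),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_MESSAGE)
    for i, hop in enumerate(result["hops"]):
        tag = "trusted" if i < result["trusted_hop_count"] else "unverified (could be forged)"
        print(f"hop {i}: {hop['from_host']} [{hop['from_ip']}] -> {hop['by_host']}  [{tag}]")
    print("blocklisted source:", result["blocklisted_source"])
```

Run it as-is to see the two hops and the verdict; to use it on real mail, put your own MTA host names in TRUSTED_BY_HOSTS and the ranges you actually want to refuse in LOCAL_BLOCKLIST. The important design point is that the forged-looking inner header never influences the decision: only the address your own server saw on the wire is compared against the blocklist.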
