Mailing List SIMS@mail.stalker.com Message #13869
From: Bill Cole <listbill@scconsult.com>
Subject: Re: AOL open relays
Date: Fri, 24 Oct 2003 15:58:24 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 3:09 PM -0400 10/24/03, Clement Ross imposed structure on a stream of electrons, yielding:
> Is AOL known to have open relays?
>
> I received SPAM with the following "Received:" headers today:
>
> Received:  from ACB205A4.ipt.aol.com ([172.178.5.164] verified) by
> octave.hexact.net (Stalker SMTP Server 1.8b8) with SMTP id S.0000142894
> for <clement@hexact.net>; Fri, 24 Oct 2003 14:55:42 -0400
> Received:  from tlcfan.com [22.215.193.235] by ACB205A4.ipt.aol.com
> (Postfix) with ESMTP id DB585285CEEB for <clement@hexact.net>; Sat, 25
> Oct 2003 05:39:16 +0000
>
> 22.215.193.235 is from the DoD and 172.178.5.164 is allocated to AOL.
>
> Or maybe the Received header from 22.215.193.235 was forged?

Yes, it is. 22.* machines are in fact quite unlikely to ever be speaking to the Internet at large.

The AOL hostnames consisting of 8 hex digits (0-9A-F) are individual AOL user machines on dynamic addresses, i.e. dialups. You can see a rundown of those ranges here: http://postmaster.info.aol.com/servers.html

It looks like this is a case of one AOL user getting around the normal connection hijacking that AOL has in place for any dialup user trying to make direct SMTP connections to the outside world. I've seen it before and even discussed it with relevant AOL staff, but they don't seem to have a handle on how it is happening or how to stop it. I suspect that it is a case of split routing tricks where the machine on that address has 2 interfaces with one on an AOL dialup, and is sending out packets with the AOL address on the other, unfiltered, interface. AOL has been told of the potential for that but I have never heard them state whether they have taken or intend to take the steps necessary to stop that.

AOL has essentially said that they don't want any users of 172.128.0.0 - 172.211.255.255 to be directly connecting to outside mail servers. Anyone with a mail server should consider adding that range to the local blacklist to catch the incidents where AOL's technical steps to prevent such connections break down.


--
Bill Cole
bill@scconsult.com
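Added example, not part of Bill Cole's message or of the SIMS software: a Python script that applies the checks discussed in this thread to the quoted Received chain. It flags a connecting address inside 172.128.0.0 - 172.211.255.255 (the range AOL asked not to see connecting directly), a sender name matching the eight-hex-digit dialup naming (the `.ipt.aol.com` suffix is assumed from the example host ACB205A4.ipt.aol.com), and an inner hop stamped later than the hop that claims to have received it, which the quoted headers happen to exhibit. It also emits the range as CIDR blocks for a local blacklist. The two headers are constructed from the ones quoted in the thread; the regexes and finding names are my own.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received headers quoted in the thread,
# unfolded onto single lines, outermost (most recently added) first.
SAMPLE_HEADERS = [
    "Received: from ACB205A4.ipt.aol.com ([172.178.5.164] verified) by "
    "octave.hexact.net (Stalker SMTP Server 1.8b8) with SMTP id S.0000142894 "
    "for <clement@hexact.net>; Fri, 24 Oct 2003 14:55:42 -0400",
    "Received: from tlcfan.com [22.215.193.235] by ACB205A4.ipt.aol.com "
    "(Postfix) with ESMTP id DB585285CEEB for <clement@hexact.net>; Sat, 25 "
    "Oct 2003 05:39:16 +0000",
]

# Range AOL does not want making direct outbound SMTP connections (from the message).
AOL_DYNAMIC_START = ipaddress.ip_address("172.128.0.0")
AOL_DYNAMIC_END = ipaddress.ip_address("172.211.255.255")

# Assumed naming convention: eight uppercase hex digits in front of .ipt.aol.com
# (suffix taken from the quoted example host) marks an AOL dialup machine.
AOL_DIALUP_HOST = re.compile(r"^[0-9A-F]{8}\.ipt\.aol\.com$")

_FROM_RE = re.compile(r"from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\s+by\s+(\S+)")


def parse_received(header):
    """Extract the claimed sender name, its IP, the receiving host and the timestamp."""
    body = re.sub(r"^Received:\s*", "", header.strip())
    m_from = _FROM_RE.search(body)
    m_by = _BY_RE.search(body)
    date_part = body.rsplit(";", 1)[-1].strip()
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_from.group(2) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "time": parsedate_to_datetime(date_part),
    }


def in_aol_dynamic(ip):
    """True if the address falls inside the AOL dynamic-user range."""
    addr = ipaddress.ip_address(ip)
    return AOL_DYNAMIC_START <= addr <= AOL_DYNAMIC_END


def aol_dynamic_cidrs():
    """The range as CIDR blocks, the form most local blacklists accept."""
    return [str(n) for n in
            ipaddress.summarize_address_range(AOL_DYNAMIC_START, AOL_DYNAMIC_END)]


def analyze_chain(headers):
    """Return (hop_index, finding) pairs for a Received chain, outermost first.

    Hop 0 is the header your own server added and is the only one whose
    contents you can trust; every header below it arrived inside the message
    and may have been written by the sender."""
    hops = [parse_received(h) for h in headers]
    findings = []
    for i, hop in enumerate(hops):
        if hop["ip"] and in_aol_dynamic(hop["ip"]):
            findings.append((i, "aol-dynamic-range"))
        if hop["from"] and AOL_DIALUP_HOST.match(hop["from"]):
            findings.append((i, "aol-dialup-hostname"))
        if i + 1 < len(hops):
            inner = hops[i + 1]
            # A hop cannot have been stamped after the hop that received it.
            if inner["time"] > hop["time"]:
                findings.append((i + 1, "timestamp-inversion"))
            # The inner hop's "by" should name the host the outer hop heard from.
            # Agreement here proves nothing (the sender controls the inner header),
            # but disagreement is a cheap forgery tell.
            if inner["by"] != hop["from"]:
                findings.append((i + 1, "chain-mismatch"))
    return findings


if __name__ == "__main__":
    for index, finding in analyze_chain(SAMPLE_HEADERS):
        print(f"hop {index}: {finding}")
    print("blacklist entries:", ", ".join(aol_dynamic_cidrs()))
```

Running it on the sample reports the AOL dynamic address and dialup-style hostname on hop 0 and a timestamp inversion on hop 1 (the Postfix line is dated about ten hours after the Stalker server logged the connection), and prints 172.128.0.0/10, 172.192.0.0/12 and 172.208.0.0/14 as the blocks covering the range.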
