Regarding the recent remote exploit for Exim: I had an idea, and I wasn't sure if it was crazy. The idea was to scan port 25 across the entire Internet looking for Exim installations of version <= v4.69 by inspecting the welcome banner, then later alerting the maintainers of these systems about the problem and telling them to upgrade.
People don't like having their networks scanned, though, so rather than going through each IP in a normal linear ascending order, e.g.:

  1.2.3.253
  1.2.3.254
  1.2.4.1

I reversed the octets and did it in an order like this:

  253.3.2.1
  254.3.2.1
  1.4.2.1

So if you have a /24, it won't be scanned in a few seconds; it will be scanned over weeks instead. In a 24 hour period, I managed to cover all of:

  x.x.x.1
  x.x.x.2
  x.x.x.3
  x.x.x.4

and most of x.x.x.5, from a single VPS at linode.com. Linode received a couple of abuse reports from AT&T and Bytemark though, so asked me to stop the scan, and I did. A couple of abuse reports from 1/50th of the Internet isn't exactly a lot, but apparently Linode don't like receiving them.

In that space, I found 186,538 IPs with an MTA listening. 24,870 had " Exim \d\.\d+ " in their welcome banner (ie, about 13%). For the Exim 4 installations, we have the following:

  18,761  v4.69
   3,665  v4.68 and below
   1,400  v4.70 and above

So the vast majority of installations (94%) are vulnerable to the remote exploit. Or at least they were a couple of days ago. Interestingly, there were also 437 IPs with v3.x on them, and even 1 in Japan claiming to be running v2.05.

Anyway, I'm probably not going to do anything with the data that I collected because it's far from complete. I thought I'd just mention it here because some of the figures are interesting and I believe the pool of IPs I scanned was large and varied enough to make the data trustable. I'd be interested in working on a project to gather this data on a monthly basis and produce similar results to those produced by the Netcraft Web Server survey. I don't have the hardware/connectivity to do it though.
--
Mike Cardwell    https://secure.grepular.com/    https://twitter.com/mickeyc
Professional     http://cardwellit.com/          http://linkedin.com/in/mikecardwell
PGP.mit.edu      0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
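The two mechanics in the post, the reversed-octet probe order and the banner-based version bucketing, as an added Python example. This is not code from the post or from the Exim project. It enumerates all 2^32 positions (the post's own example skips x.x.x.0), the banner regex is slightly broader than the post's " Exim \d\.\d+ ", the bucket names mirror the post's table, and the sample greetings are constructed. The "affected" share is computed purely on the post's criterion (Exim 4 at or below 4.69); a host can change or suppress the version with Exim's smtp_banner option, so a banner scan measures what hosts claim, not what they run.

```python
"""Reversed-octet probe ordering and Exim banner version bucketing.

Added example, not code from the post or from the Exim project. Sample
banners below are constructed, not captured scan data.
"""
import re
from collections import Counter
from ipaddress import IPv4Address

# Self-reported version in an Exim SMTP greeting, e.g.
# "220 host ESMTP Exim 4.69 Mon, 14 Dec 2009 10:00:00 +0000".
# Slightly broader than the post's " Exim \d\.\d+ " (multi-digit major,
# no surrounding-space requirement). A site can change this text with
# Exim's smtp_banner option, so the result is only what the host claims.
BANNER_RE = re.compile(r"\bExim (\d+)\.(\d+)\b")


def ip_at(k: int) -> str:
    """The k-th target in the post's order: the k-th address of plain
    ascending order with its four octets reversed. Consecutive probes
    therefore land in different /8s instead of walking one /24."""
    a, b, c, d = IPv4Address(k).packed
    return f"{d}.{c}.{b}.{a}"


def probe_index(ip: str) -> int:
    """Inverse of ip_at: the probe number at which an address is reached.
    Two hosts in the same /24 differ only in the last octet, so their
    probe numbers are a multiple of 2**24 apart."""
    a, b, c, d = IPv4Address(ip).packed
    return int(IPv4Address(f"{d}.{c}.{b}.{a}"))


def parse_banner(banner: str):
    """(major, minor) from an SMTP greeting, or None if it does not
    advertise an Exim version."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def version_bucket(major: int, minor: int) -> str:
    """The buckets the post reports for Exim 4; other majors by major only."""
    if major != 4:
        return f"v{major}.x"
    if minor >= 70:
        return "v4.70 and above"
    if minor == 69:
        return "v4.69"
    return "v4.68 and below"


def summarize(banners):
    """Count banners per bucket and compute the share of Exim 4 hosts that
    report 4.69 or older, the population the post treats as affected."""
    counts = Counter()
    for banner in banners:
        parsed = parse_banner(banner)
        key = "no Exim version" if parsed is None else version_bucket(*parsed)
        counts[key] += 1
    exim4 = sum(n for k, n in counts.items() if k.startswith("v4."))
    at_or_below_469 = counts["v4.69"] + counts["v4.68 and below"]
    pct = round(100 * at_or_below_469 / exim4) if exim4 else 0
    return counts, pct


# Constructed greetings; hostnames and dates are made up.
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.69 Mon, 14 Dec 2009 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.69 Mon, 14 Dec 2009 10:00:01 +0000",
    "220 mx3.example.test ESMTP Exim 4.63 #1 Mon, 14 Dec 2009 10:00:02 +0000",
    "220 mx4.example.test ESMTP Exim 4.72 Mon, 14 Dec 2009 10:00:03 +0000",
    "220 old.example.test ESMTP Exim 3.36 #1 Mon, 14 Dec 2009 10:00:04 +0000",
    "220 smtp.example.test ESMTP Postfix",
    "220 quiet.example.test ESMTP ready",  # version hidden via smtp_banner
]


if __name__ == "__main__":
    for k in (16909309, 16909310, 16909311):  # 1.2.3.253, 1.2.3.254, 1.2.4.0
        print(k, ip_at(k))
    print("probes between 1.2.3.4 and 1.2.3.5:",
          probe_index("1.2.3.5") - probe_index("1.2.3.4"))
    counts, pct = summarize(SAMPLE_BANNERS)
    print(dict(counts), f"{pct}% of Exim 4 hosts report <= 4.69")
```

Covering x.x.x.1 through x.x.x.4 in a day, as the post describes, is 4 * 2^24 probes, and each /24 sees one of them every 2^24 probes; the abuse reports the post mentions show that spacing probes out in address space does not make them invisible to the networks receiving them.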
