At 03:48 PM 02/26/2003 -0500, Chateauneuf wrote:
What I cannot figure out is how they would determine an open relay with probes to ports 8081, 8080, 8000, 6588, 4480, 3128, 1180, 1080 and 81. It almost looks like someone scanning for an open proxy.

That's exactly what they're doing - most of the spam you get these days that looks like it comes from DSL or cable users in fact is sent through an open proxy. The sensible thing would be for the DSL and cable companies to scan their own customers regularly (or block the usual ports and only open them for individual users on an exception basis, if at all).


This reverse probing appears to have started in earnest fairly recently. It strikes me as a fairly destructive thing to do - at best it will create a lot of extra traffic for each connection to the mail server (more than DNSBLs, for instance), at worst it's going to cause problems for machines that have other, legitimate applications that just happen to be on those ports.

It will also adversely affect the server when they probe a site that has those ports silently bitbucketed at the firewall, since the mail server will take 120 seconds to time out on each of the 10 probes (unless they are initiated in parallel). You don't want a mail process sitting around for 20 minutes for a single piece of incoming mail.

___________________________________________________________________________
     WARNING: DO NOT add my email address to any mailing list or
              database without my PRIOR, EXPLICIT permission.
   Fight spam in Australia - Join CAUBE.AU - http://www.caube.org.au/
Troy Rollo, Technical Director, CorVu Australasia        [EMAIL PROTECTED]

_______________________________________________
spamcon-general mailing list
[EMAIL PROTECTED]
http://mail.spamcon.org/mailman/listinfo/spamcon-general#subscribers