Scans against the mail server (2004-3-31)

Since 21:00 last night, and still going at 10:00 this morning, the log has been recording connections to the smtp port that do nothing but connect. They don't send any mail; odd. It looks like a machine infected with a new virus carrying out a DoS attack. Connecting to it over smtp gets refused. As a temporary measure I put
220.104.XXX.XXX REJECT
in /etc/mail/access. If it keeps up much longer I plan to reject it with ipf.


10:16 Rejected it (/etc/ipf.rules). Also reported it, with the logs attached, to the abuse desk of OCN, which manages this address.
block in log quick from 220.104.XXX.XXX/32 to any
(In the line above, XXX stands for the actual address.)

Only after blocking it did I notice several other sources behaving the same way. The blocked address was hitting us nonstop, several times a second, but the others I found are nowhere near that, just a trickle. They come from OCN Marunouchi, mesh.ad.jp, bbtec.net, plala.or.jp, a certain large company, and so on.

This is what gets recorded in the log. (These are from after the block went in, so the lines from the heavy flood are not included.)
Mar 31 14:37:50 mail sendmail[1746]: i2V5bo2R001746: [203.252.156.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 15:08:53 mail sendmail[383]: i2V66w30000383: [61.130.163.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 16:29:45 mail sendmail[495]: i2V7RjbU000495: smtp-send.xxxxxxxx.com [192.108.102.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 17:38:36 mail sendmail[1577]: i2V8anV7001577: [218.79.244.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 17:38:36 mail sendmail[1590]: i2V8cAuP001590: hcc3d73d7d6.XXX.ne.jp [XXX.XXX.215.214] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 19:30:36 mail sendmail[3172]: i2VAUagd003172: [211.12.XXX.X] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 20:28:10 mail sendmail[3744]: i2VBQ2xs003744: smtp-send.xxxxxxxx.com [192.108.102.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 20:31:30 mail sendmail[3981]: i2VBUj95003981: [211.12.XXX.X] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 20:36:42 mail sendmail[4171]: i2VBaPSU004171: [211.12.XXX.X] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 20:40:35 mail sendmail[4219]: i2VBcF1a004219: [211.12.XXX.X] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 20:40:35 mail sendmail[4242]: i2VBeHZT004242: [211.12.XXX.X] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 22:00:06 mail sendmail[5091]: i2VD05A3005091: [211.178.16.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 22:27:18 mail sendmail[5318]: i2VDQkjr005318: 039.c.XXX.mel.iprimus.net.au [203.134.135.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 22:53:48 mail sendmail[5750]: i2VDpXLt005750: smtp-send.xxxxxxxx.com [192.108.102.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 23:02:20 mail sendmail[5762]: i2VDq2eB005762: ns.XXXXX.co.jp [202.32.193.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 23:07:15 mail sendmail[5889]: i2VDvI9R005889: ns.XXXXX.co.jp [202.32.193.XXX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
If you are getting the same kind of attack, watch out for the log (/var/log/maillog) ballooning and filling up the disk.

We monitor our mail server from another machine by connecting to port 25 and disconnecting immediately. In that case exactly the same line is recorded in the log (/var/log/maillog).

I think a virus is carrying out a botched DoS attack (meant as an attack, but unable to do much damage).

Monitoring of this kind runs at fairly long intervals, say once every 5 minutes or once every 30 minutes, so several hits a second cannot plausibly be for monitoring purposes. (And what would you even get out of monitoring someone else's server?)
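One way to pull these events out of /var/log/maillog and tell a flood apart from a monitoring check, as an added example that is not part of the original post: the script below parses the "did not issue MAIL/EXPN/VRFY/ETRN" lines, counts hits per source address and the peak number of hits in any single second, flags sources that exceed a burst threshold, and prints the access-map REJECT line and the ipf rule used above for each of them. The year (syslog lines carry none), the threshold of 3 hits per second, and the sample log lines (built from RFC 5737 documentation addresses) are all assumptions made for this example.

```python
"""Detect connect-and-hang-up SMTP probes in sendmail's maillog (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_YEAR = 2004  # assumption: syslog timestamps carry no year; the post's logs are from 2004

# One line of the form the post shows, with an optional reverse-DNS name
# before the bracketed address and an optional "(may be forged)" after it.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: \S+: "
    r"(?:(?P<host>\S+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?: \(may be forged\))? "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA\s*$"
)


def parse_line(line):
    """Return {"time", "host", "ip"} for a matching line, None for any other maillog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))  # "Apr  1" -> "Apr 1"
    when = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m.group("host"), "ip": m.group("ip")}


def summarize(lines):
    """Per source IP: total hits, first/last time, peak hits within one second, seen hostnames."""
    per_second = defaultdict(Counter)  # ip -> Counter(second -> hits)
    hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[rec["ip"]][rec["time"]] += 1
        if rec["host"]:
            hosts[rec["ip"]].add(rec["host"])
    summary = {}
    for ip, counter in per_second.items():
        times = sorted(counter)
        summary[ip] = {
            "count": sum(counter.values()),
            "first": times[0],
            "last": times[-1],
            "peak_per_second": max(counter.values()),
            "hosts": sorted(hosts[ip]),
        }
    return summary


def flooding_sources(summary, burst=3):
    """IPs that hit the MTA `burst` or more times within a single second.

    A monitor connecting once every 5 or 30 minutes never reaches this;
    a source hammering several times a second, as in the post, does.
    """
    return sorted(ip for ip, s in summary.items() if s["peak_per_second"] >= burst)


def block_rules(ip):
    """The two lines the post used: an /etc/mail/access REJECT entry and an ipf block rule."""
    return (f"{ip}\tREJECT", f"block in log quick from {ip}/32 to any")


# Constructed sample: one flooding source, one 5-minute monitor, two sporadic probes,
# and one unrelated delivery line that must be ignored.
SAMPLE_LOG = """\
Mar 31 21:00:00 mail sendmail[1000]: i2VC00aa001000: monitor.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:01 mail sendmail[1001]: i2VC01ab001001: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:01 mail sendmail[1002]: i2VC01ac001002: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:01 mail sendmail[1003]: i2VC01ad001003: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:01 mail sendmail[1004]: i2VC01ae001004: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:02 mail sendmail[1005]: i2VC02af001005: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:02 mail sendmail[1006]: i2VC02ag001006: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:00:02 mail sendmail[1007]: i2VC02ah001007: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:01:00 mail sendmail[1010]: i2VC10xx001010: from=<user@example.com>, size=1234, class=0, nrcpts=1
Mar 31 21:03:17 mail sendmail[1011]: i2VC3Hxy001011: probe.example.org [203.0.113.5] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:04:30 mail sendmail[1012]: i2VC4Uxz001012: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:04:30 mail sendmail[1013]: i2VC4Uya001013: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:05:00 mail sendmail[1014]: i2VC50yb001014: monitor.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 31 21:10:00 mail sendmail[1015]: i2VCA0yc001015: monitor.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def main():
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} hits={s['count']:3} peak/s={s['peak_per_second']} "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} {' '.join(s['hosts'])}")
    for ip in flooding_sources(summary):
        access, ipf = block_rules(ip)
        print(f"FLOOD {ip}: access map -> {access!r}; ipf -> {ipf!r}")


if __name__ == "__main__":
    main()
```

Run it against the real file with `summarize(open("/var/log/maillog"))`; only the flooding source gets rules, while the monitor (one hit every five minutes) and the address that connected twice in the same second stay below the threshold, matching the distinction the post draws.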

Addendum:

I re-checked on April 19, but the only records were from our own monitoring system. It seems to have settled down for now. I have searched around the net, but cannot find any information matching this.

What I do find instead are many records, including from overseas, of people reaching this page by searching for the keyword did not issue MAIL/EXPN/VRFY/ETRN. The same phenomenon seems to be showing up everywhere. Its most active period coincided with NetSky.Q, so perhaps, for example, when there is no address book it does something odd like simply connecting to whatever server it picks. (Pure speculation, mind you.)

I checked yet again on April 21 and there they were again. This time not several per second, just a trickle. Oh, Apr 20 03:01:01 came in twice. I suppose it really is a virus.
Apr 20 03:01:01 mail sendmail[878XX]: i3JI0aSe087898: CM64-iqui2-187-XXX.cm.vtr.net [200.86.187.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 03:01:01 mail sendmail[878XX]: i3JI0aqm087897: CM64-iqui2-187-XXX.cm.vtr.net [200.86.187.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 04:01:01 mail sendmail[150XX]: i3JJ0eva015001: [218.73.149.2XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 04:56:28 mail sendmail[434XX]: i3JJuSRo043498: [195.174.215.2XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 06:31:14 mail sendmail[617XX]: i3JKVE7P061726: adsl-XXX-180-65.aep.bellsouth.net [68.215.180.XX] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 07:05:16 mail sendmail[100XX]: i3JM4hhr010076: XXX-222-150-128.abhsia.telus.net [66.222.150.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 07:30:59 mail sendmail[231XX]: i3JMULjn023144: [66.90.79.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 10:15:30 mail sendmail[63XX]: i3K1FTkq006330: XX-XX-148-217.cable.ubr04.enfi.blueyonder.co.uk [82.35.148.2XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 14:51:09 mail sendmail[635XX]: i3K5p9Nh063565: [61.11.37.2XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 16:30:55 mail sendmail[649XX]: i3K7UKHR064932: YahooBB21902205XXX.bbtec.net [219.22.50.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 16:51:22 mail sendmail[651XX]: i3K7pK5H065191: ACB44XXX.ipt.aol.com [172.180.75.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 18:01:49 mail sendmail[663XX]: i3K91mfd066391: [65.75.166.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 21:44:18 mail sendmail[691XX]: i3KCi4Vw069126: cmr-xx-xx-xx-xx.telecable.es [83.97.164.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 22:19:39 mail sendmail[695XX]: i3KDIlhV069527: XXXX.mi.dial.hexcom.net [216.234.98.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 22:57:10 mail sendmail[692XX]: i3KCv92a069283: XXXX.adsl.highway.telekom.at [62.47.160.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 23:30:58 mail sendmail[705XX]: i3KEUZO1070538: XXXXx.dialsprint.net [65.181.16.2XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 20 23:30:58 mail sendmail[705XX]: i3KEUDiY070537: XXXXX.ipt.aol.com [172.207.221.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 00:18:51 mail sendmail[711XX]: i3KFIoMh071189: [80.14.145.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 00:40:02 mail sendmail[714XX]: i3KFe0vf071413: xx-231-XX-33.dynamic.hinet.net [61.231.82.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 01:52:21 mail sendmail[722XX]: i3KGqKjZ072232: [80.14.71.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 02:42:10 mail sendmail[733XX]: i3KHgANZ073335: [81.48.154.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 02:49:26 mail sendmail[733XX]: i3KHnQ3s073387: [81.250.201.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 04:07:58 mail sendmail[744XX]: i3KJ7vaF074434: [83.112.56.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 04:58:02 mail sendmail[748XX]: i3KJw09f074873: [66.50.11.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 05:53:36 mail sendmail[753XX]: i3KKrG6l075342: [219.95.221.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 09:05:35 mail sendmail[774XX]: i3L05Fex077492: [218.4.244.2XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 09:11:28 mail sendmail[775XX]: i3L0B49w077593: XXXX.ap.plala.or.jp [219.164.31.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 13:28:52 mail sendmail[914XX]: i3L4JUZC091448: xxxx.xxxx.ap.so-net.ne.jp [202.238.101.1XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 21 15:18:01 mail sendmail[934XX]: i3L6HZL1093451: [61.138.115.XX] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA