Welcome to Part 3 of our series of blog posts dissecting each of the datasets available as part of Abusix Mail Intelligence. This time we’re looking at our Exploit IP list.
How the Exploit IP List is built:
This list is 100% automated. I call it our “behavioral” blacklist because it looks at all of our SMTP inputs (not just traps), observes the behavior of the SMTP client and of the SMTP transaction, and lists IPs that behave in a way a regular SMTP server never would.
Some examples include:
- The SMTP client identifies itself as a host that we know it is not.
- The SMTP client authenticates to our trap network.
- The SMTP client is sending messages that seriously breach the email RFCs.
- The SMTP client has a signature of known spamware (e.g. Sendsafe).
- We’ve observed the IP submitting web forms to multiple hosts containing spam.
Reasons for being listed & how to avoid getting listed on our Exploit IP List:
Common reasons for being listed in our exploit list:
- Compromised or infected hosts (e.g. PCs, laptops, servers, routers, IoT devices).
- A shared IP that is also used by compromised or infected hosts (e.g. VPN, NAT, Tor).
- In very rare cases, misconfigured SMTP servers.
Compromised or Infected hosts
Keep your devices up to date with the latest software, firmware, patches, and plugin updates. Make sure you run anti-virus software.
Currently, the most common compromises we see are from Windows PCs, Mikrotik routers, and WordPress installations. All of these could be avoided by keeping the devices up to date with the latest patches, firmware updates, and plugins.
Many infections bypass any local SMTP server: they implement their own SMTP client and talk directly to the recipient’s MX over 25/tcp, which makes them more difficult to detect. It also means they bypass any rate limits, so considerable amounts of mail can be sent.
Shared IPs
If your mail server uses an external IP that is part of a NAT pool, and the internal clients are not blocked from making outbound connections on TCP port 25, then that IP could become listed as soon as an infected device’s traffic is translated through it.
Block outbound 25/tcp for everything except your SMTP servers. Also, do not place an SMTP server on the same external IP used by a NAT pool; SMTP servers should always have their own external IP.
For Tor or VPN users, the external IP you have been allocated may be shared with multiple other users, some of whom have been sending spam or malware, or one of whom has an infected PC. For VPN users, switching to a different server or reconnecting is usually all that is needed to receive a new IP.
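As an added example (not from the Abusix post) of the two recommendations above, here is an nftables ruleset for a gateway that NATs a client LAN: only the internal MTA may open outbound 25/tcp, every other attempt on that port is logged and dropped, and the MTA is translated to its own dedicated external address while clients share the pool. All addresses and interface names are placeholders.

```nftables
# Added example, not from the Abusix post. All values are placeholders.
define lan_if   = "eth1"
define wan_if   = "eth0"
define mail_srv = 10.0.0.25      # internal address of the only permitted MTA
define mail_ext = 203.0.113.25   # dedicated external IP used by the MTA alone

table inet egress {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only the MTA may open outbound SMTP. Everything else on 25/tcp is
        # logged (the log line points you at the infected host) and dropped,
        # so a compromised client cannot talk directly to remote MX hosts.
        iifname $lan_if oifname $wan_if tcp dport 25 ip saddr $mail_srv accept
        iifname $lan_if oifname $wan_if tcp dport 25 log prefix "smtp-egress-blocked " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # The MTA gets its own external address; clients share the pool,
        # so client infections never put the mail server's IP on a list.
        oifname $wan_if ip saddr $mail_srv snat to $mail_ext
        oifname $wan_if snat to 203.0.113.10-203.0.113.20
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the `smtp-egress-blocked` prefix to find devices that are trying to send mail on their own.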
Misconfigured SMTP servers
Make sure the hostname of the server is set correctly (e.g. not “localhost.localdomain”) and that the domain used actually belongs to you. If you’re going to use an internal domain name, make sure it doesn’t use a public TLD, as someone else might register it.
Also, make sure you aren’t breaching the SMTP RFCs by removing Received headers. This is very bad practice: it provides no additional security, makes troubleshooting much more difficult, and makes your messages far more likely to be treated as spam, so you could get listed.
Hope that is useful.
Until next time – stay safe.
Steve