Pentagon Email Relays Found

by Doctor Electron

No, the author is not writing this from a prison cell. Yes, open email relays -- the kind spammers exploit -- were found on Pentagon computers and other U.S. military networks.

A net census of computers connected to the internet might well include Simple Mail Transfer Protocol (SMTP, RFC 821) servers, which accept connections from mail clients and from other mail servers on the default port, TCP 25. We started with (1) computers accepting internet connections on port 25 and developed from that (2) an estimate of the number of open mail relays in the world today.

Of the randomly selected addresses from 1.0.0.1 to 218.255.255.254 (excluding the loopback block 127.x.y.z), 5119 hosts, or 0.66%, completed a TCP connection on port 25. 775,606 probes (5119 / 0.66%) to random addresses were required to find these 5,000-plus open ports.

Other results by the author [papers in preparation] may provide context. Data collected thus far show that observed response rates for common services were: 1% for ICMP Echo, 0.76% for FTP port 21, 0.67% for telnet port 23, 0.66% for SMTP port 25, 0.60% for NetBios port 139, 0.52% for HTTP port 80, 0.47% for HTTPS port 443 and 0.37% for SSH port 22.

Now we estimate the population. The address space considered has about 3.6 billion possibilities (3,612,213,248 = 217 x 256 x 256 x 254): 217 values for the first octet (1 through 218, less 127), 256 each for the second and third, and 254 for the last (1 through 254, since .0 and .255 were not probed). Thus, 0.66% x 3.6 billion is a little more than 23.8 million addresses where a system listening on port 25 might be found.
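The sampling design and the scaling step above, written out as an added example (not the study's own sampler). It draws addresses uniformly from exactly the space the census describes, and attaches a 95% interval to the scaled-up count using the normal approximation for a sample proportion; that interval is an addition here, not something the article reports.

```python
# Random sampling of the address space the census probed: first octet 1-218
# with 127 (loopback) left out, last octet 1-254. Added example, not the
# study's own sampler; the interval calculation is a standard normal
# approximation that the article itself does not report.
import random

FIRST_OCTETS = [o for o in range(1, 219) if o != 127]  # 217 values


def address_space_size():
    """Number of addresses a probe could land on: 217 x 256 x 256 x 254."""
    return len(FIRST_OCTETS) * 256 * 256 * 254


def random_address(rng=random):
    """Draw one address uniformly from that space (rng may be a random.Random)."""
    return "%d.%d.%d.%d" % (rng.choice(FIRST_OCTETS), rng.randrange(256),
                            rng.randrange(256), rng.randrange(1, 255))


def in_sample_space(addr):
    """True if addr is one of the addresses random_address() can return."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return a in FIRST_OCTETS and 0 <= b <= 255 and 0 <= c <= 255 and 1 <= d <= 254


def population_estimate(hits, probes, working_fraction=1.0):
    """Scale a sample hit rate up to the whole space. Returns (point, low, high),
    where low/high bound a 95% interval on the count. working_fraction narrows
    the estimate the way the article does (0.63 of port-25 listeners answered
    as functioning SMTP servers)."""
    p = hits / probes
    se = (p * (1 - p) / probes) ** 0.5      # standard error of the proportion
    n = address_space_size() * working_fraction
    return round(p * n), round((p - 1.96 * se) * n), round((p + 1.96 * se) * n)
```

With the article's own figures, population_estimate(5119, 775606) returns a point estimate of about 23.84 million with an interval roughly 0.65 million either side, and working_fraction=0.63 brings the point estimate to about 15.0 million.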

With virtual IP address technology, probably there are not nearly as many as 23.8 million different machines in this estimated population of addresses. Indeed, entire domains including hundreds or in some cases thousands of addresses may be directed to a single SMTP server. But these considerations do not change our estimate of how many addresses will accept connections on the SMTP port 25.

3352 of the 5119 connections produced banners. 124 of these cases did not have functional SMTP servers, leaving 3228 servers (3352 - 124). This 3228 of the 5119 connections suggests that 63% of the connections have working SMTP servers implemented. Hence, we estimate about 15 million (0.63 x 23.8 million) mail server addresses presently world-wide. Many of the other 37% of the connected computers may be just listening to see who might stop by to chat and what they might say.

Many of the 3228 hosts politely stated that the client test program was not authorized to connect. However, 2663 servers were willing to talk, indicated by the 220 response code. This lab attempted to send "relay" mail in each case.

With random sampling of IP addresses, there was no bias in data collection concerning variables like geographic location, country, organization, etc. A reverse DNS lookup for each established connection showed that only a minority, 1204 of the 3252 hosts (37%), have a reverse DNS (PTR) entry for their host name. However, most of the others announce their host name in the 220 introductory banner. Thus, for both white-hat and black-hat hackers, port 25 may provide easily obtained information on host identity.

Using only the reverse DNS lookup and the SMTP banner self-identification to define domain categories in the data set (e.g., .com, .net, all other countries, etc), the largest operator of SMTP servers was found to be the U.S. military, followed by .com, .net, .org, .edu. and .gov.

Statistical analysis revealed that the .com and .net sites both showed significantly more 220 responses and fewer listening connections (which send no data) than expected by chance. The .mil and .gov connections showed the inverse pattern: significantly fewer 220 responses and more listening connections than expected by a random distribution of the data. Further, the .mil and .org connections more often answered that the client was not authorized to connect.

Two profiles emerge. The .com and .net domains appear to be more concerned with receiving mail (the 220 responses), compared to authorization and listening. On the other hand, for the .gov and .mil connections, there was relatively more emphasis on listening. Many of the listening connections may be the crudest types of honeypot: a socket that accepts the connection and records what the visitor says, without ever speaking.

Email Test #1, used in the present study, was conducted as follows:

POP3 Logon = none (no POP-before-SMTP authentication)
HELO = yourIPaddress
MAIL FROM = postmaster@yourIPaddress
RCPT TO = foreign, valid address
SUBJECT = Mail Test #1 of yourIPaddress

where "yourIPaddress" was the randomly selected IP address of the server under test.

Notice that the sender was portrayed as local to the server, namely its own postmaster.

If the SMTP server allowed mail to be sent, the text of the message was:

From: postmaster@yourIPaddress
To: freepress@myrealbox.com
Reply-to: postmaster@yourIPaddress
Subject: Mail Test #1 of yourIPaddress

This message was sent to test your SMTP server.
IF we receive this message, your server may be open to abuse.
And we will notify you by return email.
Please direct any questions to freepress@myrealbox.com

Note that this method identified Net Census with one of its valid email addresses in both the RCPT TO field and in the body of the message. An important methodological and ethical point is that the research entity should always identify itself.

Most SMTP servers rejected the email relay test #1, but not all.

343 servers simply disconnected, perhaps not liking the looks of our client IP address. Our client issued the HELO command using the IP address of the SMTP server as its identity, which was rejected by 23 servers.

For the remaining 2297 servers, our client sent "MAIL FROM:<postmaster@[serverIPaddress]>", which was rejected by 933 servers. It was somewhat comic that many replied that they did not know their own postmaster.

Next, the "RCPT TO:<freepress@myrealbox.com>" command was accepted (250 response) by 253 of the 1364 remaining servers. At this point in the protocol, some 1111 servers threw in the towel. The server had (1) the client IP address from the TCP packets, regardless of what it was told in the steps above, and now (2) that the recipient of the mail was not a local user, but rather a foreign address at a valid domain. Most servers stated that relay mail is not allowed.

The magic 354 response to the client "DATA" command indicated that 176 servers were ready to accept the email header and body text presented above. 174 connections then accepted the message with the 250 response. Most of these 174 apparently successful relay submissions were never delivered: only 50 emails were actually received. Some of these sessions may have been with fake servers (honeypots), or the mail may not have passed later screening by the hosts.
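The Email Test #1 dialogue described above, and the stage-by-stage funnel of rejections in the preceding paragraphs, as an added example. This is not the study's own client: it is a small transport-agnostic implementation of the same exchange, with the server's replies scripted inline (constructed, not captured data) so it runs offline. The script names, the example host mx.example.test and the address 198.51.100.7 are assumptions; the hypothetical SocketTransport shows how the same logic would run over TCP against a host you are authorised to test.

```python
# Email Test #1 as a transport-agnostic SMTP dialogue. Added example, not the
# study's own client; the scripted server replies are constructed to model
# the behaviours the study reports (open relay, relay denied, unknown
# postmaster, listener that never speaks, refusal at the banner).
import socket


class ScriptedTransport:
    """Replays canned server reply lines; running out of lines models a server
    that disconnects or only listens without ever sending a banner."""

    def __init__(self, reply_lines):
        self._replies = list(reply_lines)
        self.sent = []  # every line the client issued, for inspection

    def readline(self):
        return self._replies.pop(0) if self._replies else ""  # "" means EOF

    def sendline(self, line):
        self.sent.append(line)

    def close(self):
        pass


class SocketTransport:
    """Same interface over real TCP (hypothetical; not used by the offline demo)."""

    def __init__(self, host, port=25, timeout=15):
        self._sock = socket.create_connection((host, port), timeout=timeout)
        self._fp = self._sock.makefile("r", encoding="ascii", errors="replace")

    def readline(self):
        try:
            return self._fp.readline()
        except OSError:  # socket.timeout included: treat as "server sent nothing"
            return ""

    def sendline(self, line):
        self._sock.sendall((line + "\r\n").encode("ascii"))

    def close(self):
        self._sock.close()


def read_reply(transport):
    """Read one SMTP reply, following 'NNN-' continuation lines (RFC 821 4.2).
    Returns (code, text); code is None when the server sent nothing usable."""
    lines = []
    while True:
        line = transport.readline()
        if not line:
            return None, "\n".join(lines)
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # last (or only) line of the reply
            break
    code = lines[-1][:3]
    return (int(code) if code.isdigit() else None), "\n".join(lines)


def relay_test(transport, server_ip, rcpt="freepress@myrealbox.com"):
    """Run Email Test #1 against one server. The result names the stage at which
    the server stopped cooperating ('banner', 'helo', 'mail', 'rcpt', 'data',
    'message'), the reply code seen there, and relay=True only if the message
    itself was accepted with 250 after DATA."""
    sender = f"postmaster@[{server_ip}]"  # pose as the server's own postmaster
    steps = [
        ("helo", f"HELO {server_ip}", 250),
        ("mail", f"MAIL FROM:<{sender}>", 250),
        ("rcpt", f"RCPT TO:<{rcpt}>", 250),
        ("data", "DATA", 354),
    ]
    try:
        code, text = read_reply(transport)  # greeting; 220 means "willing to talk"
        if code != 220:
            return {"stage": "banner", "code": code, "relay": False, "reply": text}
        for stage, command, expected in steps:
            transport.sendline(command)
            code, text = read_reply(transport)
            if code != expected:
                return {"stage": stage, "code": code, "relay": False, "reply": text}
        for line in [f"From: {sender}", f"To: {rcpt}", f"Reply-to: {sender}",
                     f"Subject: Mail Test #1 of {server_ip}", "",
                     "This message was sent to test your SMTP server.",
                     f"Please direct any questions to {rcpt}", "."]:
            transport.sendline(line)
        code, text = read_reply(transport)
        return {"stage": "message", "code": code, "relay": code == 250, "reply": text}
    finally:
        try:
            transport.sendline("QUIT")
        except OSError:
            pass  # peer already gone
        transport.close()


# Constructed reply scripts (not captured data) for the offline demonstration.
OPEN_RELAY = ["220 mx.example.test ESMTP", "250 mx.example.test", "250 OK",
              "250 OK", "354 End data with <CR><LF>.<CR><LF>", "250 Queued"]
RELAY_DENIED = ["220 mx.example.test ESMTP", "250 mx.example.test", "250 OK",
                "550 5.7.1 Relaying denied"]
UNKNOWN_POSTMASTER = ["220-mx.example.test ESMTP", "220 Welcome",
                      "250 mx.example.test", "550 User unknown"]
NOT_AUTHORIZED = ["554 You are not authorized to connect"]
LISTENER_ONLY = []  # accepts the TCP connection but never sends a banner


def funnel(results):
    """Tally the stage at which each session ended, mirroring the study's
    2663 -> 2297 -> 1364 -> 253 -> 176 -> 174 progression."""
    counts = {}
    for r in results:
        counts[r["stage"]] = counts.get(r["stage"], 0) + 1
    return counts
```

Running relay_test over the five scripts with ScriptedTransport and passing the results to funnel gives one session ending at "message" (the open relay), one at "rcpt", one at "mail" and two at "banner". A 250 after DATA is only the server's promise to deliver; as the article's 174-versus-50 figures show, the proof of an open relay is the message arriving at the foreign mailbox.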

At the outset, we estimated 15 million addresses with SMTP servers accessible based on a sample of 3228 connections suggesting operating servers. With the present data and using the more conservative value of 50 relayed emails actually received, 50 of 3228 or 1.55% were demonstrated to be email relays.

Thus, we can estimate about 232,500 (0.0155 x 15 million) email relays -- almost one quarter million. No wonder there is so much spam.

For almost all of the relayed emails received by the author, it was possible to reply to the responsible persons of the systems affected to notify them of the email relay test result.

Considering the 174 relay emails accepted by SMTP servers, the most common domain types were: .com (n = 87), .mil (n = 51), other countries (n = 39), .edu (n = 12) and .net (n = 9). Thus, the biggest email relay operators appear to be commercial (.com) and the military (.mil).

Considering the 50 relay emails actually received, the major relays were .com (n = 22), other countries (n = 17) and .mil (n = 6).

124 of the 174 relay mails accepted for sending were never received, perhaps because of post-hoc screening by the host. From the values above, the share of accepted messages that never arrived was greatest for .mil (88%) and .com (75%) and least for other countries (56%).

Given the large number of U.S. military networks and email servers, it was somewhat puzzling that four of the six relay emails received from .mil servers were relayed through the Pentagon. An email address was found for the responsible parties at the Pentagon to provide notification and explanation of the test results. By the time the fourth relay email was received as a result of the random sampling procedure, it was found that even this previously valid contact email address had been closed.

This case study of SMTP servers illustrates how random sampling may be used to estimate population parameters in internet research. The data collected was used to estimate the number of IP addresses with SMTP servers accessible and finally the number of open email relay addresses.

The email test #1 used in this study is one variation of a variety of procedures that could be used to send relayed email. Therefore, strictly speaking, the email relay estimate calculated in this report applies to the specific method used.

Copyright 2002 Global Services

Last Modified: July 28, 2002
