I was suspicious as to why I would see an attempt to send email to this mailing list, so I followed up on what I found. The entry in the maillog file was as follows, except that the mailing list address has been changed:
Feb 15 00:00:14 frostdragon sendmail[4401]: k1F50C9G004401: ruleset=check_rcpt, arg1=<lpx_2005-list@cargosecurity.us>, relay=[:], reject=550 5.7.1 <lpx_2005-list@cargosecurity.us>... Mail from 211.32.91.234 refused - see http://opm.blitzed.org
When I performed a whois lookup at the American Registry for Internet Numbers (ARIN) on the IP address of the system that attempted to deliver email to my server, I saw the following:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
Since ARIN indicated that the address falls under the Asia Pacific Network Information Centre (APNIC), I went there and performed another whois query. From the APNIC record, the address block 211.32.0.0/16 is allocated to DACOM Corp., an ISP in Korea, with abuse@bora.net as the contact for spam reports.
inetnum: 211.32.0.0 - 211.32.255.255
netname: BORANET-NET-211-32
descr: DACOM Corp.
descr: Facility-based Telecommunication Service Provider
descr: providing Internet leased-ine, on-line service, BLL etc.
country: KR
admin-c: DB50-AP
tech-c: DB50-AP
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 20021025
status: ALLOCATED PORTABLE
source: APNIC
role: DACOM BORANET
address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
country: KR
phone: +82-2-2089-7755
fax-no: +82-2-2089-0706
e-mail: ipadm@nic.bora.net
e-mail: abuse@bora.net
e-mail: security@bora.net
admin-c: EC115-AP
tech-c: SIJ1-AP
nic-hdl: DB50-AP
mnt-by: MNT-KRNIC-AP
remarks: IP address administrator group of NIC team, DACOM Corp.
remarks: If related with spam, send mail to abuse@bora.net
remarks: If related with security, send mail to security@bora.net
remarks: Only for whois information correction, send mail to ipadm@nic.bora.net
changed: jeonsi@bora.net 20041105
source: APNIC
When I used blq, a script that queries a series of DNS-based blackhole lists (DNSBLs), to check which blacklists the IP address might be on, I found the following:
# ./blq all 211.32.91.234
211.32.91.234 : sbl.spamhaus.org : ok
211.32.91.234 : relays.visi.com : ok
211.32.91.234 : dialups.visi.com : ok
211.32.91.234 : relays.ordb.org : ok
211.32.91.234 : dnsbl.njabl.org : ok
211.32.91.234 : dnsbl.sorbs.net : ok
211.32.91.234 : blackholes.five-ten-sg.com : BLOCKED
211.32.91.234 : bl.spamcop.net : ok
211.32.91.234 : hil.habeas.com : ok
211.32.91.234 : cbl.abuseat.org : BLOCKED
211.32.91.234 : psbl.surriel.com : ok
211.32.91.234 : ipwhois.rfc-ignorant.org : ok
211.32.91.234 : opm.blitzed.org : BLOCKED
211.32.91.234 : wingate.opm.blitzed.org : ok
211.32.91.234 : socks.opm.blitzed.org : ok
211.32.91.234 : http.opm.blitzed.org : ok
211.32.91.234 : list.dsbl.org : BLOCKED
211.32.91.234 : multihop.dsbl.org : ok
211.32.91.234 : unconfirmed.dsbl.org : BLOCKED
211.32.91.234 : blackholes.mail-abuse.org : ok
211.32.91.234 : dialups.mail-abuse.org : ok
211.32.91.234 : relays.mail-abuse.org : ok
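The two steps above, pulling the rejected IP out of the sendmail log entry and then querying DNSBLs the way blq does, as an added worked example in Python. This is not code from the original page or from blq; the maillog line it parses is a constructed copy of the entry shown earlier, the resolver is injectable so the lookup logic can be checked offline, and the zone names are only those that appear on this page (several of them no longer exist, which is exactly the failure mode the 127/8 check guards against).

```python
import re
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample modelled on the maillog entry quoted above; the
# mailing-list address is the same placeholder the page uses.
SAMPLE_MAILLOG = (
    "Feb 15 00:00:14 frostdragon sendmail[4401]: k1F50C9G004401: "
    "ruleset=check_rcpt, arg1=<lpx_2005-list@cargosecurity.us>, relay=[:], "
    "reject=550 5.7.1 <lpx_2005-list@cargosecurity.us>... "
    "Mail from 211.32.91.234 refused - see http://opm.blitzed.org"
)

# Matches a sendmail DNSBL rejection: the ruleset that fired, the SMTP
# reply code, the refused client IP and the URL of the list that caused it.
_REJECT_RE = re.compile(
    r"ruleset=(?P<ruleset>\S+),.*?"
    r"reject=(?P<code>\d{3} \d\.\d\.\d) .*?"
    r"Mail from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) refused - see (?P<url>\S+)"
)


def parse_dnsbl_reject(line: str) -> Optional[Dict[str, str]]:
    """Return ruleset, code, ip and url from a DNSBL rejection line, or None."""
    m = _REJECT_RE.search(line)
    return m.groupdict() if m else None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL client looks up: octets reversed, zone appended.
    211.32.91.234 in opm.blitzed.org becomes 234.91.32.211.opm.blitzed.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def _system_resolve(name: str) -> Optional[str]:
    """Default resolver: A-record lookup through the system resolver.
    NXDOMAIN, the normal 'not listed' answer, comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(
    ip: str,
    zones: Iterable[str],
    resolve: Callable[[str], Optional[str]] = _system_resolve,
) -> Dict[str, str]:
    """Query each zone and report BLOCKED or ok per zone, as blq does.

    A listing is signalled by an A record inside 127.0.0.0/8.  Any other
    answer is treated as 'ok': a zone that has been abandoned and
    wildcarded to a parking address would otherwise mark every IP as
    listed, which is a real hazard with the older lists on this page."""
    results: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        listed = answer is not None and answer.startswith("127.")
        results[zone] = "BLOCKED" if listed else "ok"
    return results


def triage(
    line: str,
    zones: Iterable[str],
    resolve: Callable[[str], Optional[str]] = _system_resolve,
) -> Optional[Tuple[str, Dict[str, str]]]:
    """Parse one rejection line and look the refused IP up in the zones."""
    rec = parse_dnsbl_reject(line)
    if rec is None:
        return None
    return rec["ip"], check_dnsbls(rec["ip"], zones, resolve)


if __name__ == "__main__":
    # Live run against the system resolver; dead zones simply answer NXDOMAIN.
    result = triage(SAMPLE_MAILLOG, ["sbl.spamhaus.org", "cbl.abuseat.org", "opm.blitzed.org"])
    if result:
        ip, hits = result
        for zone, status in hits.items():
            print(f"{ip} : {zone} : {status}")
```

The injected resolver is what makes the listing logic testable without the network; in production the default resolver is used and the only thing worth adding is a per-query timeout, since a DNSBL that has gone silent will otherwise stall the whole sweep.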
I then ran a basic proxy test with pxytest, a Perl utility that probes a host on a set of common proxy ports and protocols to determine whether it is functioning as an open proxy (-v2 turns on verbose output):
# ./pxytest -v2 211.32.91.234
Testing addr "211.32.91.234" port "80" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "80" proto "http-post" ... cannot connect
Testing addr "211.32.91.234" port "3128" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "8080" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "8080" proto "http-post" ... cannot connect
Testing addr "211.32.91.234" port "8081" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "1080" proto "socks4" ... cannot connect
Testing addr "211.32.91.234" port "1080" proto "socks5" ... cannot connect
Testing addr "211.32.91.234" port "23" proto "telnet" ... cannot connect
Testing addr "211.32.91.234" port "23" proto "cisco" ... cannot connect
Testing addr "211.32.91.234" port "23" proto "wingate" ... cannot connect
Testing addr "211.32.91.234" port "6588" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "1180" proto "socks4" ... cannot connect
Test complete - no proxies found
pxytest did not find proxy server software on any of the common proxy ports it tests. When I queried the opm.blitzed.org site for the reason the system was listed, however, it showed the proxy service on port 31453, a port pxytest does not probe by default. The proxy is, or at least was, a SOCKS proxy.
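What pxytest actually does on a SOCKS4 port, and what one would send to port 31453 to confirm the opm.blitzed.org listing, as an added example in Python (not code from the page, from pxytest, or from the listing site). It builds a SOCKS4 CONNECT request, parses the 8-byte reply, and wraps both in a probe that mirrors pxytest's "cannot connect" / granted / refused outcomes. The destination address 192.0.2.10 is a documentation placeholder standing in for a host you control (pxytest points the proxy back at the tester's own mail server on port 25); only probe hosts you are authorised to test.

```python
import socket
import struct
from typing import Optional, Tuple

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 90          # reply CD field: 90 granted, 91..93 rejected


def build_socks4_connect(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT (2 bytes, network order),
    DSTIP (4 bytes), USERID, NUL terminator."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port)
            + socket.inet_aton(dst_ip) + userid + b"\x00")


def parse_socks4_reply(data: bytes) -> Tuple[bool, int]:
    """Parse the 8-byte SOCKS4 reply: VN (always 0), CD, DSTPORT, DSTIP.
    Returns (granted, cd).  Raises ValueError if this is not a SOCKS4 reply,
    which is what an HTTP server or a telnet banner on the same port gives."""
    if len(data) < 8:
        raise ValueError(f"short SOCKS4 reply: {len(data)} bytes")
    vn, cd, _dst_port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError(f"unexpected VN {vn}: not a SOCKS4 reply")
    return cd == SOCKS4_GRANTED, cd


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or whatever arrived before the peer closed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_socks4(host: str, port: int, dst_ip: str, dst_port: int = 25,
                 timeout: float = 10.0) -> Optional[bool]:
    """Ask host:port to open a SOCKS4 connection to dst_ip:dst_port.

    Returns None if the TCP connection fails (pxytest's "cannot connect"),
    False if the service refused or did not speak SOCKS4, True if the
    CONNECT was granted.  A granted reply is strong evidence of an open
    proxy; pxytest goes one step further and checks that the SMTP banner
    of its own server then arrives through the tunnel."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_socks4_connect(dst_ip, dst_port))
            reply = _recv_exact(s, 8)
    except OSError:
        return None
    try:
        granted, _cd = parse_socks4_reply(reply)
    except ValueError:
        return False
    return granted


if __name__ == "__main__":
    # Hypothetical target and callback host; replace with hosts you may test.
    outcome = probe_socks4("192.0.2.1", 31453, "192.0.2.10", 25, timeout=5.0)
    print({None: "cannot connect", False: "no open SOCKS4 proxy", True: "OPEN PROXY"}[outcome])
```

The same request on port 1080 is what pxytest's "socks4" line sends; passing 31453 instead is the one change needed to test the port the blacklist reported, which is the gap the default port list left in the scan above.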
I then checked port 31453 on the system with nmap. The first scan got no response because nmap's ping probes went unanswered, and a plain ping failed as well, so I rescanned ports 80 and 31453 with -P0 (spelled -Pn in current nmap releases), which skips the ping and assumes the host is up. Both ports came back "filtered", meaning nmap received neither a SYN/ACK nor a RST; the "1 host up" in the summary is only a consequence of -P0 assuming so, not evidence that the system was reachable. The system may have been taken off-line because it was being used to relay spam, or the problem may have been addressed in some other way.
$ nmap -p 31453 211.32.91.234
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 60 seconds
$ ping 211.32.91.234
PING 211.32.91.234 (211.32.91.234) 56(84) bytes of data.
--- 211.32.91.234 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5013ms
$ nmap -P0 -p 80,31453 211.32.91.234
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (211.32.91.234):
Port State Service
80/tcp filtered http
31453/tcp filtered unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 36 seconds
Created: February 21, 2006