Path: koobera.math.uic.edu!djb
From: djb@koobera.math.uic.edu (D. J. Bernstein)
Message-ID: <1996Nov2908.51.00.17895@koobera.math.uic.edu>
Date: 29 Nov 1996 08:51:00 GMT
Newsgroups: comp.security.unix,comp.mail.misc,comp.mail.sendmail
Subject: Internet host SMTP server survey
Organization: IR

I have a list of 12795635 IP addresses. To build this list, I combined
(1) the IP addresses found in the July 1996 Network Wizards DNS walk,
(2) the glue IP addresses listed in the InterNIC zone files, and (3) the
results of MX/A lookups for domains listed in the InterNIC zone files. I
removed duplicates and excluded {0,1,10,127}.*.

In the early morning of 27 November 1996, I selected a random sample of
500000 addresses and tried to connect to the SMTP port at each address.

473930 connection attempts did not lead to a greeting message:

   294526 timed out
   92146 host unreachable
   56261 connection refused
   29252 network unreachable
   1265 protocol not available
   365 immediate disconnect
   110 machine not on network
   5 operation not supported

26070 servers produced a greeting message. Most of them responded to
HELP. I have a script to guess what SMTP software is running; here are
the results:

   20963 Sendmail
   628 not sure
   514 Mercury
   376 Smail 3.1
   375 Post.Office
   362 NT Mail
   266 TGV/MultiNet
   231 smap
   200 MS Exchange
   194 Netscape Mail Server
   187 MMDF
   183 UCX
   171 AIMS
   123 Unknown (The normal sequence of events in sending a message)
   110 IMS SMTP Receiver
   89 SLmail
   76 Zmailer
   75 Unknown (All set, fire away)
   72 VMS MX
   71 EMWAC SMTP Receiver
   69 PMDF
   66 Unknown (Simple Mail Transfer Service Ready)
   58 IMail
   57 Unknown (Help ... Not recognized)
   51 MetaInfo Sendmail
   51 Mail*Link
   48 GroupWise
   40 Lotus SMTP MTA
   34 Major BBS
   31 qmail
   29 PP
   28 NetManage SMTP Service
   27 IMA SMTP
   27 Connect2-SMTP
   21 IBM VM SMTP
   20 Raptor firewall (Generic SMTP Handler)
   19 AltaVista Mail
   18 Worldgroup SMTP server
   18 MailShare
   15 Wollongong SMTP
   15 TFS Gateway
   12 SMTP-OpenVMS
   12 Exim
   10 AltaVista Firewall (SMTPXD)
   9 MailSite SMTP Receiver
   7 ListSTAR
   4 NASTA Gate
   3 Pony Express
   3 MindWire-SMTP
   2 CommuniGate SMTPGate

Here are some comments and conclusions.

1. At least 2.1 million IP addresses were in use for hosts reachable
that night.

2. There are more than 660000 SMTP servers. Here multihomed hosts are
counted multiple times.

3. 80% of the reachable SMTP servers---more than half a million IP
addresses---were running sendmail. Apparently Eric Allman's ``millions
of places'' comment is only a mild exaggeration.

4. No SMTP package other than sendmail is running on more than 2% of the
reachable SMTP servers, about 13000 hosts. For comparison: Several
organizations have more than 50000 hosts each.

5. Beware that servers here are _not_ weighted by actual use. This
survey does _not_ prove that sendmail is currently carrying most of the
Internet's mail traffic, although I believe that it is.

6. There are more than half a million SMTP servers with remotely
exploitable security holes permitting complete host compromise. It is
safe to conclude that the Internet is disastrously insecure.

7. Almost all SMTP servers allow uncontrolled mail relaying. In less
than an hour, an attacker could instruct 2000 different machines to
deliver a 1000000-byte message to 40000 target hosts _each_. The
resulting mail tsunami could cripple large portions of the Internet.

---Dan