Path: koobera.math.uic.edu!djb
From: djb@koobera.math.uic.edu (D. J. Bernstein)
Message-ID: <1996Nov2908.51.00.17895@koobera.math.uic.edu>
Date: 29 Nov 1996 08:51:00 GMT
Newsgroups: comp.security.unix,comp.mail.misc,comp.mail.sendmail
Subject: Internet host SMTP server survey
Organization: IR

I have a list of 12795635 IP addresses. To build this list, I combined
(1) the IP addresses found in the July 1996 Network Wizards DNS walk,
(2) the glue IP addresses listed in the InterNIC zone files, and
(3) the results of MX/A lookups for domains listed in the InterNIC zone
files. I removed duplicates and excluded {0,1,10,127}.*.

In the early morning of 27 November 1996, I selected a random sample of
500000 addresses and tried to connect to the SMTP port at each address.

473930 connection attempts did not lead to a greeting message:

   294526 timed out
    92146 host unreachable
    56261 connection refused
    29252 network unreachable
     1265 protocol not available
      365 immediate disconnect
      110 machine not on network
        5 operation not supported

26070 servers produced a greeting message. Most of them responded to
HELP. I have a script to guess what SMTP software is running; here are
the results:

    20963 Sendmail
      628 not sure
      514 Mercury
      376 Smail 3.1
      375 Post.Office
      362 NT Mail
      266 TGV/MultiNet
      231 smap
      200 MS Exchange
      194 Netscape Mail Server
      187 MMDF
      183 UCX
      171 AIMS
      123 Unknown (The normal sequence of events in sending a message)
      110 IMS SMTP Receiver
       89 SLmail
       76 Zmailer
       75 Unknown (All set, fire away)
       72 VMS MX
       71 EMWAC SMTP Receiver
       69 PMDF
       66 Unknown (Simple Mail Transfer Service Ready)
       58 IMail
       57 Unknown (Help ... Not recognized)
       51 MetaInfo Sendmail
       51 Mail*Link
       48 GroupWise
       40 Lotus SMTP MTA
       34 Major BBS
       31 qmail
       29 PP
       28 NetManage SMTP Service
       27 IMA SMTP
       27 Connect2-SMTP
       21 IBM VM SMTP
       20 Raptor firewall (Generic SMTP Handler)
       19 AltaVista Mail
       18 Worldgroup SMTP server
       18 MailShare
       15 Wollongong SMTP
       15 TFS Gateway
       12 SMTP-OpenVMS
       12 Exim
       10 AltaVista Firewall (SMTPXD)
        9 MailSite SMTP Receiver
        7 ListSTAR
        4 NASTA Gate
        3 Pony Express
        3 MindWire-SMTP
        2 CommuniGate SMTPGate

Here are some comments and conclusions.

1. At least 2.1 million IP addresses were in use for hosts reachable
that night.

2. There are more than 660000 SMTP servers. Here multihomed hosts are
counted multiple times.

3. 80% of the reachable SMTP servers---more than half a million IP
addresses---were running sendmail. Apparently Eric Allman's ``millions
of places'' comment is only a mild exaggeration.

4. No SMTP package other than sendmail is running on more than 2% of the
reachable SMTP servers, about 13000 hosts. For comparison: Several
organizations have more than 50000 hosts each.

5. Beware that servers here are _not_ weighted by actual use. This
survey does _not_ prove that sendmail is currently carrying most of the
Internet's mail traffic, although I believe that it is.

6. There are more than half a million SMTP servers with remotely
exploitable security holes permitting complete host compromise. It is
safe to conclude that the Internet is disastrously insecure.

7. Almost all SMTP servers allow uncontrolled mail relaying. In less
than an hour, an attacker could instruct 2000 different machines to
deliver a 1000000-byte message to 40000 target hosts _each_. The
resulting mail tsunami could cripple large portions of the Internet.

---Dan
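
The extrapolations behind conclusions 1 to 4, as an added example that is not part of the original post: it scales the sample counts to the full address list and attaches 95% Wilson score intervals, which go beyond what the post reports. The function names are illustrative, and the choice of which responses count as an answering host (ANSWERED) is an assumption, since the post does not say how the 2.1 million figure was derived.

```python
import math

# Figures quoted in the post.
POPULATION = 12795635  # addresses in the combined list
SAMPLE = 500000        # randomly selected addresses probed
GREETING = 26070       # probes that returned an SMTP greeting
SENDMAIL = 20963       # greetings classified as Sendmail
MERCURY = 514          # largest non-Sendmail count
# Assumption (not stated in the post): a greeting, a refused connection or an
# immediate disconnect each show that a host answered at that address.
ANSWERED = GREETING + 56261 + 365

def wilson(k, n, z=1.96):
    """Wilson score interval (about 95% for z=1.96) for the proportion k/n."""
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def extrapolate(k, n=SAMPLE, total=POPULATION):
    """Scale a sample count to the full list: (estimate, low, high).

    No finite-population correction is applied; the sample is under 4% of
    the list, so the interval is very slightly wider than necessary.
    """
    low, high = wilson(k, n)
    return round(k / n * total), round(low * total), round(high * total)

def report():
    """Return the post's headline figures with their sampling intervals."""
    return {
        "hosts_answering": extrapolate(ANSWERED),
        "smtp_servers": extrapolate(GREETING),
        "sendmail_servers": extrapolate(SENDMAIL),
        "sendmail_share": wilson(SENDMAIL, GREETING),
        "mercury_share": wilson(MERCURY, GREETING),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```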