25,000-Ton Amphibious Spam Relay
hormiga writes "The amphibious transport dock ship San Antonio incorporates the latest quality of life standards for the embarked Marines and sailors, including the sit-up berth, ship services mall, a fitness center and learning resource center/electronic classroom and Unsolicited Bulk E-Mail. Now the Chinese can relay their spam through U.S. military naval vessels." Well, Chinese spammers, anyhow.
The ship supports the Marine Corps "mobility triad," the LCAC (Landing Craft Air Cushion vehicle), the "Triple A-V" (AAAV - Advanced Amphibious Assault Vehicle) and the MV-22 (Osprey tiltrotor aircraft), and (apparently) spammers in Guangdong, Red China.
Furthermore, San Antonio incorporates the latest quality of life standards for the embarked Marines and sailors, including the sit-up berth, ship services mall, a fitness center and learning resource center/electronic classroom and Unsolicited Bulk E-Mail.
Of course, it's possible that one of the OTHER eleven ships, still under
construction, is the Avondale, LA dot-MIL spam relay, or trojaned boat,
or some nice-and-secure Windows box in the construction drydocks, running
Microsoft Exchange Internet Mail Service Version 5.5.2653.13
But doesn't it make all Americans feel all fuzzy and secure that a
Red Chinese spammer can abuse a US Naval Vessel of one of the newest
designs, to relay his "business proposition"?
Perhaps it's tied to the USS Green Bay, instead? Or USS New Orleans?
http://www.navsea.navy.mil/newswire_content.asp?txtDataID=8963&txtTypeID=2
The USS Mesa Verde seems to be in Mississippi, instead
http://www.navsea.navy.mil/newswire_content.asp?txtDataID=8663&txtTypeID=2
But the E-Mail headers finger the USS San Antonio, LPD 17, already
christened, and due for commissioning some time this coming year.
LPD 17 Looks Like a "Gator"
http://www.navsea.navy.mil/newswire_content.asp?txtDataID=8596&txtTypeID=2
but from here, it just looks like another spammer.
[SPECIMEN]
H: Return-Path:
H: Received: from avnavfw.lpd17.navsea.navy.mil
H: (avnavfw.pms317.navy.mil [205.67.231.235])
H: by mail.gtcs.com (8.12.10/8.11.3/gtcs-6.3.8) with SMTP
H: id hBG65HO8091853
H: for ; Mon, 15 Dec 2003 23:06:39 -0700 (MST)
H: (envelope-from: )
H: X-Authentication-Warning: serv.gtcs.com: Host
H: avnavfw.pms317.navy.mil [205.67.231.235]
H: claimed to be avnavfw.lpd17.navsea.navy.mil
H: Received: from no.name.available by anavfw.lpd17.navsea.navy.mil
H: via smtpd (for [209.181.16.1]) with SMTP; 16 Dec 2003 05:53:08 UT
H: Received: from avnavfw.AVONDALE (205.67.231.5 [205.67.231.5]) by
H: swn-email.lpd17.navy.mil with SMTP (Microsoft Exchange Internet Mail
H: Service Version 5.5.2653.13)
H: id YY2BDP4P; Tue, 16 Dec 2003 00:07:28 -0600
H: From: "HuatonE-ScooterCo.,Ltd"
H: Received: from [61.145.234.62] by avnavfw.AVONDALE
H: via smtpd (for [205.66.99.30]) with SMTP; 16 Dec 2003 05:51:47 UT
H: Subject: Re.About our new product
H: Content-Type: text/html
H: Date: Tue, 16 Dec 2003 13:57:41 +0800
H: X-Priority: 3
[extract from HTML body]
B: Our company specializes in exporting electric & gas scooters, which
B: are most popular with our customers at home and abroad. Now we are
B: writing to offer you an opportunity to develop a mutual trade. If
B: you are interested in establishing business relations with us, please
B: let us know your requirements. Then we would like to forward catalogues
B: as well as detailed information to you, and offer the best price to
B: you. We assure you of our best attention to your any inquiries.
B: We anticipate your early response in respect.
B: Huaton E-scooter Co., Ltd.
B: Room.B-202,Building Si-Hai-Ming-Yuan
B: Burg Weiji,Zone Gongbei
B: City Zhuhai 519020
B: Province Kwangtung,China
B: Tel:86-756-821-6922
B: Fax:86-756-888-3037
Spam support by:
The US Navy, Avondale Louisiana Shipyard, Firewall, a
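Reading a Received chain is the whole forensic exercise in this story, so here is a worked version of it as an added example (not code from the original post or from any site named in it). It unfolds the specimen headers, walks the hops oldest-first, and reports what a postmaster would check: where the message entered, which hop's HELO name disagreed with its reverse DNS (the sendmail X-Authentication-Warning above), whether the middle hosts carried mail between two outside parties, and whether the timestamps run backwards somewhere. The SPECIMEN string is constructed from the headers quoted above, with the garbled "05.67.231.235" restored to 205.67.231.235 as the X-Authentication-Warning line gives it; the recipient address is blank on the page and stays blank. The domain-suffix list passed to analyze() is an assumption made for the example, not a statement about who runs those hosts.

```python
"""Reconstruct and sanity-check the relay path in a set of Received headers.

Added example for this thread, not code from the original post. SPECIMEN is
built from the headers quoted on the page (garbled IP restored from the
X-Authentication-Warning line, blank recipient left blank). The suffix list
given to analyze() is an assumption for the example only.
"""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

SPECIMEN = """\
Received: from avnavfw.lpd17.navsea.navy.mil
 (avnavfw.pms317.navy.mil [205.67.231.235])
 by mail.gtcs.com (8.12.10/8.11.3/gtcs-6.3.8) with SMTP
 id hBG65HO8091853
 for ; Mon, 15 Dec 2003 23:06:39 -0700 (MST)
 (envelope-from: )
X-Authentication-Warning: serv.gtcs.com: Host
 avnavfw.pms317.navy.mil [205.67.231.235]
 claimed to be avnavfw.lpd17.navsea.navy.mil
Received: from no.name.available by anavfw.lpd17.navsea.navy.mil
 via smtpd (for [209.181.16.1]) with SMTP; 16 Dec 2003 05:53:08 UT
Received: from avnavfw.AVONDALE (205.67.231.5 [205.67.231.5]) by
 swn-email.lpd17.navy.mil with SMTP (Microsoft Exchange Internet Mail
 Service Version 5.5.2653.13)
 id YY2BDP4P; Tue, 16 Dec 2003 00:07:28 -0600
From: "HuatonE-ScooterCo.,Ltd"
Received: from [61.145.234.62] by avnavfw.AVONDALE
 via smtpd (for [205.66.99.30]) with SMTP; 16 Dec 2003 05:51:47 UT
"""

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"                                     # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"  # what the receiver actually saw
    r".*?\bby\s+(?P<by>\S+)",                                    # host that wrote the stamp
    re.S)
FOR_RE = re.compile(r"\(for \[(?P<fwd>[\d.]+)\]\)")               # smtpd proxy: where it forwarded


def unfold_headers(raw):
    """Join folded continuation lines; returns [(name, value), ...] in wire order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_hop(value):
    """Fields of one Received header, or None if it is not 'from ... by ...'."""
    m = HOP_RE.match(value)
    if not m:
        return None
    hop = m.groupdict()
    fwd = FOR_RE.search(value)
    hop["forwarded_to"] = fwd.group("fwd") if fwd else None
    # The date follows the last ';' in a well-formed stamp; normalise to UTC.
    hop["time"] = (parsedate_to_datetime(value.rsplit(";", 1)[1]).astimezone(timezone.utc)
                   if ";" in value else None)
    return hop


def relay_path(raw):
    """Hops oldest-first: each MTA prepends its stamp, so the wire order is newest-first."""
    hops = [parse_hop(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [h for h in reversed(hops) if h]


def analyze(raw, our_suffixes):
    """Findings a postmaster looks for: origin, HELO lies, third-party relay, clock skew."""
    hops = relay_path(raw)
    if not hops:
        return [("no-received", "no parsable Received headers")]
    suffixes = tuple(s.lower() for s in our_suffixes)
    ours = lambda name: name.lower().endswith(suffixes)
    first, last = hops[0], hops[-1]
    origin = first["ip"] or first["helo"].strip("[]")
    findings = [("origin", f"first hop came from {origin} into {first['by']}")]
    for hop in hops:
        rdns = hop["rdns"]
        if rdns and not re.fullmatch(r"[\d.]+", rdns) and hop["helo"].lower() != rdns.lower():
            findings.append(("helo-mismatch", f"{hop['ip']} claimed to be {hop['helo']} "
                             f"but resolves to {rdns} (seen by {hop['by']})"))
    relays = [h["by"] for h in hops[:-1]]
    if not ours(origin) and not ours(last["by"]) and any(ours(r) for r in relays):
        findings.append(("third-party-relay", f"{' -> '.join(relays)} carried mail from "
                         f"{origin} to {last['by']}, neither of which is local"))
    for a, b in zip(hops, hops[1:]):
        if a["time"] and b["time"] and b["time"] < a["time"]:
            findings.append(("clock-skew", f"{b['by']} stamped {b['time']:%H:%M:%S}Z, earlier than "
                             f"{a['time']:%H:%M:%S}Z at the previous hop {a['by']}"))
    return findings


if __name__ == "__main__":
    for hop in relay_path(SPECIMEN):
        when = hop["time"].strftime("%Y-%m-%d %H:%M:%SZ") if hop["time"] else "?"
        print(f"{when}  {hop['helo']:<34} -> {hop['by']}")
    for kind, detail in analyze(SPECIMEN, (".navy.mil", ".avondale")):  # suffixes assumed
        print(f"[{kind}] {detail}")
```

Run as-is it prints the four hops in the order the message actually travelled (61.145.234.62 into avnavfw.AVONDALE, on to the Exchange box, out through the navsea proxy, delivered at mail.gtcs.com) and four findings. Two are worth noting beyond what the thread says: the Exchange stamp (00:07:28 -0600) is later than the proxy stamp that follows it, so one of those clocks is off by roughly a quarter of an hour, and only the outermost stamp carries a reverse-DNS check, because the two smtpd proxy stamps record no client name at all. Trust only the stamps written by hosts you control; everything below the first one you trust can be forged by the sender.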
I hate to destroy part of a good story. But San Antonio is NOT, repeat NOT, the spam relay. LANs on ships are NOT connected to the Internet. The military has its own non-public networks for ships. Furthermore, San Antonio has NOT been delivered to the Navy. It is still under construction. That's the good news. The bad news is that a Navy site has been compromised. The headers give us some clues. avnavfw.pms317.navy.mil is a Navy address. PMS317 is the Navy program office responsible for building the San Antonio class of ships. Avondale Shipyard is where the ships are built.
In other words, it's a closed relay and this whole story is a non-story.
It was closed when I hit it. Can't say how long it had been in that state, hence my speculative subject line.
Maybe it's an SMTP proxy.
It seems like YOU can't figure out what you're talking about.
LPD-17 class ships (Landing Platform, Dock) are not themselves amphibious, but transport amphibious craft such as LCACs (Landing Craft, Air Cushion) and other vehicles used in amphibious operations.
For more information on these ships, see
I have a feeling that the important systems on the ship are completely isolated from anything with Internet access. I knew a guy who installed servers at military bases, and each person would have two computers at their desk, one connected to the Internet (through a firewall and some other stuff), and one on the sensitive side. Also, the screen on the sensitive side had something like "Danger!Danger!Danger!Danger!" as wallpaper, etc.
Derek
Don't Panic...
Error 421 is an error code returned by a mail server (or an SMTP proxy, if some of you are *that* picky) that means service unavailable.
Please direct all bug reports to
Um, no. It is possible for a firewall to exist such that if you connect to it on port 25, and you're authorized to talk to that site's mail server, it passes your packets through the firewall and on to the mail server. If you are not authorized, it either drops your packets on the floor, or responds with a message such as this one. 421 is the RFC822 code for "service not available". Just because a machine answers on 25 does not mean it's a "mail server" (tm). What it's saying is "I am not going to provide mail service to you because I don't know your IP address." "Mail service" simply means "access to some sort of MTA". It does not imply that the machine is in fact a mail server masquerading as a firewall. There are such things as proxy firewalls, and that's clearly what this is.
There is no sig, there is only Zuul.
(nt) stands for "no text"
That's a message from Symantec Enterprise Firewall (Raptor Firewall).
It's an SMTP proxy; if you try to connect to the firewall or an SMTP server on the far side of it on port 25 (or other configured ports) and there's no rule allowing it, you get this message.
All the Army Watercraft are not navy!
The Army Transportation Corps (wo)man the tugboats. They handle the ship to shore transport of equipment and supplies.
Not sure of the numbers now, but back in the 80s, the US Army had more watercraft than the Navy, more aircraft than the Air Force, and more grunts than the Marines.
Check FAS.org for more info on the "Army's navy"
Another good place for information on the Transportation corps is Ft Eustis
No...quoting from their site:
"The Navy Office of Information is headed by the Chief of Information (CHINFO), a Rear Admiral, who is the direct representative of the Secretary of the Navy and the Chief of Naval Operations for Navy-wide public affairs matters."
Actually with a few exceptions, the bulk of the "blue water" US scientific ships (e.g., AGOR class) are owned by the US Navy and are on loan to various academic institutions. These ships are distinctly different than their military counterparts as their hulls are painted white instead of gray.
We get 20k to 30k per day where I work, that's pieces of spam not bytes.
Of that I successfully filter 75%, only because when I had it down to 99% success rate people bitched that they were not getting enough mail. Go figure!
I have personally analyzed well over half a million spam messages over the last 8 months and have found less than 5% that were not spoofed.
These technical draftees are extraordinarily busy. They're asked to manage really complex systems that are not terribly reliable. MS Exchange and Win2k require good people to keep them going, but throw database replication systems and the rest of their suite on top, and they spend more of their time crying for help to shoreside contractors than getting things fixed. That their MS Exchange server got penetrated is hardly a surprise given the number of fires these guys are regularly trying to keep under control.
If they can get professional DBAs and Network Engineers on each ship and this happens, then I'd raise hell. But there aren't a whole lot of MCSEs and DBAs that want to go on 9 month sea deployments of 16-hour days with the starting salary of an E-3, which I guess is about $800/month. In the meantime, scream at Lockheed Martin, the contractor for the Navy-Marine Corps Internet (NMCI) project, which has hosed up more than they have fixed. NMCI dictates identical configurations across all systems, which makes it really likely that the vulnerability we see here exists virtually everywhere in the Navy. Lockheed designed it this way, and got paid an enormous pile of cash to do so.
Maybe they owe us a refund?
Do you really think anybody gets paid $800 a month in the military? Maybe if they had incurred multiple severe fines for screwing up royally. I don't know what it is nowadays, but when I was an E-1 about 10 years ago the pay was *struggles to remember* more like $1400 a month for the lowliest of the low E-1 nobody.