North American Network Operators Group
Re: Weird distributed spam attack
On 11/20/2002 at 12:40 PM, <[email protected]> wrote:

> In addition to thousands of open relays, which are bad enough in
> their own right, there are also thousands of open proxy servers
> which a growing number of spammers have been using to launch spam
> runs lately. I suspect that's what you're seeing.

Almost all SMTP dictionary-crack attacks are done through open proxies, otherwise it's a "delivery attack" carrying actual spam. Some ISPs seem to have problems understanding the concept that log evidence showing 200 unknown users being probed is in-your-face evidence of illegal trespass and accessing another host/network without authorization.

Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist Verifier Pro) pumps out specifically uses "rotating proxies" to do its illegal work. Talk about a company not worth defending, even if it's against the DMCA. Dimitry should find himself a more ethical employer, even if Adobe was wrong on this to begin with.

> If you aren't blocking traffic from open proxy servers via a dns
> blacklist, I predict that you will definitely see increasingly
> aggressive spam attacks coming in from diverse locations (although
> the more you look at the problem, the easier it becomes to identify
> the handful of carriers who are open proxy-tolerant).

If you don't use at least several DNSBLs, you are already DEAD from dictionary attacks, I'd say. I have personally observed an attack against a DS3-connected server from a single source IP, ratcheting through 2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to hide very well; they are trying to crack through your mail server at maximum speed, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue (at the expense of keeping the process in memory too long, and long after the attacking host disconnects) at http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt

Do not use this in production, unless you really know what you are doing and are tongue-in-cheek with Sendmail and its source: it has several deficiencies that are obvious to a good observer (and tester) and that may impede or render it useless to most.

I wonder if Eric ever reconsidered my suggestion (from 4-5 years ago) to optionally drop processing arguments for a given SMTP dialogue if the client host disconnects the TCP connection prematurely [while not in "pipeline" mode, but the latter was not part of the argument]. This is very much Sendmail-specific, so you may ignore this.

> [I will also say that it would really be great if mail-abuse.org would
> add an open proxy listing project to complement their RSS, DUL, and
> other initiatives.]

What we really want is a DNSBL that lists SMTP dictionary-crack attacks in real-time. The overlap of the mechanics required for running this with other DNSBLs is obvious. Unfortunately I could only spare some expertise, but not a whole lot of time or expenses, to set something like that up (and merge it into an existing DNSBL such as Osirusoft's as far as day-to-day ops is concerned).

Without touting my horn, SS2.0 will successfully defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed or not, but other significant reasons are holding up its release right now, in case you were going to ask.

bye, Kai
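As an added example (not from the original post, and not SS2.0 or the Sendmail patch), here is defender-side detection logic in Python that scans constructed sendmail-style RCPT rejection lines and flags a source using the two patterns Kai describes: many unknown-recipient rejections inside one connection, or a burst of them within a short window. The log format, the queue-id-as-connection assumption, the thresholds and the IP addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed sendmail-like rejection line; the queue id stands in for one SMTP connection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"ruleset=check_rcpt, arg1=<[^>]*>, relay=\[(?P<ip>[\d.]+)\], reject=550 .*User unknown$"
)


def _rcpt_reject(ts, qid, user, ip):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f"{ts} mx sendmail[4101]: {qid}: ruleset=check_rcpt, "
            f"arg1=<{user}@example.com>, relay=[{ip}], reject=550 5.1.1 User unknown")


# Constructed sample: 12 probes in one connection (3 s), one honest typo,
# and 20 probes spread over four small connections within 40 s.
SAMPLE_LOG = (
    [_rcpt_reject(f"Nov 20 12:40:{i // 5:02d}", "gAKHe1qa04101", f"user{i}", "192.0.2.10") for i in range(12)]
    + [_rcpt_reject("Nov 20 12:41:00", "gAKHf2rb04102", "jon", "198.51.100.7")]
    + [_rcpt_reject(f"Nov 20 12:42:{i * 2:02d}", f"gAKHg3sc0410{3 + i // 5}", f"test{i}", "203.0.113.5")
       for i in range(20)]
)


def detect_dictionary_attacks(lines, per_conn=10, per_window=20, window_s=60):
    """Return {ip: [reasons]} for sources whose unknown-recipient rejections look like
    a dictionary probe rather than an occasional mistyped address."""
    by_conn = defaultdict(int)   # (ip, queue id) -> unknown-user rejections in that connection
    by_ip = defaultdict(list)    # ip -> timestamps of all its rejections
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("2002 " + m["ts"], "%Y %b %d %H:%M:%S")  # syslog has no year
        by_conn[(m["ip"], m["qid"])] += 1
        by_ip[m["ip"]].append(ts)
    flagged = defaultdict(set)
    for (ip, qid), n in by_conn.items():
        if n >= per_conn:
            flagged[ip].add(f"{n} unknown recipients in one connection ({qid})")
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0  # sliding window over sorted timestamps
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= per_window:
                flagged[ip].add(f">= {per_window} unknown recipients within {window_s}s")
                break
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}
```

Sources returned by `detect_dictionary_attacks` are candidates for the real-time listing Kai asks for; a single typo from a source never reaches either threshold.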