Security Incidents mailing list archives
Re: SMTP brute force attack?
From: Mike Lewinski <mike () ROCKYNET COM>
Date: Wed, 29 Nov 2000 11:26:25 -0700
I keep getting this in my logs. Is someone trying to find a valid username so they can crack my box? Or maybe this is a spammer trying to find a way to get my machine to relay their crap? Any advice is definitely welcome.
I would say that this is an attempt to harvest addresses from your MTA for spam purposes. In particular, the first string they send (F10981N9776 () victimhost com) is a pattern I recognize. They are probing for a "nobody" (default accept) alias by generating an intentionally bogus address. If your MTA responds "250 OK" then the attack ceases because it's not possible to discern what addresses are invalid.

Attached is a report I filed this weekend, for comparison of source IP if you wish.

Also note that there is an SMTP abuse listserv here: http://www.kopower.com/mailman/listinfo/smtpabuse

Mike

----- Original Message -----
To: <security () uu net>
Sent: Sunday, November 26, 2000 2:15 PM
Subject: SMTP dictionary attack probes from *.det1.da.uu.net
It appears our MTA is being probed to determine whether an SMTP dictionary attack will succeed:

11:24 03:12 SMTPD(0078022A) [63.59.63.137 - 1Cust137.tnt2.det1.da.uu.net] RCPT To:<R3341R5328 () mail rockynet com>
11:24 23:10 SMTPD(035E00BC) [63.42.32.238 - 3Cust238.tnt51.det3.da.uu.net] RCPT To:<G12313P10672 () rockynet com>

The above log timestamps are in the format Month:Day Hour:Min; the times are US/Mountain (-0600 GMT).

We have seen many harvesting attacks that are preceded by a RCPT TO string like the above. The purpose is to determine whether our server will acknowledge an invalid recipient. To deter this type of behavior our server is now configured to accept anything destined for our domain, which is the likely reason that the above user left us alone after receiving a 250 response code to their bogus addresses above.
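An added example, not part of this thread or of the poster's server setup, showing the two things the reply describes: picking the bogus-recipient probes out of SMTPD log lines of the format quoted above, and why a catch-all (accept everything for the domain) policy starves the harvester of information while a reject-unknown policy feeds it. The probe signature (capital letter, digits, capital letter, digits) is a heuristic assumed from the three addresses quoted in the thread, not a published one; the sample log is constructed, with the archive's " () " obfuscation undone and invented legitimate traffic on RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Log format quoted in the report above: "MM:DD HH:MM SMTPD(id) [ip - host] RCPT To:<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d \d\d:\d\d) SMTPD\((?P<sid>[0-9A-F]+)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<host>[^\]]+)\] RCPT To:<(?P<rcpt>[^>]+)>$"
)

# Assumed heuristic for the bogus local parts seen in the thread
# (F10981N9776, R3341R5328, G12313P10672): letter, digits, letter, digits.
PROBE_LOCALPART_RE = re.compile(r"^[A-Z]\d{3,6}[A-Z]\d{3,6}$")

# Constructed sample log (not from a real server). The first two lines reproduce the
# report's entries with "@" restored; the rest are invented legitimate traffic.
SAMPLE_LOG = """\
11:24 03:12 SMTPD(0078022A) [63.59.63.137 - 1Cust137.tnt2.det1.da.uu.net] RCPT To:<R3341R5328@mail.rockynet.com>
11:24 23:10 SMTPD(035E00BC) [63.42.32.238 - 3Cust238.tnt51.det3.da.uu.net] RCPT To:<G12313P10672@rockynet.com>
11:25 08:02 SMTPD(00A10011) [192.0.2.10 - mx.example.net] RCPT To:<mike@rockynet.com>
11:25 08:03 SMTPD(00A10012) [192.0.2.10 - mx.example.net] RCPT To:<postmaster@rockynet.com>
11:25 09:40 SMTPD(00A10020) [198.51.100.7 - relay.example.org] RCPT To:<sales@rockynet.com>
"""


def parse_log(text):
    """Yield (ip, host, recipient) for every line that matches the SMTPD RCPT format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["host"], m["rcpt"]


def is_probe_address(addr):
    """True if the local part looks like a generated bogus-recipient probe."""
    local = addr.split("@", 1)[0]
    return bool(PROBE_LOCALPART_RE.match(local))


def find_probe_sources(text):
    """Map each source IP to the bogus recipients it tried; IPs with none are omitted."""
    hits = defaultdict(list)
    for ip, _host, rcpt in parse_log(text):
        if is_probe_address(rcpt):
            hits[ip].append(rcpt)
    return dict(hits)


def mta_rcpt_reply(rcpt, accept_all, valid_local_parts):
    """SMTP reply an MTA gives to RCPT TO under the two policies in the thread:
    accept anything for the domain (250, the catch-all / "nobody" behaviour),
    or accept only known local parts and reject the rest (550)."""
    local = rcpt.split("@", 1)[0].lower()
    if accept_all or local in valid_local_parts:
        return 250
    return 550


def harvest(candidates, accept_all, valid_local_parts, canary="F10981N9776@rockynet.com"):
    """Simulate the harvester described in the reply. It first sends an intentionally
    bogus canary; a 250 to that means replies carry no information, so it stops with
    nothing learned. Otherwise every candidate answered 250 is a confirmed address."""
    if mta_rcpt_reply(canary, accept_all, valid_local_parts) == 250:
        return set()
    return {c for c in candidates if mta_rcpt_reply(c, accept_all, valid_local_parts) == 250}


if __name__ == "__main__":
    print("probe sources:", find_probe_sources(SAMPLE_LOG))
    valid = {"mike", "postmaster"}
    dictionary = ["mike@rockynet.com", "bob@rockynet.com", "postmaster@rockynet.com"]
    print("reject-unknown MTA leaks:", harvest(dictionary, False, valid))
    print("catch-all MTA leaks:     ", harvest(dictionary, True, valid))
```

The trade-off the report glosses over is that a catch-all domain also has to swallow (or later bounce) every misaddressed message, so the usual practitioner's compromise is to keep rejecting unknown recipients but rate-limit or tempfail a source once it accumulates several 550s, which this detector's per-IP counts give you directly.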
Current thread:
- Re: SMTP brute force attack? Mike Lewinski (Dec 01)