Security Incidents mailing list archives

Re: SMTP brute force attack?


From: Mike Lewinski <mike () ROCKYNET COM>
Date: Wed, 29 Nov 2000 11:26:25 -0700

I keep getting this in my logs. Is someone trying to find a valid
username so they can crack my box? Or maybe this is a spammer trying to
find a way to get my machine to relay their crap? Any advice is
definitely welcome.

I would say that this is an attempt to harvest addresses from your MTA for spam purposes. In particular, the first string they send (F10981N9776 () victimhost com) is a pattern I recognize. They are probing for a "nobody" (default accept) alias by generating an intentionally bogus address. If your MTA responds "250 OK" then the attack ceases because it's not possible to discern what addresses are invalid.

Attached is a report I filed this weekend, for comparison of source IP if you wish. Also note that there is an SMTP abuse listserv here:

http://www.kopower.com/mailman/listinfo/smtpabuse


Mike


----- Original Message -----
To: <security () uu net>
Sent: Sunday, November 26, 2000 2:15 PM
Subject: SMTP dictionary attack probes from *.det1.da.uu.net


It appears our MTA is being probed to determine whether an SMTP
dictionary attack will succeed:

11:24 03:12 SMTPD(0078022A) [63.59.63.137 -
1Cust137.tnt2.det1.da.uu.net] RCPT To:<R3341R5328 () mail rockynet com>
11:24 23:10 SMTPD(035E00BC) [63.42.32.238 -
3Cust238.tnt51.det3.da.uu.net] RCPT To:<G12313P10672 () rockynet com>

The above log timestamps are in the format Month:Day Hour:Min, the times
are US/Mountain (-0600 GMT).

We have seen many harvesting attacks that are preceded by a RCPT TO
string like the above. The purpose is to determine whether our server
will acknowledge an invalid recipient. To deter this type of behavior
our server is now configured to accept anything destined for our domain,
which is the likely reason that the above user left us alone after
receiving a 250 response code to their bogus addresses above.
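As an added illustration (not part of the original thread), the following Python script parses log lines in the format quoted above, flags RCPT TO local parts that match the letter-digits-letter-digits pattern of the bogus probe addresses, and tallies them per source IP; it also shows why the catch-all policy described in the report removes the address oracle. The sample log lines are constructed in the same format (with a literal "@" rather than the archive's " () " obfuscation), and the pattern regex and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the quoted log format:
#   MM:DD HH:MM SMTPD(session) [ip - rdns] RCPT To:<address>
# The first two mirror the probes in the report; the last two are ordinary traffic.
SAMPLE_LOG = """\
11:24 03:12 SMTPD(0078022A) [63.59.63.137 - 1Cust137.tnt2.det1.da.uu.net] RCPT To:<R3341R5328@mail.rockynet.com>
11:24 23:10 SMTPD(035E00BC) [63.42.32.238 - 3Cust238.tnt51.det3.da.uu.net] RCPT To:<G12313P10672@rockynet.com>
11:25 08:02 SMTPD(0401A1F0) [192.0.2.10 - mx.example.net] RCPT To:<postmaster@rockynet.com>
11:25 08:03 SMTPD(0401A1F1) [192.0.2.10 - mx.example.net] RCPT To:<mike@rockynet.com>
"""

LOG_RE = re.compile(
    r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) SMTPD\((?P<session>[0-9A-F]+)\) "
    r"\[(?P<ip>[\d.]+) - (?P<rdns>\S+)\] RCPT To:<(?P<local>[^@>]+)@(?P<domain>[^>]+)>$"
)

# Assumed signature of the probe addresses seen in the thread (R3341R5328,
# G12313P10672, F10981N9776): a letter, some digits, a letter, some digits.
PROBE_LOCAL_RE = re.compile(r"^[A-Z]\d{3,}[A-Z]\d{3,}$")


def parse_line(line):
    """Return the named fields of one RCPT TO log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe_recipient(local):
    """True if the local part looks like a generated (intentionally bogus) probe address."""
    return PROBE_LOCAL_RE.match(local) is not None


def find_probes(log_text):
    """Map each source IP to the list of probe-looking recipients it sent RCPT TO for."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe_recipient(rec["local"]):
            hits[rec["ip"]].append(f"{rec['local']}@{rec['domain']}")
    return dict(hits)


def rcpt_response(local, known_users, catch_all):
    """Reply an MTA gives to RCPT TO for a local recipient. With catch_all=True (the
    mitigation in the report) every recipient gets 250, so the reply no longer reveals
    which addresses exist and the probe learns nothing."""
    if catch_all or local.lower() in known_users:
        return "250 OK"
    return "550 Unknown recipient"


if __name__ == "__main__":
    for ip, addrs in find_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(addrs)} probe-looking RCPT TO ({', '.join(addrs)})")
```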

