Re: Weird distributed spam attack

[Kai Schlichting <kai () pac-rim net>]

On 11/20/2002 at 12:40 PM, <JOE () OREGON UOREGON EDU> wrote:


> In addition to thousands of open relays, which are bad enough in
> their own right, there are also thousands of open proxy servers
> which a growing number of spammers have been using to launch spam 
> runs lately. I suspect that's what you're seeing. 

Almost all SMTP dictionary-crack attacks are done through open proxies,
otherwise it's a "delivery attack" carrying actual spam. Some ISPs
seem to have problems understanding the concept that log evidence
showing 200 unknown users being probed is in-your-face evidence of
illegal trespass and accessing another host/network without authorization.

Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist
Verifier Pro) pumps out, specifically uses "rotating proxies" to
do its illegal work. Talk about a company not worth defending, even if
it's against the DMCA. Dimitry should find himself a more ethical
employer, even if Adobe was wrong on this to begin with.

> If you aren't blocking traffic from open proxy servers via a dns 
> blacklist, I predict that you will definitely see increasingly 
> aggressive spam attacks coming in from diverse locations (although 
> the more you look at the problem, the easier it becomes to identify 
> the handful of carriers who are open proxy-tolerant).

If you don't use at least several DNSBL's, you are already DEAD from
dictionary attacks, I'd say. I have personally observed an attack against
a DS3-connected server from a single source IP, ratcheting through
2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to
hide very well, they are trying to crack through your mail server at
maximum speeds, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue
(at the expense of keeping the process in memory too long, and long after
the attacking host disconnects) at
http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt
Do not use this in production, unless you really know what you are
doing and are tongue-in-cheek with Sendmail and its source: it has
several deficiencies that are obvious to a good observer (and tester)
and that may impede or render it useless to most.
I wonder if Eric ever reconsidered by suggestion (from 4-5 years ago) to
optionally drop processing arguments for a given SMTP dialogue if
the client host disconnects the TCP connection prematurely [while not
in "pipeline" mode, but the latter was not part of the argument].
This is very much Sendmail-specific, so you may ignore this.

> [I will also say that it would really be great if mail-abuse.org would
> add an open proxy listing project to complement their RSS, DUL, and
> other initiatives.]

What we really want is a DNSBL that lists SMTP dictionary-crack attacks
in real-time. The overlap of the mechanics required for running this with
other DNSBL's are obvious: Unfortunately I could only spare some expertise,
but not a whole lot of time or expenses to set something like that up
(and merge it into an existing DNSBL such as Osirusoft's as far as
day-to-day ops is concerned). Without touting my horn, SS2.0 will succesfully
defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed
or not, but other significant reasons are holding up its release right now,
in case you were going to ask.

bye,Kai