nanog mailing list archives
Re: Weird distributed spam attack
From: Kai Schlichting <kai () pac-rim net>
Date: Wed, 20 Nov 2002 13:19:53 -0500
On 11/20/2002 at 12:40 PM, <JOE () OREGON UOREGON EDU> wrote:
> In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.
Almost all SMTP dictionary-crack attacks are done through open proxies, otherwise it's a "delivery attack" carrying actual spam. Some ISPs seem to have problems understanding the concept that log evidence showing 200 unknown users being probed is in-your-face evidence of illegal trespass and accessing another host/network without authorization. Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist Verifier Pro) pumps out, specifically uses "rotating proxies" to do its illegal work. Talk about a company not worth defending, even if it's against the DMCA. Dimitry should find himself a more ethical employer, even if Adobe was wrong on this to begin with.
> If you aren't blocking traffic from open proxy servers via a dns blacklist, I predict that you will definitely see increasingly aggressive spam attacks coming in from diverse locations (although the more you look at the problem, the easier it becomes to identify the handful of carriers who are open proxy-tolerant).
If you don't use at least several DNSBL's, you are already DEAD from dictionary attacks, I'd say. I have personally observed an attack against a DS3-connected server from a single source IP, ratcheting through 2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to hide very well, they are trying to crack through your mail server at maximum speeds, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue (at the expense of keeping the process in memory too long, and long after the attacking host disconnects) at

  http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt

Do not use this in production, unless you really know what you are doing and are tongue-in-cheek with Sendmail and its source: it has several deficiencies that are obvious to a good observer (and tester) and that may impede or render it useless to most.

I wonder if Eric ever reconsidered my suggestion (from 4-5 years ago) to optionally drop processing arguments for a given SMTP dialogue if the client host disconnects the TCP connection prematurely [while not in "pipeline" mode, but the latter was not part of the argument]. This is very much Sendmail-specific, so you may ignore this.
> [I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]
What we really want is a DNSBL that lists SMTP dictionary-crack attacks in real-time. The overlap of the mechanics required for running this with other DNSBL's is obvious. Unfortunately I could only spare some expertise, but not a whole lot of time or expenses to set something like that up (and merge it into an existing DNSBL such as Osirusoft's as far as day-to-day ops is concerned).

Without touting my horn, SS2.0 will successfully defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed or not, but other significant reasons are holding up its release right now, in case you were going to ask.

bye,
Kai
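Detection logic of the kind this thread circles around, added here as an example and not code from Kai's post, from SpamShield, or from Sendmail: it scans mail log lines for "User unknown" RCPT TO rejections, groups them by the relaying IP, flags any source whose probe rate in a sliding window looks like a dictionary run rather than a typo, and emits the flagged sources in the zone-file form a real-time "dictionary-crack DNSBL" would serve. The log line shape is a constructed approximation of a Sendmail check_rcpt reject and must be adapted to the real MTA's format; the 10-probes-per-60-seconds threshold, the hostname, the IP addresses and the zone name are all placeholders chosen for the example, not figures from the thread.

```python
"""Flag SMTP dictionary (RCPT TO harvesting) attacks from MTA log lines.

Added example, not code from the original post, SpamShield or Sendmail.
Log lines are CONSTRUCTED to resemble Sendmail 'User unknown' rejections
that carry a relay= field; the real shape depends on MTA version/ruleset.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed approximation of a Sendmail check_rcpt 'User unknown' reject.
UNKNOWN_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=\[(?P<ip>[\d.]+)\], "
    r"reject=550 .*User unknown$"
)


def _line(ts, qid, rcpt, ip):
    """Build one constructed rejection line (test data only)."""
    return (f"{ts} mx sendmail[2001]: {qid}: ruleset=check_rcpt, arg1=<{rcpt}>, "
            f"relay=[{ip}], reject=550 5.1.1 <{rcpt}>... User unknown")


# Alphabetical guesses, the signature of a dictionary run (constructed).
ATTACK_NAMES = ["aaron", "abby", "adam", "admin", "alan", "albert",
                "alex", "alice", "allen", "amanda", "amy", "andrew"]

SAMPLE_LOG = [
    # Normal traffic the parser must ignore: a from= line and a delivery.
    "Nov 20 13:19:50 mx sendmail[1990]: gAKIJok01990: from=<carol@example.org>, "
    "size=1532, class=0, nrcpts=1, relay=[198.51.100.20]",
    "Nov 20 13:19:50 mx sendmail[1991]: gAKIJok01990: to=<dave@example.net>, "
    "delay=00:00:00, mailer=local, stat=Sent",
    # One typo from a legitimate sender: a single unknown recipient.
    _line("Nov 20 13:19:51", "gAKIJpk01995", "dav@example.net", "198.51.100.20"),
]
# Dictionary run: 12 unknown recipients from one IP inside 3 seconds.
SAMPLE_LOG += [
    _line(f"Nov 20 13:19:{53 + i // 4}", f"gAKIJrk02{i:03d}",
          f"{name}@example.net", "203.0.113.7")
    for i, name in enumerate(ATTACK_NAMES)
]
# Slow probe: 3 unknown recipients spread over ten minutes.
SAMPLE_LOG += [
    _line("Nov 20 13:21:00", "gAKIL0k02100", "root@example.net", "192.0.2.44"),
    _line("Nov 20 13:25:00", "gAKIP0k02150", "webmaster@example.net", "192.0.2.44"),
    _line("Nov 20 13:29:00", "gAKIT0k02200", "postmaster@example.net", "192.0.2.44"),
]


def parse_unknown_rcpts(lines, year=2002):
    """Return (timestamp, relay_ip, recipient) for every 'User unknown' reject.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = UNKNOWN_RE.match(line)
        if not m:
            continue  # deliveries, from= lines, other rejects
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"]))
    return events


def peak_rate(timestamps, window_s):
    """Largest number of events that fall inside any window_s-second window."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(ts):
        while t - ts[left] > timedelta(seconds=window_s):
            left += 1
        best = max(best, right - left + 1)
    return best


def find_dictionary_attackers(events, min_unknown=10, window_s=60):
    """Map relay IP -> stats for sources probing >= min_unknown unknown
    recipients within window_s seconds (thresholds are example values)."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in events:
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, hits in by_ip.items():
        peak = peak_rate([t for t, _ in hits], window_s)
        if peak >= min_unknown:
            flagged[ip] = {
                "unknown_rcpts": len(hits),
                "distinct_rcpts": len({r for _, r in hits}),
                "peak_in_window": peak,
            }
    return flagged


def dnsbl_records(ips, zone="dictattack.example.zone"):
    """Zone-file A records in the usual DNSBL shape: reversed octets under the
    list zone, answering 127.0.0.2. The zone name is a placeholder."""
    return [f"{'.'.join(reversed(ip.split('.')))}.{zone}. IN A 127.0.0.2"
            for ip in sorted(ips)]


if __name__ == "__main__":
    bad = find_dictionary_attackers(parse_unknown_rcpts(SAMPLE_LOG))
    for ip, info in bad.items():
        print(ip, info)
    print("\n".join(dnsbl_records(bad)))
```

Only the fast source is listed at the default thresholds; the legitimate sender's single typo is ignored, and the slow prober only shows up if the window is widened and the threshold lowered, which is the trade-off any such list operator has to pick deliberately. In production the same grouping should also be done per connection (the 10-25 probes per connection mentioned above), and a listing should carry an expiry so a cleaned-up relay drops off the zone.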
Current thread:
- Weird distributed spam attack dru-nanog (Nov 19)
- Re: Weird distributed spam attack Mike Lewinski (Nov 20)
- Re: Weird distributed spam attack chuck goolsbee (Nov 20)
- RE: Weird distributed spam attack Jacob M Wilkens (Nov 20)
- Re: Weird distributed spam attack Bryan Bradsby (Nov 20)
- Re: Weird distributed spam attack sjj (Nov 22)
- Re: Weird distributed spam attack chuck goolsbee (Nov 20)
- <Possible follow-ups>
- Re: Weird distributed spam attack Joe St Sauver (Nov 20)
- Re: Weird distributed spam attack Margie Arbon (Nov 20)
- Re: Weird distributed spam attack Kai Schlichting (Nov 20)
- Re: Weird distributed spam attack Chip Rosenthal (Nov 22)
- Re: Weird distributed spam attack Mike Lewinski (Nov 20)