nanog mailing list archives

Re: Transparent hijacking of SMTP submission...


From: Mark Andrews <marka () isc org>
Date: Fri, 28 Nov 2014 11:38:24 +1100


In message <CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe=2qLcvb29i07OaX-yqg () mail gmail com>, Suresh Ramasubramanian writes:

Yes. Till that hotspot's IP space gets blackholed by a major freemail
because of all the nigerians and hijacked devices emitting bot traffic
through stolen auth credentials.

Why would it black hole the address rather than block the
compromised credentials?  The whole point of submission is to
authenticate the submitter and to be able to trace spam back to the
submitter and deal with the issue at that level of granularity.

Blocking at that level also stops the credentials being used from
anywhere.

scalpel vs chainsaw.

Just because you provide free email doesn't give you the right to
not do the service properly.  You encouraged people to use your
service.  You should resource it to deal with the resulting load
and that includes dealing with spam and scans being sent with stolen
credentials.  As a free email provider you have the plain text.

Mark

There are other ways to stop this but they take actual hard work and rather
more gear than a rusted up old asa you pull out of your closet as like as
not.
On Nov 28, 2014 2:10 AM, "Mark Andrews" <marka () isc org> wrote:


Which is why your MTA should always be set up to require the use of
STARTTLS.  Additionally the CERT presented should also match the
name of the server.

There is absolutely no reason for an ISP / hotspot to inspect
submission traffic.  The "stopping spam" argument doesn't wash with
submission.

Mark

In message <54778167.7080808 () bogus com>, joel jaeggli writes:

I don't see this in my home market, but I do see it in someone else's...
I kind of expect this for port 25 but...

J@mb-aye:~$telnet 147.28.0.81 587
Trying 147.28.0.81...
Connected to nagasaki.bogus.com.
Escape character is '^]'.
220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
19:17:44 GMT
ehlo bogus.com
250-nagasaki.bogus.com Hello XXXXXXXXXXXXXXX.wa.comcast.net
[XXX.XXX.XXX.XXX], pleased to meet you
250 ENHANCEDSTATUSCODES

J@mb-aye:~$telnet 2001:418:1::81 587
Trying 2001:418:1::81...
Connected to nagasaki.bogus.com.
Escape character is '^]'.
220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
19:18:33 GMT
ehlo bogus.com
250-nagasaki.bogus.com Hello
[IPv6:2601:7:2380:XXXX:XXXX:XXXX:c1ae:7d73], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP

that's essentially a downgrade attack on my ability to use encryption
which seems to be in pretty poor taste frankly.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
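One way to implement the client-side half of the advice above, as an added example that is not from anyone in this thread: a small parser that distinguishes an EHLO reply with STARTTLS missing (the shape of the IPv4 transcript) from one that offers it (the IPv6 transcript), plus a hypothetical `connect_submission` helper built on Python's smtplib that refuses to send credentials unless STARTTLS is offered and the certificate verifies against the server name. The hostnames and addresses in the sample replies are constructed.

```python
import smtplib
import ssl

# Constructed EHLO replies modelled on the two transcripts in the thread: on the IPv4
# path the reply was cut down to ENHANCEDSTATUSCODES, on the IPv6 path it was complete.
EHLO_STRIPPED = (
    "250-mail.example.net Hello client.example [192.0.2.10], pleased to meet you\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_FULL = (
    "250-mail.example.net Hello [IPv6:2001:db8::10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n"
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN\r\n250-STARTTLS\r\n250-DELIVERBY\r\n250 HELP\r\n"
)

def ehlo_extensions(reply):
    """Return the set of extension keywords (upper-cased) from a raw multi-line EHLO reply.
    The first line is the greeting; every later '250-'/'250 ' line names one extension."""
    exts = set()
    for line in reply.splitlines()[1:]:
        if len(line) > 4 and line.startswith("250"):
            words = line[4:].split()
            if words:
                exts.add(words[0].upper())
    return exts

def offers_starttls(reply):
    """A submission server that does not advertise STARTTLS must not be given credentials;
    an in-path box rewriting the reply looks exactly like this."""
    return "STARTTLS" in ehlo_extensions(reply)

def connect_submission(host, port=587, timeout=10.0):
    """Open a session to host:port, refuse to proceed without STARTTLS, and verify the
    certificate chain and hostname against `host` (hypothetical helper, makes a network call)."""
    ctx = ssl.create_default_context()          # chain + hostname verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, _ = smtp.ehlo()
        if code != 250 or not smtp.has_extn("starttls"):
            raise smtplib.SMTPException("STARTTLS not offered; not sending credentials in clear")
        smtp.starttls(context=ctx)               # ssl.SSLCertVerificationError on a name mismatch
        smtp.ehlo()                              # only trust extensions advertised inside TLS
        if not smtp.has_extn("auth"):
            raise smtplib.SMTPException("no AUTH advertised inside TLS")
        return smtp
    except Exception:
        smtp.close()
        raise
```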