
Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-03 20:32:03
Ted Lemon <mellon(_at_)fugue(_dot_)com> writes:
> Thursday, Dec 3, 2015 9:00 PM Chris Lewis wrote:
>
>> If you have a list of IPs known to be infected with AUTH-cracking
>> spambots, it's of immediate/valuable use to both the MSAs themselves in
>> detecting malicious injects, as well as the recipient's filtering, and
>> header forgery is not an issue (certainly not to MSAs, and headers that
>> forge collisions with the list you don't want anyway).
>
> Can you unpack "AUTH-cracking spambots" for the greenhorns?  I have no
> idea what this means, and google unfortunately was unable to help.

Standard practice for attackers these days is to automate attacks on any
sort of password-protected system, whether that be web pages,
authentication providers, or anything else that takes a password.  Usually
this is done by taking some list of common passwords and some list of
account names and just brute-forcing combinations, although some attackers
do more sophisticated things.

Obviously, that sort of brute force approach is easy to detect and
throttle, so the next step in the arms race was for attackers to use large
networks of compromised machines, usually home machines behind DSL and
cable modem links, each of which tries a small number of passwords against
a variety of targets to stay below the radar.  Those machines were
generally compromised via malware of some kind and are part of a botnet,
without the knowledge of the user of the machine.

This is used against SMTP AUTH just like it is against anything else on
the Internet that takes a password.  The usual goal is to send out spam
using other people's valid credentials to bypass spam filtering, or to
send phishing or stock pump and dump schemes, or what have you.

One useful tool in fighting this sort of attack is to be able to collect
and share information about currently compromised client IP addresses so
that you can detect them as being part of a bot net and use much more
aggressive rate limiting on these sorts of attempts, or block any email
that they successfully sent after cracking someone's SMTP AUTH password.

Russ Allbery (eagle(_at_)eyrie(_dot_)org)
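The detection side of what Russ describes, as an added example that is not code from the thread or from any of its authors: a low-and-slow botnet stays under a naive per-IP failure limit, so an MSA needs to (a) correlate failures across source IPs per target account and (b) apply a much stricter limit to clients on a shared compromised-IP list, and hold mail accepted after a success from such a client. The log line format, the three documentation-range IPs on the "bot list", and the thresholds are constructed assumptions for the example; a real MTA logs AUTH failures in its own format and the parser would be adjusted accordingly.

```python
"""Spot distributed SMTP AUTH guessing in MSA auth logs and apply a stricter
limit to client IPs on a shared compromised-host list.

Added example (not from the ietf-smtp thread). The log format, the IP list
and the thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample log: three listed bot clients each try only one or two
# passwords (under a naive per-IP limit of 5), and one of them succeeds.
# 203.0.113.200 is an ordinary user who mistyped once; it is not listed.
SAMPLE_LOG = """\
2015-12-03T20:01:02Z client=198.51.100.10 user=alice result=fail
2015-12-03T20:01:09Z client=198.51.100.10 user=bob result=fail
2015-12-03T20:02:30Z client=203.0.113.7 user=alice result=fail
2015-12-03T20:02:41Z client=203.0.113.7 user=carol result=fail
2015-12-03T20:03:55Z client=192.0.2.99 user=alice result=fail
2015-12-03T20:04:12Z client=192.0.2.99 user=bob result=success
2015-12-03T20:05:00Z client=203.0.113.200 user=dave result=fail
2015-12-03T20:05:20Z client=203.0.113.200 user=dave result=success
"""

# Constructed stand-in for the shared list of IPs currently observed as
# AUTH-guessing bots (documentation addresses, not real listings).
KNOWN_BOT_IPS = {"198.51.100.10", "203.0.113.7", "192.0.2.99"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ipaddress.ip_address(ev["ip"])  # raises ValueError on a malformed address
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyze(events, bot_ips, per_ip_limit=5, listed_ip_limit=0, spray_min_ips=3):
    """Return throttling decisions, sprayed accounts and suspect successful logins.

    per_ip_limit:    failures an unlisted IP may accumulate before it is throttled
    listed_ip_limit: the same for IPs on the shared bot list (0 = first failure)
    spray_min_ips:   distinct source IPs failing against one account that mark it
                     as a spray target even when every single IP is under its limit
    """
    fails_by_ip = Counter(e["ip"] for e in events if e["result"] == "fail")
    ips_per_user = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            ips_per_user[e["user"]].add(e["ip"])

    throttle = {}
    for ip, n in fails_by_ip.items():
        limit = listed_ip_limit if ip in bot_ips else per_ip_limit
        if n > limit:
            throttle[ip] = ("listed bot, %d failure(s)" % n) if ip in bot_ips else ("%d failures" % n)

    sprayed = {u for u, ips in ips_per_user.items() if len(ips) >= spray_min_ips}

    # A success from a listed or throttled client is the case the message
    # describes: the password was probably just guessed, so mail accepted in
    # that session should be held for review rather than relayed.
    suspect = [(e["ip"], e["user"]) for e in events
               if e["result"] == "success" and (e["ip"] in bot_ips or e["ip"] in throttle)]
    return {"throttle": throttle, "sprayed_accounts": sprayed, "suspect_successes": suspect}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP limit only:", analyze(evs, set()))
    print("with shared bot list:", analyze(evs, KNOWN_BOT_IPS))
```

Run stand-alone, the first line shows that a per-IP counter by itself throttles nobody (no client exceeds five failures), although the cross-IP correlation still names `alice` as a spray target; the second line shows the shared list turning the same two-attempt clients into throttled sources and flagging the `bob` login from 192.0.2.99 as a success that should not be trusted.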

ietf-smtp mailing list