Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 07:11:06
On 12/03/2015 09:11 PM, Ted Lemon wrote:

> Can you unpack "AUTH-cracking spambots" for the greenhorns?   I have no idea
> what this means, and google unfortunately was unable to help.

Primarily botnets that connect to MSAs and use stolen (or potentially brute-forced) userid/password credentials in order to use the MSA/MTA combo as an open relay.

There's at least one major Windows executable botnet that does this in very high volumes. This is a particularly long-standing botnet that has many other nasty tricks at its disposal (DDoS, keystroke harvesting, account stealing, etc.).

There are several web server compromises that do the same thing, potentially using the same sources for compromised userid/passwords, though these aren't at nearly the volume of the aforementioned botnet.

It's really quite surprising how successful some spam campaigns are in doing this, and I can only imagine that at least part of it is the botnet dredging out an infected user's MSA/userid/password triple from their mail reader and propagating it to the rest of the botnet (along with harvesting address books), and hence having enormous numbers of compromised accounts to exploit. They may also be using more generic userid/password dumps from online site leaks.

We've seen ISPs subject to massive attacks where hundreds or thousands (or more) of different IPs do authenticated MSA submissions of tens or hundreds of thousands of spams in fairly short (hours) intervals, resulting in traffic flows hundreds of times above normal, to the point of overloading the ISP's MSAs. This is even with quite aggressive per-user and per-IP rate limiting.

AUTH-cracking to this extent is a relatively recent phenomenon, and is clearly being used as an attempt to bypass normal direct-to-MX botnet blocking and hijack the reputation of the MTA instead of some random cracked PC.
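The pattern described in the message above, a single stolen credential shared across a botnet so that many unrelated client IPs authenticate as the same account, and a single bot replaying a leaked userid/password dump across many accounts, slips past per-user and per-IP rate limits because each (user, IP) pair stays under its own limit. Below is an added detection example, not code from the ietf-smtp thread or from any MSA software. It assumes a constructed, Postfix-like submission log format and illustrative thresholds (more than 4 IPs per account, or more than 3 accounts per IP, inside a one-hour window); real thresholds would be tuned to the site's normal traffic, and the sample log lines are synthetic data on documentation-range addresses.

```python
"""Flag authenticated-submission abuse: one account used from many client IPs
in a short window (botnet sharing a stolen credential), and one client IP
cycling through many accounts (a leaked credential list being replayed).
Added example; the log format is a constructed, Postfix-like approximation."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (synthetic data, documentation-range IPs).
SAMPLE_LOG = """\
2015-12-03T21:00:01 submission/smtpd[101]: client=unknown[198.51.100.10], sasl_method=PLAIN, sasl_username=alice@example.org
2015-12-03T21:00:09 submission/smtpd[102]: client=unknown[198.51.100.11], sasl_method=PLAIN, sasl_username=alice@example.org
2015-12-03T21:01:30 submission/smtpd[103]: client=unknown[198.51.100.12], sasl_method=PLAIN, sasl_username=alice@example.org
2015-12-03T21:02:44 submission/smtpd[104]: client=unknown[198.51.100.13], sasl_method=PLAIN, sasl_username=alice@example.org
2015-12-03T21:03:02 submission/smtpd[105]: client=unknown[198.51.100.14], sasl_method=PLAIN, sasl_username=alice@example.org
2015-12-03T21:05:17 submission/smtpd[106]: client=unknown[198.51.100.15], sasl_method=PLAIN, sasl_username=alice@example.org
2015-12-03T21:00:20 submission/smtpd[107]: client=home.isp.example[192.0.2.40], sasl_method=LOGIN, sasl_username=bob@example.org
2015-12-03T21:30:20 submission/smtpd[108]: client=home.isp.example[192.0.2.40], sasl_method=LOGIN, sasl_username=bob@example.org
2015-12-03T18:00:00 submission/smtpd[109]: client=office.example[192.0.2.77], sasl_method=PLAIN, sasl_username=carol@example.org
2015-12-03T22:15:00 submission/smtpd[110]: client=unknown[192.0.2.78], sasl_method=PLAIN, sasl_username=carol@example.org
2015-12-03T21:10:00 submission/smtpd[111]: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=dave@example.org
2015-12-03T21:10:01 submission/smtpd[112]: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=erin@example.org
2015-12-03T21:10:02 submission/smtpd[113]: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=frank@example.org
2015-12-03T21:10:03 submission/smtpd[114]: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=grace@example.org
2015-12-03T21:11:00 submission/smtpd[115]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed
"""

# Matches only successful SASL authentications in the constructed format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: client=[^\[\s]+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, username) for a successful auth line,
    or None for anything else (auth failures, unrelated log noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def parse_log(text):
    """Parse a log blob into chronologically sorted events; logs collected
    from several MSAs may interleave out of order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort()
    return events


def _windowed_fanout(events, key_index, value_index, window, threshold):
    """Generic sliding-window check: for each key, the set of distinct values
    seen within `window`; keys whose set exceeds `threshold` are returned
    with the largest such set observed."""
    recent = defaultdict(deque)   # key -> deque of (ts, value) in window
    flagged = {}
    for ev in events:
        ts, key, value = ev[0], ev[key_index], ev[value_index]
        q = recent[key]
        q.append((ts, value))
        while q and ts - q[0][0] > window:   # drop events older than window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) > threshold and len(distinct) > len(flagged.get(key, ())):
            flagged[key] = distinct
    return flagged


def accounts_spread_over_ips(events, window=timedelta(hours=1), max_ips=4):
    """Accounts authenticating from more than `max_ips` distinct client IPs
    inside any `window`: a credential shared across a botnet.  Per-IP limits
    miss this because each bot stays under its own cap."""
    return _windowed_fanout(events, key_index=2, value_index=1,
                            window=window, threshold=max_ips)


def ips_cycling_accounts(events, window=timedelta(hours=1), max_users=3):
    """Client IPs authenticating successfully as more than `max_users`
    accounts inside any `window`: a leaked credential list being replayed."""
    return _windowed_fanout(events, key_index=1, value_index=2,
                            window=window, threshold=max_users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ips in accounts_spread_over_ips(evs).items():
        print(f"account {user} used from {len(ips)} IPs within 1h: {sorted(ips)}")
    for ip, users in ips_cycling_accounts(evs).items():
        print(f"client {ip} authenticated as {len(users)} accounts within 1h: {sorted(users)}")
```

On the sample above, alice@example.org is flagged (six IPs in five minutes), while carol@example.org, who used two IPs hours apart, and bob@example.org, who used one IP repeatedly, are not; 203.0.113.7 is flagged for authenticating as four accounts in seconds. In a real deployment the same two checks would run continuously on the submission service's log stream and feed an automatic credential reset or a temporary block on the account's outbound mail, rather than a per-connection rate limit.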

