On 12/03/2015 09:11 PM, Ted Lemon wrote:
> Can you unpack "AUTH-cracking spambots" for the greenhorns? I have no idea
> what this means, and google unfortunately was unable to help.
Primarily botnets that connect to MSAs and use stolen (or potentially
brute-forced) userid/password credentials in order to use the MSA/MTA
combo as an open relay.
There's at least one major windows executable botnet that does this in
very high volumes. This is a particularly long-standing botnet that has
many other nasty tricks at its disposal (DDoS, keystroke harvesting,
account stealing etc).
There are several web server compromises that do the same thing,
potentially using the same sources for compromised userid/passwords,
though these aren't nearly the volume of the aforementioned botnet.
It's really quite surprising how successful some spam campaigns are
in doing this, and I can only imagine that at least part of it is the
botnet dredging out an infected user's MSA/userid/password triple from
their mail reader and propagating it to the rest of the botnet (along
with harvesting address books), and hence have enormous numbers of
compromised accounts to exploit. They may also be using more generic
userid/password dumps from online site leaks.
We've seen ISPs subject to massive attacks where hundreds or thousands
(or more) of different IPs do authenticated MSA submissions of tens or
hundreds of thousands of spams in fairly short (hours) intervals, resulting
in traffic flows hundreds of times above normal to the point of overloading
the ISP's MSAs. This is even with quite aggressive per-user and per-IP
AUTH-cracking to this extent is a relatively recent phenomenon, and is
clearly being used as an attempt to bypass normal direct-2-MX botnet
blocking and hijack the reputation of the MTA instead of some random
ietf-smtp mailing list
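The reply above describes the symptoms an ISP sees on its MSAs: one stolen MSA/userid/password triple reused from many bot IPs, single IPs trying credentials from leaked dumps, and accounts submitting at volumes far beyond any human mail reader, even with per-user and per-IP limits in place. As an added example that is not part of the thread and not any poster's code, here is a small Python detector that runs those three checks over constructed Postfix-style submission log lines. The log format, host names, account names, IP addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed Postfix submission-port log format (client= / sasl_username= lines).
# The format, host names, accounts and addresses below are constructed for
# this example; none of it is data from the thread.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/submission/smtpd\[\d+\]: [0-9A-F]+: "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, sasl_username), or None for lines that are
    not authenticated-submission records (disconnects and other noise)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog carries no year; the default (1900) is fine for intra-day windows.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def analyze(lines, max_ips_per_user=4, max_users_per_ip=3, max_msgs_per_min=10.0):
    """Aggregate AUTH events per account and per source IP and flag the three
    patterns the post describes: one credential used from many IPs (a stolen
    MSA/userid/password triple spread across a botnet), one IP cycling through
    many accounts (working a leaked credential dump), and accounts submitting
    far faster than a human mail reader would."""
    user_ips, ip_users = defaultdict(set), defaultdict(set)
    count, first_seen, last_seen = Counter(), {}, {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, user = ev
        user_ips[user].add(ip)
        ip_users[ip].add(user)
        count[user] += 1
        first_seen.setdefault(user, ts)
        last_seen[user] = max(last_seen.get(user, ts), ts)

    shared = {u: sorted(ips) for u, ips in user_ips.items() if len(ips) > max_ips_per_user}
    stuffing = {ip: sorted(us) for ip, us in ip_users.items() if len(us) > max_users_per_ip}
    high_rate = {}
    for user, n in count.items():
        # Floor the window at one minute so a lone message cannot look like a burst.
        minutes = max((last_seen[user] - first_seen[user]).total_seconds(), 60.0) / 60.0
        rate = n / minutes
        if rate > max_msgs_per_min:
            high_rate[user] = round(rate, 1)
    return {"shared_accounts": shared, "stuffing_sources": stuffing, "high_rate_accounts": high_rate}


def _rec(ts, ip, user, pid=2841, host="unknown", qid="4F1A2C", method="PLAIN"):
    """Build one constructed log line in the assumed format."""
    return (f"Dec  3 {ts} msa1 postfix/submission/smtpd[{pid}]: {qid}: "
            f"client={host}[{ip}], sasl_method={method}, sasl_username={user}")


# Constructed sample: a few minutes of submission traffic on one MSA.
SAMPLE_LOG = [
    # alice's credential is being used from six different bots.
    _rec("21:11:02", "203.0.113.10", "alice@example.net"),
    "Dec  3 21:11:03 msa1 postfix/submission/smtpd[2841]: disconnect from unknown[203.0.113.10] "
    "ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6",  # ignored: not an AUTH record
    _rec("21:11:09", "203.0.113.44", "alice@example.net"),
    _rec("21:11:15", "198.51.100.23", "alice@example.net"),
    _rec("21:11:22", "192.0.2.77", "alice@example.net"),
    _rec("21:11:31", "192.0.2.201", "alice@example.net"),
    _rec("21:11:40", "203.0.113.120", "alice@example.net"),
    # bob is a normal user: one IP, two messages a minute and a half apart.
    _rec("21:11:05", "192.0.2.5", "bob@example.net", host="host.example.net"),
    _rec("21:12:30", "192.0.2.5", "bob@example.net", host="host.example.net"),
    # One IP walking through a leaked userid/password dump.
    _rec("21:12:01", "198.51.100.7", "carol@example.net"),
    _rec("21:12:04", "198.51.100.7", "dave@example.net"),
    _rec("21:12:07", "198.51.100.7", "erin@example.net"),
    _rec("21:12:10", "198.51.100.7", "frank@example.net"),
] + [
    # One compromised account blasting: twelve submissions in 33 seconds.
    _rec(f"21:13:{s:02d}", "203.0.113.99", "eve@example.net",
         pid=2903, qid=f"5A{s:04X}", method="LOGIN")
    for s in range(0, 36, 3)
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The per-account fan-out check is the one a plain per-IP limit cannot see: each bot stays under the per-IP threshold while the account as a whole is hammered from dozens of addresses. In practice you would feed this from a sliding window over live syslog rather than a fixed list, and tune the thresholds to the provider's own baseline.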