[Top] [All Lists]

Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 10:32:11

On Dec 4, 2015, at 8:16 AM, Paul Smith <paul(_at_)pscs(_dot_)co(_dot_)uk> 

On 04/12/2015 15:59, Hector Santos wrote:
I have seen tons of "auth-cracking/brute force" auth attempts done at all 
the IP protocol servers. Generally, they do it all in one connection session 
where a "Maximum Failed Login Attempt" count may is used.  I always knew it 
was possible, but I suppose there are now increased distributed "botnet" 
forms of this where the Failed Login Attempt Count would be reset at the 
connection.  I have not seen the need to do much because I am not seeing 
damage. Everything (robust high scale servers) have been in place for many 
years, you know "Set it and forget it."
We used to see things connect and try lots of logins until they got blocked 
(they'd actually carry on for a bit after that because we don't tell them 
they've been blocked)

Now, we see lots of IP addresses connecting and making one or two login 
attempts then giving up. It's obviously a concerted 'attack' because lots of 
IP addresses do it at the same time, but each individual IP address doesn't 
try much. This does tend to defeat our software's blocking system, and it's a 
bit tricky to get around given that our software is on individual small 
business servers which might only see a few hundred auth attempts every few 
days, rather than huge mail providers which I guess see a lot more.

What I'm thinking of is having the option of the software reporting failed 
login IPs 'home' to a central server here, which other installations can 
query through a DNS lookup, but I'm still pondering whether that would help 
or hinder (the extra load of reporting & querying may override the load of 
dealing with the failed logins). If two or more of our software installations 
receive failed login attempts from the same IP address within a day or so of 
each other, the chances are it's a bot.

If it's a bot then 95%+ of the traffic it emits is malicious, so neither 
detecting it nor using the data are limited to solely email login attempts - 
meaning the effort can be shared and the benefits multiplied. It'd be 
interesting to compare those addresses against the XBL, as one example.


ietf-smtp mailing list