[Top] [All Lists]

Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 13:31:14
On 12/04/2015 10:59 AM, Hector Santos wrote:
> On 12/4/2015 8:10 AM, Chris Lewis wrote:

>> AUTH-cracking to this extent is a relatively recent phenomena, and is
>> clearly being used as an attempt to bypass normal direct-2-MX botnet
>> blocking and hijack the reputation of the MTA instead of some random
>> cracked PC.

> Hi, I'm surprise to read you say this is "relatively recent."  Are you
> mean in months, years or one to several decades?

I should say that "back in the day", SMTP-auth from BOTs was
sufficiently rare that it could safely be ignored.

SMTP-auth from bot started in a noticable fashion about 2-3 years ago
and continuing to rise to extreme levels in the past 6-12 months.  To
some MSAs, the impacts were obvious before that.

FWIW, our customers are seeing this as well. It used to be that AUTH-cracking
on SUBMIT was a nonissue, now it's something you can't safely ignore.

I even see it on my home system. It kinds of amazes me that my little box is
seen as a target worth spending time banging on, but my logs show ~12,000
password guessing attempts in the last 12 hours. (It's all coming from Hong
Kong, the IPs doing it are in the SBL, and it seems to be driven on a generic
list of likely account names, not anything more targeted.)

To me, this is "relatively recent".  Sorry, should have clarified.

As a MUCH more recent development, remember "open relay"?  That was
obsolete 10 years ago, and except for a couple of low volume Chinese
spammers, not seen at all.  Well, guess what?  One extremely prolific
spambot started doing it in very high volumes less than a month ago.
That's right, spambots attempting to open relay through MTAs.  Shipping
almost exclusively malware at that.

We're also getting reports of activities that look like attempts to trick
MTAs into relay through the use of oddball address formats, some legal,
some not. Not sure if this is what you're seeing or not.


ietf-smtp mailing list