Re: [Shutup] [ietf-smtp] Levels of proposals
Russ Allbery <eagle@eyrie.org> Fri, 04 December 2015 02:31 UTC
Return-Path: <eagle@eyrie.org>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id F08271B29F7;
Thu, 3 Dec 2015 18:31:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.21
X-Spam-Level:
X-Spam-Status: No, score=-1.21 tagged_above=-999 required=5
tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wpwNblknnlDM; Thu, 3 Dec 2015 18:31:57 -0800 (PST)
Received: from haven.eyrie.org (haven.eyrie.org [166.84.7.159])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 018021B29F6;
Thu, 3 Dec 2015 18:31:56 -0800 (PST)
Received: from lothlorien.eyrie.org (unknown [96.90.234.101])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by haven.eyrie.org (Postfix) with ESMTPS id 62FDD11821C;
Thu, 3 Dec 2015 18:31:55 -0800 (PST)
Received: by lothlorien.eyrie.org (Postfix, from userid 1000)
id A8A16B40739; Thu, 3 Dec 2015 18:31:53 -0800 (PST)
From: Russ Allbery <eagle@eyrie.org>
To: Ted Lemon <mellon@fugue.com>
In-Reply-To: <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com> (Ted Lemon's
message of "Fri, 04 Dec 2015 02:11:47 +0000")
Organization: The Eyrie
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com>
<5660F3A1.7060807@mustelids.ca>
<1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Date: Thu, 03 Dec 2015 18:31:53 -0800
Message-ID: <87k2ov7xly.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/K6l78bW8KRGA_Q8UVnW2TV_y6zY>
X-Mailman-Approved-At: Fri, 04 Dec 2015 00:11:43 -0800
Cc: shutup@ietf.org, ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>,
<mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>,
<mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 02:31:59 -0000
Ted Lemon <mellon@fugue.com> writes:

> Thursday, Dec 3, 2015 9:00 PM Chris Lewis wrote:

>> If you have a list of IPs known to be infected with AUTH-cracking
>> spambots, it's of immediate/valuable use to both the MSAs themselves in
>> detecting malicious injects, as well as the recipient's filtering, and
>> header forgery is not an issue (certainly not to MSAs, and headers that
>> forge collisions with the list you don't want anyway).

> Can you unpack "AUTH-cracking spambots" for the greenhorns? I have no
> idea what this means, and google unfortunately was unable to help.

Standard practice for attackers these days is to automate attacks on any
sort of password-protected system, whether that be web pages,
authentication providers, or anything else that takes a password.
Usually this is done by taking some list of common passwords and some
list of account names and just brute-forcing combinations, although some
attackers do more sophisticated things.

Obviously, that sort of brute force approach is easy to detect and
throttle, so the next step in the arms race was for attackers to use
large networks of compromised machines, usually home machines behind DSL
and cable modem links, each of which tries a small number of passwords
against a variety of targets to stay below the radar. Those machines
were generally compromised via malware of some kind and are part of a
botnet, without the knowledge of the user of the machine.

This is used against SMTP AUTH just like it is against anything else on
the Internet that takes a password. The usual goal is to send out spam
using other people's valid credentials to bypass spam filtering, or to
send phishing or stock pump and dump schemes, or what have you.

One useful tool in fighting this sort of attack is to be able to collect
and share information about currently compromised client IP addresses so
that you can detect them as being part of a botnet and use much more
aggressive rate limiting on these sorts of attempts, or block any email
that they successfully sent after cracking someone's SMTP AUTH password.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
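The detection logic sketched in the message above, as an added example that is not part of the original thread or any of the participants' code. It runs over constructed Postfix/SASL-style smtpd log lines (the failure and `client=` line formats follow Postfix conventions, but the lines themselves are made up) and a constructed shared list of known-compromised client IPs. It separates the three cases the message describes: a single noisy source brute-forcing one account, a distributed low-and-slow attack where many IPs each try an account once or twice, and a successful AUTH from an IP on the shared list, which is the signal that a password has been cracked and the resulting mail should be held. The thresholds (5 failures per IP, 4 distinct quiet IPs per account, at most 2 attempts per quiet IP) are assumptions for illustration, not values from the message.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed Postfix-style smtpd log lines (not from any real server).
# 198.51.100.7 hammers alice; 203.0.113.10-13 each try alice once or twice
# and .13 finally gets in; 192.0.2.50 is bob mistyping once, then succeeding.
SAMPLE_LOG = """\
Dec  3 18:00:01 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:00:02 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:00:03 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:00:04 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:00:05 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:05:10 mx postfix/smtpd[102]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:21:42 mx postfix/smtpd[103]: warning: unknown[203.0.113.11]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:22:01 mx postfix/smtpd[103]: warning: unknown[203.0.113.11]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
Dec  3 18:40:17 mx postfix/smtpd[104]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 19:03:55 mx postfix/smtpd[105]: warning: unknown[203.0.113.13]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Dec  3 19:04:20 mx postfix/smtpd[105]: 7F3A2B1C9D: client=unknown[203.0.113.13], sasl_method=LOGIN, sasl_username=alice
Dec  3 19:10:00 mx postfix/smtpd[106]: warning: dsl-50.example.net[192.0.2.50]: SASL PLAIN authentication failed: authentication failure, sasl_username=bob
Dec  3 19:10:08 mx postfix/smtpd[106]: 0C4D5E6F7A: client=dsl-50.example.net[192.0.2.50], sasl_method=PLAIN, sasl_username=bob
"""

# Constructed stand-in for a shared "currently compromised client IP" feed.
SHARED_BAD_IPS = {"203.0.113.11", "203.0.113.13"}

# Postfix logs a SASL failure as a warning line; a successful authenticated
# session shows up on the "client=" line carrying sasl_username.
FAIL_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
                     r"SASL \w+ authentication failed: .*sasl_username=(?P<user>\S+)$")
OK_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\], "
                   r"sasl_method=\w+, sasl_username=(?P<user>\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ip: str
    user: str
    ok: bool


@dataclass
class Report:
    noisy_ips: set = field(default_factory=set)        # classic single-source brute force
    listed_throttle: set = field(default_factory=set)  # listed IPs failing at all: rate-limit hard
    distributed: dict = field(default_factory=dict)    # user -> quiet IPs spraying that account
    cracked: list = field(default_factory=list)        # (user, ip): success from a listed IP


def parse_events(text):
    """Turn smtpd log lines into AuthEvents; lines that are neither are ignored."""
    events = []
    for line in text.splitlines():
        if m := FAIL_RE.search(line):
            events.append(AuthEvent(m["ip"], m["user"], False))
        elif m := OK_RE.search(line):
            events.append(AuthEvent(m["ip"], m["user"], True))
    return events


def analyse(events, shared_bad_ips, per_ip_threshold=5,
            distributed_min_ips=4, distributed_max_per_ip=2):
    """Flag noisy sources, distributed low-and-slow sprays, and cracked accounts."""
    report = Report()
    fails_by_ip = Counter(e.ip for e in events if not e.ok)

    # 1. The easy case: one IP burning through a password list.
    report.noisy_ips = {ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold}

    # 2. Shared intelligence lowers the bar: a listed IP gets throttled on its
    #    first failure instead of its fifth.
    report.listed_throttle = {ip for ip in fails_by_ip if ip in shared_bad_ips}

    # 3. The botnet case: one account, many IPs, each staying under the radar.
    fails_by_user = defaultdict(Counter)
    for e in events:
        if not e.ok:
            fails_by_user[e.user][e.ip] += 1
    for user, per_ip in fails_by_user.items():
        quiet = sorted(ip for ip, n in per_ip.items() if n <= distributed_max_per_ip)
        if len(quiet) >= distributed_min_ips:
            report.distributed[user] = quiet

    # 4. A successful AUTH from a listed IP means the password is now in the
    #    botnet's hands; mail injected in that session is the spam to hold.
    report.cracked = [(e.user, e.ip) for e in events if e.ok and e.ip in shared_bad_ips]
    return report


if __name__ == "__main__":
    print(analyse(parse_events(SAMPLE_LOG), SHARED_BAD_IPS))
```

The per-IP counter alone never sees the 203.0.113.x hosts, which is the point of the message: each one looks like a user mistyping a password. Only the per-account view across IPs, or the shared list, catches them, and the shared list is also what turns 203.0.113.13's eventual success from a normal login into a quarantine decision.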