Re: [Shutup] [ietf-smtp] Levels of proposals

Russ Allbery <eagle@eyrie.org> Fri, 04 December 2015 02:31 UTC

Return-Path: <eagle@eyrie.org>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F08271B29F7; Thu, 3 Dec 2015 18:31:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.21
X-Spam-Level:
X-Spam-Status: No, score=-1.21 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wpwNblknnlDM; Thu, 3 Dec 2015 18:31:57 -0800 (PST)
Received: from haven.eyrie.org (haven.eyrie.org [166.84.7.159]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 018021B29F6; Thu, 3 Dec 2015 18:31:56 -0800 (PST)
Received: from lothlorien.eyrie.org (unknown [96.90.234.101]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by haven.eyrie.org (Postfix) with ESMTPS id 62FDD11821C; Thu, 3 Dec 2015 18:31:55 -0800 (PST)
Received: by lothlorien.eyrie.org (Postfix, from userid 1000) id A8A16B40739; Thu, 3 Dec 2015 18:31:53 -0800 (PST)
From: Russ Allbery <eagle@eyrie.org>
To: Ted Lemon <mellon@fugue.com>
In-Reply-To: <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com> (Ted Lemon's message of "Fri, 04 Dec 2015 02:11:47 +0000")
Organization: The Eyrie
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Date: Thu, 03 Dec 2015 18:31:53 -0800
Message-ID: <87k2ov7xly.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/K6l78bW8KRGA_Q8UVnW2TV_y6zY>
X-Mailman-Approved-At: Fri, 04 Dec 2015 00:11:43 -0800
Cc: shutup@ietf.org, ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 02:31:59 -0000

Ted Lemon <mellon@fugue.com> writes:
> Thursday, Dec 3, 2015 9:00 PM Chris Lewis wrote:

>> If you have a list of IPs known to be infected with AUTH-cracking
>> spambots, it's of immediate/valuable use to both the MSAs themselves in
>> detecting malicious injects, as well as the recipient's filtering, and
>> header forgery is not an issue (certainly not to MSAs, and headers that
>> forge collisions with the list you don't want anyway).

> Can you unpack "AUTH-cracking spambots" for the greenhorns?  I have no
> idea what this means, and google unfortunately was unable to help.

Standard practice for attackers these days is to automate attacks on any
sort of password-protected system, whether that be web pages,
authentication providers, or anything else that takes a password.  Usually
this is done by taking some list of common passwords and some list of
account names and just brute-forcing combinations, although some attackers
do more sophisticated things.

Obviously, that sort of brute force approach is easy to detect and
throttle, so the next step in the arms race was for attackers to use large
networks of compromised machines, usually home machines behind DSL and
cable modem links, each of which tries a small number of passwords against
a variety of targets to stay below the radar.  Those machines were
generally compromised via malware of some kind and are part of a botnet,
without the knowledge of the user of the machine.

This is used against SMTP AUTH just like it is against anything else on
the Internet that takes a password.  The usual goal is to send out spam
using other people's valid credentials to bypass spam filtering, or to
send phishing or stock pump and dump schemes, or what have you.

One useful tool in fighting this sort of attack is to be able to collect
and share information about currently compromised client IP addresses so
that you can detect them as being part of a botnet and use much more
aggressive rate limiting on these sorts of attempts, or block any email
that they successfully sent after cracking someone's SMTP AUTH password.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
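An added example, not part of Russ Allbery's message or of anything posted on the shutup or ietf-smtp lists: the detection logic the last two paragraphs describe, run over constructed MSA authentication log lines in a simplified format assumed for this example (it is not any MTA's exact log syntax). A naive per-client-IP failure count sees nothing, because each bot tries only two passwords; counting distinct client IPs failing against the same account within a sliding window catches the distributed attempt, and the resulting IP set is merged with a (constructed) list shared by another operator to drive aggressive rate limiting and to flag a later successful AUTH from a listed IP, i.e. mail submitted with a cracked password. All account names, IP addresses, thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified format assumed for this example
# (not any MTA's exact syntax):
#   <ISO-8601 timestamp> client=<ip> user=<account> auth=<ok|fail>
# alice and carol are legitimate users (carol mistypes her password three
# times); 198.51.100.0/24 are bots, each trying two passwords against bob.
SAMPLE_LOG = """\
2015-12-03T18:00:01 client=203.0.113.5 user=alice@example.net auth=fail
2015-12-03T18:00:09 client=203.0.113.5 user=alice@example.net auth=ok
2015-12-03T18:01:10 client=198.51.100.1 user=bob@example.net auth=fail
2015-12-03T18:01:42 client=198.51.100.1 user=bob@example.net auth=fail
2015-12-03T18:02:03 client=203.0.113.9 user=carol@example.net auth=fail
2015-12-03T18:02:11 client=203.0.113.9 user=carol@example.net auth=fail
2015-12-03T18:02:20 client=203.0.113.9 user=carol@example.net auth=fail
2015-12-03T18:02:31 client=203.0.113.9 user=carol@example.net auth=ok
2015-12-03T18:03:15 client=198.51.100.2 user=bob@example.net auth=fail
2015-12-03T18:03:50 client=198.51.100.2 user=bob@example.net auth=fail
2015-12-03T18:05:02 client=198.51.100.3 user=bob@example.net auth=fail
2015-12-03T18:05:33 client=198.51.100.3 user=bob@example.net auth=fail
2015-12-03T18:07:18 client=198.51.100.4 user=bob@example.net auth=fail
2015-12-03T18:07:49 client=198.51.100.4 user=bob@example.net auth=fail
2015-12-03T18:09:27 client=198.51.100.5 user=bob@example.net auth=fail
2015-12-03T18:09:58 client=198.51.100.5 user=bob@example.net auth=fail
2015-12-03T18:20:40 client=198.51.100.3 user=bob@example.net auth=ok
"""

# Constructed: IPs another operator has already reported as cracking bots.
SHARED_FROM_OTHER_OPERATOR = {"198.51.100.3", "192.0.2.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[0-9.]+) user=(?P<user>\S+) auth=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "ok": m["result"] == "ok"})
    return events


def per_ip_suspects(events, threshold=5):
    """Naive detector: client IPs with at least `threshold` failed AUTHs."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["ip"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_guessing(events, window=timedelta(minutes=10), min_ips=4):
    """Accounts that see failures from >= min_ips distinct client IPs inside
    any sliding window of length `window`. Returns {account: set(ips)}."""
    by_user = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_user[e["user"]].append(e)
    hits = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(fails):
            while e["ts"] - fails[start]["ts"] > window:   # slide window start
                start += 1
            ips = {f["ip"] for f in fails[start:end + 1]}
            if len(ips) >= min_ips:
                hits[user] = hits.get(user, set()) | ips
    return hits


def merge_blocklist(local_hits, shared):
    """Union of locally detected bot IPs and a list shared by other operators."""
    ips = set(shared)
    for found in local_hits.values():
        ips |= found
    return ips


def rate_limit_for(ip, blocklist, normal=10, aggressive=1):
    """AUTH attempts allowed per window: far stricter for listed IPs."""
    return aggressive if ip in blocklist else normal


def post_crack_submissions(events, blocklist):
    """Successful AUTH from a listed IP: the password was most likely cracked,
    so mail submitted in that session should be held or rejected."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in blocklist]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP suspects:", per_ip_suspects(ev))          # empty: bots stay low
    hits = distributed_guessing(ev)
    print("distributed guessing:", hits)                    # bob hit from 5 IPs
    bl = merge_blocklist(hits, SHARED_FROM_OTHER_OPERATOR)
    print("flagged submissions:", post_crack_submissions(ev, bl))
```

The thresholds (five failures per IP, four distinct IPs in ten minutes) are illustrative; in practice they are tuned against the MSA's own traffic, and the merged list is what gets exchanged between operators rather than the raw logs.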