Re: [Shutup] [ietf-smtp] Levels of proposals

Ned Freed <ned.freed@mrochek.com> Fri, 04 December 2015 19:31 UTC

Message-id: <01PTVNQ5DSQK018EYG@mauve.mrochek.com>
Date: Fri, 04 Dec 2015 11:18:21 -0800 (PST)
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Fri, 04 Dec 2015 11:31:36 -0500" <5661BFE8.2070706@mustelids.ca>
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com> <566190E2.9090301@mustelids.ca> <5661B844.4050605@isdg.net> <5661BFE8.2070706@mustelids.ca>
To: Chris Lewis <ietf@mustelids.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/OfL6LQli38dNyfZjgEdtZOlq3BE>
Cc: shutup@ietf.org, ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals

> On 12/04/2015 10:59 AM, Hector Santos wrote:
> > On 12/4/2015 8:10 AM, Chris Lewis wrote:

> >> AUTH-cracking to this extent is a relatively recent phenomenon, and is
> >> clearly being used as an attempt to bypass normal direct-2-MX botnet
> >> blocking and hijack the reputation of the MTA instead of some random
> >> cracked PC.

> > Hi, I'm surprised to read you say this is "relatively recent."  Do you
> > mean in months, years or one to several decades?

> I should say that "back in the day", SMTP-auth from BOTs was
> sufficiently rare that it could safely be ignored.

> SMTP-auth from bots started in a noticeable fashion about 2-3 years ago
> and continuing to rise to extreme levels in the past 6-12 months.  To
> some MSAs, the impacts were obvious before that.

FWIW, our customers are seeing this as well. It used to be that AUTH-cracking
on SUBMIT was a nonissue, now it's something you can't safely ignore.

I even see it on my home system. It kind of amazes me that my little box is
seen as a target worth spending time banging on, but my logs show ~12,000
password guessing attempts in the last 12 hours. (It's all coming from Hong
Kong, the IPs doing it are in the SBL, and it seems to be driven on a generic
list of likely account names, not anything more targeted.)

> To me, this is "relatively recent".  Sorry, should have clarified.

> As a MUCH more recent development, remember "open relay"?  That was
> obsolete 10 years ago, and except for a couple of low volume Chinese
> spammers, not seen at all.  Well, guess what?  One extremely prolific
> spambot started doing it in very high volumes less than a month ago.
> That's right, spambots attempting to open relay through MTAs.  Shipping
> almost exclusively malware at that.

We're also getting reports of activities that look like attempts to trick
MTAs into relay through the use of oddball address formats, some legal,
some not. Not sure if this is what you're seeing or not.

				Ned
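
Added example, not part of the message above or of any MTA's code: one way to separate the list-driven guessing described in the thread (one source cycling through generic account names) from a single user's stale client, and to surface any guessed name that then authenticated. The log format, field names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical log format (not any real MTA's output).
SAMPLE_LOG = """\
2015-12-04T07:00:01Z submission auth-fail ip=203.0.113.7 user=admin
2015-12-04T07:00:02Z submission auth-fail ip=203.0.113.7 user=info
2015-12-04T07:00:03Z submission auth-fail ip=203.0.113.7 user=sales
2015-12-04T07:00:05Z submission auth-fail ip=203.0.113.7 user=test
2015-12-04T07:00:06Z submission auth-ok ip=203.0.113.7 user=test
2015-12-04T08:10:00Z submission auth-fail ip=198.51.100.20 user=alice
2015-12-04T08:10:09Z submission auth-fail ip=198.51.100.20 user=alice
2015-12-04T08:10:20Z submission auth-fail ip=198.51.100.20 user=Alice
2015-12-04T08:10:31Z submission auth-ok ip=198.51.100.20 user=alice
2015-12-04T09:00:00Z submission auth-fail ip=192.0.2.9 user=bob
"""

LINE = re.compile(r"^\S+ submission auth-(fail|ok) ip=(\S+) user=(\S+)$")

def summarize(log_text):
    """Per source IP: failure count, names that failed, names that succeeded."""
    stats = defaultdict(lambda: {"fails": 0, "tried": set(), "ok": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not AUTH results
        result, ip, user = m.group(1), m.group(2), m.group(3).lower()
        if result == "fail":
            stats[ip]["fails"] += 1
            stats[ip]["tried"].add(user)
        else:
            stats[ip]["ok"].add(user)
    return stats

def classify(stats, min_fails=3, min_names=4):
    """Label each noisy source; thresholds are illustrative, not tuned values."""
    findings = {}
    for ip, s in stats.items():
        if len(s["tried"]) >= min_names:
            # Many distinct names from one source; report names that later got in.
            findings[ip] = ("name-list-guessing", sorted(s["ok"] & s["tried"]))
        elif s["fails"] >= min_fails:
            # Repeated failures on one or two names: more likely a stale client.
            findings[ip] = ("repeated-failures", [])
    return findings

if __name__ == "__main__":
    for ip, (label, hit) in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(ip, label, "guessed-and-authenticated:", hit or "none")
```

A name reported for a guessing source has authenticated from the same address that was cycling through the list, so that account's password should be treated as known to the sender.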