Re: [Shutup] [ietf-smtp] Levels of proposals

Chris Lewis <> Fri, 04 December 2015 16:31 UTC

On 12/04/2015 10:59 AM, Hector Santos wrote:
> On 12/4/2015 8:10 AM, Chris Lewis wrote:

>> AUTH-cracking to this extent is a relatively recent phenomenon, and is
>> clearly being used as an attempt to bypass normal direct-2-MX botnet
>> blocking and hijack the reputation of the MTA instead of some random
>> cracked PC.

> Hi, I'm surprised to read you say this is "relatively recent."  Do you
> mean in months, years, or one to several decades?

I should say that "back in the day", SMTP-auth from BOTs was 
sufficiently rare that it could safely be ignored.

SMTP-auth from bots started in a noticeable fashion about 2-3 years ago 
and has continued to rise to extreme levels in the past 6-12 months.  To 
some MSAs, the impacts were obvious before that.

To me, this is "relatively recent".  Sorry, should have clarified.

As a MUCH more recent development, remember "open relay"?  That was 
obsolete 10 years ago, and except for a couple of low-volume Chinese 
spammers, not seen at all.  Well, guess what?  One extremely prolific 
spambot started doing it in very high volumes less than a month ago. 
That's right, spambots attempting to open relay through MTAs.  Shipping 
almost exclusively malware at that.

Fun eh?
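The two behaviours described in this message (bots brute-forcing SMTP AUTH and then relaying through the MTA under a cracked account, and bots probing for open relay) both leave distinctive traces in MTA logs. The following is an added example, not code from the thread or from any of the participants: it runs three simple detections over constructed Postfix-style smtpd log lines. The log format, the sample IPs and usernames, and the thresholds are all assumptions chosen for illustration; adjust the regexes and thresholds for your own MTA.

```python
"""Flag SMTP AUTH cracking, hijacked-account relaying and open-relay probing.

Added example (not from the mailing-list thread).  The log lines are
constructed to resemble Postfix smtpd output; the exact format and the
thresholds are assumptions and should be tuned for a real deployment.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
Dec  4 11:01:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec  4 11:01:03 mx postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec  4 11:01:04 mx postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec  4 11:01:05 mx postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec  4 11:01:06 mx postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec  4 11:02:00 mx postfix/smtpd[1235]: 7A1B2C3D4E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Dec  4 11:02:10 mx postfix/smtpd[1236]: 8B2C3D4E5F: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=alice
Dec  4 11:02:20 mx postfix/smtpd[1237]: 9C3D4E5F60: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice
Dec  4 11:02:30 mx postfix/smtpd[1238]: AD4E5F6071: client=unknown[192.0.2.45], sasl_method=LOGIN, sasl_username=alice
Dec  4 11:03:00 mx postfix/smtpd[1239]: 1E5F607182: client=laptop.example.net[192.0.2.9], sasl_method=PLAIN, sasl_username=bob
Dec  4 11:04:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.com> to=<victim@example.org> proto=ESMTP helo=<bot>
Dec  4 11:04:01 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 <victim2@example.org>: Relay access denied; from=<spam@example.com> to=<victim2@example.org> proto=ESMTP helo=<bot>
Dec  4 11:04:02 mx postfix/smtpd[1241]: NOQUEUE: reject: RCPT from unknown[203.0.113.78]: 554 5.7.1 <victim3@example.org>: Relay access denied; from=<spam@example.com> to=<victim3@example.org> proto=ESMTP helo=<bot>
"""

# Patterns are assumptions based on common Postfix smtpd wording.
AUTH_FAIL = re.compile(r"\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
AUTH_OK = re.compile(r"client=\S+\[(?P<ip>[\d.]+)\].*sasl_username=(?P<user>\S+)")
RELAY_DENIED = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: \d{3} \d\.\d\.\d <[^>]*>: Relay access denied"
)


def analyze(log_text, fail_threshold=5, ip_spread_threshold=3, relay_threshold=2):
    """Return three sorted lists of suspects derived from the log text.

    auth_cracking     - client IPs with >= fail_threshold SASL failures
                        (password guessing against the MSA)
    hijacked_accounts - usernames that authenticated from >= ip_spread_threshold
                        distinct client IPs (one cracked account driven by a botnet)
    relay_probing     - client IPs with >= relay_threshold "Relay access denied"
                        rejections (bots looking for an open relay)
    """
    fails = Counter()
    user_ips = defaultdict(set)
    relay = Counter()
    for line in log_text.splitlines():
        if m := AUTH_FAIL.search(line):
            fails[m["ip"]] += 1
        elif m := RELAY_DENIED.search(line):
            relay[m["ip"]] += 1
        elif m := AUTH_OK.search(line):
            user_ips[m["user"]].add(m["ip"])
    return {
        "auth_cracking": sorted(ip for ip, n in fails.items() if n >= fail_threshold),
        "hijacked_accounts": sorted(
            u for u, ips in user_ips.items() if len(ips) >= ip_spread_threshold
        ),
        "relay_probing": sorted(ip for ip, n in relay.items() if n >= relay_threshold),
    }


if __name__ == "__main__":
    for kind, suspects in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(suspects) or '-'}")
```

The second check is the one that matters most for the reputation-hijacking point made above: a successful AUTH from a botnet looks like legitimate submission and passes SPF and similar checks under the MTA's own name, so the signal is not "authentication failed" but "one account, many unrelated client addresses". In a real deployment these counts should be windowed by time and fed into per-account rate limits or forced password resets, not just reported.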