Re: [Shutup] [ietf-smtp] Levels of proposals
Chris Lewis <ietf@mustelids.ca> Fri, 04 December 2015 13:11 UTC
To: shutup@ietf.org
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com>
From: Chris Lewis <ietf@mustelids.ca>
Message-ID: <566190E2.9090301@mustelids.ca>
Date: Fri, 04 Dec 2015 08:10:58 -0500
In-Reply-To: <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/vAEjoCjto59TGzgiax3q-rmakSQ>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
On 12/03/2015 09:11 PM, Ted Lemon wrote:
> Can you unpack "AUTH-cracking spambots" for the greenhorns? I have no idea what this means, and Google unfortunately was unable to help.

Primarily botnets that connect to MSAs and use stolen (or potentially brute-forced) userid/password credentials in order to use the MSA/MTA combo as an open relay. There's at least one major Windows executable botnet that does this in very high volumes. This is a particularly long-standing botnet that has many other nasty tricks at its disposal (DDoS, keystroke harvesting, account stealing, etc.). There are several web server compromises that do the same thing, potentially using the same sources for compromised userid/passwords, though these aren't nearly the volume of the aforementioned botnet.

It's really quite surprising how successful some spam campaigns are in doing this, and I can only imagine that at least part of it is the botnet dredging out an infected user's MSA/userid/password triple from their mail reader and propagating it to the rest of the botnet (along with harvesting address books), and hence having enormous numbers of compromised accounts to exploit. They may also be using more generic userid/password dumps from online site leaks.

We've seen ISPs subject to massive attacks where hundreds or thousands (or more) of different IPs do authenticated MSA submissions of 10s or 100s of thousands of spams in fairly short (hours) intervals, resulting in traffic flows 100s of times above normal, to the point of overloading the ISP's MSAs. This is even with quite aggressive per-user and per-IP rate limiting.

AUTH-cracking to this extent is a relatively recent phenomenon, and is clearly being used as an attempt to bypass normal direct-2-MX botnet blocking and hijack the reputation of the MTA instead of some random cracked PC.
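One defender-side check for the pattern described in the post, where a single stolen credential is replayed from many different IPs so that per-IP rate limiting never trips: count, per authenticated user, the distinct client IPs and total submissions inside a sliding time window. This is an added example, not code from the post or from any MSA; the log line format, the thresholds and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed, simplified submission-log format (not real Postfix/Sendmail output):
#   "<epoch_seconds> <client_ip> sasl_username=<user>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) sasl_username=(?P<user>\S+)$")

def parse(line):
    """Return (ts, ip, user) for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    return (int(m["ts"]), m["ip"], m["user"]) if m else None

def flag_accounts(lines, window=3600, max_ips=5, max_auths=200):
    """Map each suspicious user to (peak distinct IPs, peak auths) seen in any
    sliding window of `window` seconds. One credential authenticating from
    many IPs is the distributed pattern that per-IP rate limits alone miss."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, ip, user = rec
            events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        in_window = Counter()  # ip -> auths currently inside the window
        lo = peak_ips = peak_auths = 0
        for hi, (ts, ip) in enumerate(evs):
            in_window[ip] += 1
            while ts - evs[lo][0] > window:  # slide the left edge forward
                old_ip = evs[lo][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                lo += 1
            peak_ips = max(peak_ips, len(in_window))
            peak_auths = max(peak_auths, hi - lo + 1)
        if peak_ips > max_ips or peak_auths > max_auths:
            flagged[user] = (peak_ips, peak_auths)
    return flagged

# Constructed sample: alice submits from one home IP across an hour; bob's stolen
# credential is replayed from a dozen bot IPs within ten minutes. One junk line too.
SAMPLE_LINES = ["%d 203.0.113.10 sasl_username=alice" % (1449200000 + i * 300) for i in range(10)]
SAMPLE_LINES += ["%d 198.51.100.%d sasl_username=bob" % (1449200000 + i * 50, i + 1) for i in range(12)]
SAMPLE_LINES.append("this line is not a submission record")

if __name__ == "__main__":
    for user, (ips, auths) in flag_accounts(SAMPLE_LINES).items():
        print(f"{user}: {ips} distinct IPs, {auths} auths in one window")
```

Thresholds are deliberately per-account rather than per-IP; a real deployment would tune them per customer class and feed hits into a forced password reset rather than just a log line.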