Re: [Shutup] [ietf-smtp] Levels of proposals

Chris Lewis <ietf@mustelids.ca> Fri, 04 December 2015 13:11 UTC

Return-Path: <ietf@mustelids.ca>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 564E01B3149; Fri, 4 Dec 2015 05:11:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.043
X-Spam-Level: ***
X-Spam-Status: No, score=3.043 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FH_RELAY_NODNS=1.451, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIx97EAxfqPz; Fri, 4 Dec 2015 05:11:01 -0800 (PST)
Received: from stoat.mustelids.ca (unknown [174.35.246.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BEC91B3147; Fri, 4 Dec 2015 05:11:01 -0800 (PST)
Received: from [192.168.0.6] (badger.mustelids.ca [192.168.0.6]) (authenticated bits=0) by stoat.mustelids.ca (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id tB4DAw7H020750 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 4 Dec 2015 08:10:59 -0500
To: shutup@ietf.org
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com>
From: Chris Lewis <ietf@mustelids.ca>
X-Enigmail-Draft-Status: N1110
Message-ID: <566190E2.9090301@mustelids.ca>
Date: Fri, 4 Dec 2015 08:10:58 -0500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
In-Reply-To: <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/vAEjoCjto59TGzgiax3q-rmakSQ>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 13:11:02 -0000

On 12/03/2015 09:11 PM, Ted Lemon wrote:

> Can you unpack "AUTH-cracking spambots" for the greenhorns?   I have no idea what this means, and google unfortunately was unable to help.

Primarily botnets that connect to MSAs and use stolen (or potentially 
brute-forced) userid/password credentials in order to use the MSA/MTA 
combo as an open relay.

There's at least one major windows executable botnet that does this in 
very high volumes.  This is a particularly long-standing botnet that has 
many other nasty tricks at its disposal (DDOS, keystroke harvesting, 
account stealing etc).

There are several web server compromises that do the same thing, 
potentially using the same sources for compromised userid/passwords, 
tho, these aren't nearly the volume as the aforementioned botnet.

It's really quite surprising how successful that some spam campaigns are 
in doing this, and I can only imagine that at least part of it is  the 
botnet dredging out an infected user's MSA/userid/password triple from 
their mail reader and propagating it to the rest of the botnet (along 
with harvesting address books), and hence have enormous numbers of 
compromised accounts to exploit.  They may also be using more generic 
userid/password dumps from online site leaks.

We've seen ISPs subject to massive attacks where hundreds or thousands 
(or more) of different IPs do authenticated MSA submissions of 10s or 
100s of thousands of spams in fairly short (hours) intervals, resulting 
in traffic flows 100s of times above normal to the point of overloading 
the ISP's MSAs.  This is even with quite aggressive per-user and per-IP 
rate limiting.

AUTH-cracking to this extent is a relatively recent phenomena, and is 
clearly being used as an attempt to bypass normal direct-2-MX botnet 
blocking and hijack the reputation of the MTA instead of some random 
cracked PC.