Re: [Shutup] [ietf-smtp] Levels of proposals

[Chris Lewis <ietf@mustelids.ca>]

On 12/03/2015 09:11 PM, Ted Lemon wrote:

> Can you unpack "AUTH-cracking spambots" for the greenhorns?   I have no idea what this means, and google unfortunately was unable to help.

Primarily botnets that connect to MSAs and use stolen (or potentially 
brute-forced) userid/password credentials in order to use the MSA/MTA 
combo as an open relay.

There's at least one major windows executable botnet that does this in 
very high volumes.  This is a particularly long-standing botnet that has 
many other nasty tricks at its disposal (DDOS, keystroke harvesting, 
account stealing etc).

There are several web server compromises that do the same thing, 
potentially using the same sources for compromised userid/passwords, 
tho, these aren't nearly the volume as the aforementioned botnet.

It's really quite surprising how successful that some spam campaigns are 
in doing this, and I can only imagine that at least part of it is  the 
botnet dredging out an infected user's MSA/userid/password triple from 
their mail reader and propagating it to the rest of the botnet (along 
with harvesting address books), and hence have enormous numbers of 
compromised accounts to exploit.  They may also be using more generic 
userid/password dumps from online site leaks.

We've seen ISPs subject to massive attacks where hundreds or thousands 
(or more) of different IPs do authenticated MSA submissions of 10s or 
100s of thousands of spams in fairly short (hours) intervals, resulting 
in traffic flows 100s of times above normal to the point of overloading 
the ISP's MSAs.  This is even with quite aggressive per-user and per-IP 
rate limiting.

AUTH-cracking to this extent is a relatively recent phenomena, and is 
clearly being used as an attempt to bypass normal direct-2-MX botnet 
blocking and hijack the reputation of the MTA instead of some random 
cracked PC.