> Actually, I really don't think that this looks like a brute force
> password attack. The log clearly shows a dictionary-style attack of
> hundreds of "legitimate-looking" user names -- not repeated attempts
> to hack any particular account.
It may be an inverted brute-force attack, where the password is constant but the username is variable. Why? Because it's common for a non-negligible number of users on large mail systems to have their passwords set to a known default: on IMail, this is of course 'password.' Others may have their passwords set to their username, for the reasons Dave noted.

Why would owning any POP3 account be valuable? Because the POP3 credentials double as the SMTP AUTH credentials. Why would having SMTP AUTH credentials be valuable? Because it grants you a pass on local spam checks and makes relay spam possible yet again. It's a powerful weapon for the bad guys, and some in the anti-spam community have expected a period of widespread SMTP AUTH compromise, though it hasn't happened yet. We largely closed the door on open relays a while ago, but a closed relay that can be opened with a well-known password is a sitting duck.

On the other hand, yes, you may be right that this particular incident was a low-end DoS attack that was guessing passwords to pass the time and suck a bit more resources, instead of just passing NOOPs. If this were conducted on a large *and random* scale by the botnets (which, as Len mentioned, are used in targeted extortion campaigns, but not AFAIK for random DoS escapades as yet) this would certainly not have any usefulness for the spammers who co-own the botnets -- because spammers need your mailserver to be up and running. Could the bad guys be deciding to expand their DoS business at the expense of their spam business? Absolutely. And those hundreds of thousands of sites running off T1s or slower really couldn't withstand a deliberate DoS of _any_ service, be it HTTP, SMTP, whatever. It's by the grace of luck and middling revenue that most businesses are not targeted... although, all other things being equal, purposely ambiguous and spammer-friendly spam legislation is, I would suggest, also a "pro" on the side of spam, while the distinct illegality of DoS attacks would be a "con" for the bad guys moving wholly into that area.

My main advice to you is to start implementing an IDS/IPS system and setting your alarm thresholds low. Don't expect your server software to fend off attacks at the application level. At that point, you're pretty much already sunk. And don't relax. That's not what they pay us for. :)

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
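The "inverted brute force" pattern Sandy describes (one password, many usernames) is easy to miss with per-account lockout rules, because no single account sees more than one or two failures. The following is an added example, not code from the post or from Ipswitch, showing the kind of low-threshold detection the post recommends: it groups POP3 login attempts by source address and flags any source that tries several distinct usernames inside a short window, then lists the accounts that source eventually got into (the default-password and username-as-password accounts worth resetting first). The log format, IP addresses, usernames and timestamps are all constructed for the example; IMail's actual log format is not shown on the page and would need its own regex.

```python
# Added example (not from the original post): detect a source that cycles
# through many usernames on POP3 instead of many passwords for one account.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format. One source walks
# a username list with a fixed password and eventually hits an account;
# another is a single user mistyping their own password twice.
SAMPLE_LOG = """\
2005-03-01 02:14:01 pop3 192.0.2.10 user=alice login failed
2005-03-01 02:14:02 pop3 192.0.2.10 user=bob login failed
2005-03-01 02:14:02 pop3 192.0.2.10 user=carol login failed
2005-03-01 02:14:03 pop3 192.0.2.10 user=dave login failed
2005-03-01 02:14:04 pop3 192.0.2.10 user=erin login failed
2005-03-01 02:14:05 pop3 192.0.2.10 user=frank login OK
2005-03-01 02:20:00 pop3 198.51.100.7 user=alice login failed
2005-03-01 02:20:05 pop3 198.51.100.7 user=alice login failed
2005-03-01 02:20:09 pop3 198.51.100.7 user=alice login OK
"""

# Regex for the constructed format above: timestamp, source IP, username, outcome.
LINE_RE = re.compile(r"^(\S+ \S+) pop3 (\S+) user=(\S+) login (failed|OK)$")


def parse(log_text):
    """Turn log text into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not POP3 login records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_username_sprays(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: sorted usernames} for every source that attempted
    at least `min_users` distinct usernames within `window`.

    The threshold is deliberately low (the post's "set your alarm thresholds
    low"): a legitimate client almost never presents more than one or two
    usernames from one address within a few minutes."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        # Slide a window starting at each attempt; stop at the first match.
        for i, (start, _, _) in enumerate(items):
            seen = {u for ts, u, _ in items[i:] if ts - start <= window}
            if len(seen) >= min_users:
                hits[src] = sorted(seen)
                break
    return hits


def compromised_accounts(events, sprays):
    """Accounts a spraying source successfully logged into: these are the
    likely default-password or username-as-password accounts, and their
    credentials also work for SMTP AUTH, so reset them first."""
    return sorted({user for ts, src, user, ok in events if ok and src in sprays})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    sprays = find_username_sprays(evts)
    for src, users in sprays.items():
        print(f"username spray from {src}: {len(users)} distinct users {users}")
    print("accounts to reset:", compromised_accounts(evts, sprays))
```

Feeding a real log in means replacing `LINE_RE` with the server's own format; the rest of the logic is format-independent. Keying on source address is the simplest first cut, and a distributed run from a botnet would spread the usernames across many addresses, so the same window logic is worth running a second time keyed on nothing at all (distinct usernames server-wide per window) to catch that case.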
