While we do see an increase in AUTH attacks from Amazon AWS, it is still
a drop in the bucket compared to traditional attack sources. And there
is not enough evidence yet to see whether these are actual hackers with
their own resources, vs. simply hackers who have compromised someone else's
resources there. This is a similar pattern to what is seen at other
large providers.
However, we do empathize with you regarding Amazon support when
trying to report such attacks. I personally have got the generic
"Sorry, we don't know who was on that IP at that exact time" response.
But in essence, you will have to address this like all other
authentication attacks. I would not go as far as saying block all of AWS
from authenticating; there could be legitimate applications designed to
access email accounts. Of course, you should do your best to ensure
that at least the script-kiddie authentication attempts are blocked, or
used to trigger blocking mechanisms.
And in general, expect a lot more of these types of attacks, as hackers
now find that they get more value from compromising email accounts than
from just using them to spam.
You could throw support behind our CLIENTID initiatives ;)
In 2018 we spent a lot of development time on this emerging threat,
including our Advanced Threat Detection tools, but authentication to
legacy protocols will have to change in order to encompass all of the
threats.
Now, if we can just get everyone to BLACKHOLE the really bad "hosting
companies" <sic> which are just fronts for large-scale AUTH attacks and
other abuses... which somehow got IP space.
PS: Most of the AUTH attacks we see are still trying simply the 'username'
instead of the full 'emailaddress', so restricting authentication to the full
email address should reduce much of the attacks. A lot of it is still
trying old compromised database information, from 2015 and earlier.
And there is a separate group doing dictionary attacks against common
names.
On 18-10-29 04:01 AM, Benoit Panizzon wrote:
Hi List
We increasingly notice that when an account gets phished, it is being
abused to send spam from usually one or two Amazon AWS US IP addresses
simultaneously, staying below our account auto-block threshold.
Quite some time in the past, when I first observed this, I contacted the
Amazon Abuse Desk, including the info they provide in their WHOIS
entry, but never got any kind of reaction.
Now I am curious, do others also make this observation?
How about blocking the Amazon AWS IP ranges? Are there any legitimate
emails being sent by them?
Well, I could try to block them only for authenticated SMTP submission,
not for MX operation.
Kind regards
-Benoît Panizzon-
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
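The thread above touches three concrete mitigations: Peddemors' observation that most AUTH attacks try a bare 'username' rather than a full address, his suggestion that failed attempts should trigger blocking, and Panizzon's idea of blocking a provider's ranges for authenticated submission only while leaving MX traffic alone. The Python below is an added example written for this page, not code from either poster or from LinuxMagic. The log lines are constructed to resemble Postfix smtpd SASL failure messages and are not real logs; the blocked range 203.0.113.0/24 is RFC 5737 documentation space standing in for whatever provider list an operator chooses (for AWS the published source is https://ip-ranges.amazonaws.com/ip-ranges.json), and the threshold of 3 failures is an arbitrary assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a Postfix-like SASL failure format (not real logs).
# Source 203.0.113.5 walks bare usernames on the submission service; 198.51.100.7
# fails twice with a full address and then shows up on port 25 (MX) as a plain connect.
SAMPLE_LOG = """\
Oct 29 04:01:02 mx postfix/submission/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Oct 29 04:01:03 mx postfix/submission/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Oct 29 04:01:04 mx postfix/submission/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Oct 29 04:02:10 mx postfix/submission/smtpd[1240]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=carol@example.net
Oct 29 04:02:11 mx postfix/submission/smtpd[1240]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure, sasl_username=carol@example.net
Oct 29 04:03:00 mx postfix/smtpd[1250]: connect from unknown[198.51.100.7]
"""

# Matches the failure line; the service segment (e.g. "submission") is optional.
AUTH_FAIL_RE = re.compile(
    r"postfix/(?:(?P<service>\w+)/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL \w+ authentication failed: .*?sasl_username=(?P<user>\S+)"
)

# Assumption: TCP 587 and 465 carry authenticated submission; 25 is MX traffic.
SUBMISSION_PORTS = {587, 465}

# Hypothetical provider range list (documentation space, not a real provider's ranges).
SUBMISSION_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_auth_failures(text):
    """Return one dict per failed SASL attempt: source IP, login name, service."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            events.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "service": m.group("service") or "smtpd",
            })
    return events


def is_full_address(user):
    """True for a full login of the form local@domain, False for a bare username."""
    local, sep, domain = user.partition("@")
    return bool(sep and local and domain)


def split_by_login_form(events):
    """Count (bare, full) login forms, the split Peddemors describes seeing."""
    c = Counter("full" if is_full_address(e["user"]) else "bare" for e in events)
    return c["bare"], c["full"]


def sources_to_block(events, threshold):
    """Source IPs with at least `threshold` failures: candidates for a temporary block."""
    per_ip = Counter(e["ip"] for e in events)
    return {ip for ip, n in per_ip.items() if n >= threshold}


def submission_policy(ip, port, blocklist=SUBMISSION_BLOCKLIST):
    """Reject listed sources on submission ports only; MX (port 25) is never affected."""
    if port not in SUBMISSION_PORTS:
        return "accept"
    addr = ipaddress.ip_address(ip)
    return "reject" if any(addr in net for net in blocklist) else "accept"


def login_policy(user):
    """Implements 'full email address only': a bare username is rejected before auth."""
    return "accept" if is_full_address(user) else "reject"


if __name__ == "__main__":
    events = parse_auth_failures(SAMPLE_LOG)
    bare, full = split_by_login_form(events)
    print(f"{len(events)} failed attempts: {bare} bare usernames, {full} full addresses")
    print("block after 3 failures:", sorted(sources_to_block(events, 3)))
    for ip, port in [("203.0.113.5", 587), ("203.0.113.5", 25), ("198.51.100.7", 587)]:
        print(f"{ip}:{port} -> {submission_policy(ip, port)}")
    for e in events:
        print(f"login {e['user']!r} -> {login_policy(e['user'])}")
```

Two points the numbers make: the bare-username walker is caught both by the full-address rule (every one of its attempts is rejected before a password is checked) and by the per-source threshold, while the one-or-two-IP pattern Panizzon describes against an already phished account will not trip a per-IP count and needs the submission-only range policy or a per-account check instead.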