Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Matt

Dave,

I've noticed that on my box with only about 60 domains, there are several
distributed dictionary attacks every day. They seem to be controlled
from a central location because the order is roughly the same across
the different IP addresses they use. Mine have been spaced out and
fairly low in volume, and I've seen them do this to domains with only
one account. These attacks use mostly real names, although the
Joe-Jobs using our domains and directed at large ISPs seemingly use
more of a hacking sort of attack, trying every combination and lasting
for weeks at times. I've found that many of these attacks originate
from North Korea and China, and there's a good chance that there's
someone on this side of the ocean that is typing in the commands. #1
ROKSO spammer Alan Ralsky seems to be Asia's largest spam customer, and
he enables a lot of this stuff. I wouldn't be surprised if someone
connected to him was responsible for the viruses that have been used to
create spam zombies. He certainly profits from the use of these
machines. This is also the guy that has involvement in the recent
Habeas spoofing for that drug site (the payload was hosted on his IP
space in China).

This stuff either comes from zombies controlled by IPs in unfriendly
countries, or it comes from unfriendly countries. Good luck serving a
warrant. It might be a better idea to look at the payloads and figure
out what the connections are. SBL probably tracks much of that stuff
if you simply resolve the domain name to an IP address and look for
patterns.

BTW, was this a large domain that's being attacked, or are these guys
just simply stupid abusive idiots (as opposed to smart abusive idiots I
guess)?

Matt


Dave Doherty wrote:

> Hi, everyone-
>
> I've seen dictionary attacks before, but this one is impressive!
>
> I have a customer who has eight email addresses and some aliases on his
> single domain. We have an ongoing problem with a distributed dictionary
> attack against this domain, and I'm talking a serious attack here - over
> half a million messages a day for the last week, seemingly originating
> from more than 10,000 IP addresses.
>
> The content is random everyday spams, with nothing in particular in
> common. Of course, there are many dupes, but I can find nothing that
> looks like a common source for this. Most of the "to" addresses are or
> could be names, apparently not random sequences of letters and numbers.
> Examples - aaronj, aaronp, aaronv, ctuck, ctucker, ctuna, etc.
>
> I have placed this domain on a dedicated box that is handling it just
> fine by rejecting the messages with invalid user errors, and I wrote a
> quick little utility that parses the logs into SQL Server and tells me
> how many of these we're getting and where they seem to be coming from.
> As of 4PM today: 275,000 messages to 42,000 addresses at this domain,
> from 14,000 IPs.
>
> I've been blocking the worst offenders in the system before they get to
> the mail server, but it's hardly making a dent since the worst offender
> in yesterday's log sent about 5,000 messages, and the top ten combined
> sent only about 25,000.
>
> My hope is that we will figure out a common source that is spoofing all
> these IPs. So, how can I tell when an IP address has been spoofed? Will
> a packet sniffer reveal that? And will blocking the "real" IP as opposed
> to the "spoofed" IP work?
>
> All suggestions are greatly appreciated. I understand that we all have
> secret stuff we do to protect our systems, so feel free to contact me
> off-list at [EMAIL PROTECTED] if you think that is more appropriate.
>
> And my thanks to Scott Perry and Pete McNeil, who have been very helpful
> in combating this already.
>
> Thanks!
>
> Dave Doherty
> Skywaves, Inc.


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread R. Scott Perry

> I've seen dictionary attacks before, but this one is impressive!
>
> I have a customer who has eight email addresses and some aliases on his
> single domain. We have an ongoing problem with a distributed dictionary
> attack against this domain, and I'm talking a serious attack here - over
> half a million messages a day for the last week, seemingly originating
> from more than 10,000 IP addresses.

Another possibility is that this isn't a dictionary attack -- but instead, 
the nobody alias was enabled in the past at a time that a dictionary 
attack occurred, and the spammer was dumb (surprise!) and thought that all 
the addresses existed.  If that is the case, now they are just sending spam 
to the addresses they think are valid.  It would also account for the huge 
number of IPs sending the spam -- it is quite common for the organized 
spammers to do that.

> My hope is that we will figure out a common source that is spoofing all
> these IPs. So, how can I tell when an IP address has been spoofed? Will a
> packet sniffer reveal that? And will blocking the real IP as opposed to
> the spoofed IP work?

It would be nice if it were that easy.  Unfortunately (fortunately?), 
spoofed IPs are extremely rare.  What that means is that these are probably 
compromised servers sending the spam, and therefore they have the spammer's 
program on them.  The spammer doesn't want you knowing his IP, so it isn't 
available anywhere.

What surprises me is that law enforcement agencies haven't gone after 
perhaps a few dozen compromised servers, run a packet sniffer, and checked 
to see what IP(s) are controlling the compromised servers.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Matt
R. Scott Perry wrote:

> What surprises me is that law enforcement agencies haven't gone after
> perhaps a few dozen compromised servers, run a packet sniffer, and
> checked to see what IP(s) are controlling the compromised servers.


The reason is probably because these machines are generally hijacked 
from countries where you would have a real hard time serving the IP 
owners with papers.  When I moved to scanning on multiple hops, my SBL 
hits increased by about 33%, probably because of zombies being 
controlled from such space and where the zombie is simply relaying 
instead of being directly hacked (therefore exposing the previous 
hops).  Just guessing of course.

Matt



Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Dave Doherty
The interesting thing about these messages is that the ones I've seen
generally don't have multi-hop trails. They look like a zombie connecting
directly to the mail server.

The blocklists are great, but at that volume, I can't run Declude on the
messages without killing the server.  So I seem to have two options, both of
which I am using: block the IPs before the server, and issue invalid user
errors.

One other thing I noticed this evening that points to a coordinated effort:
There is very little duplication of the to addresses. The most commonly
duplicated address was used only about 150 times in a sample of 275,000
attempts.

This is a small domain, one of about 500 on my system, and it has maybe
eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually
blocked some very large blocks of IP addresses in those places based on the
source IPs being well distributed. But there are a lot coming from Canada
and the US, also. I've seen a lot of the usual suspects - Comcast, Road
Runner, and Rogers.

-Dave




RE: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Jason
Try running Black ICE on the server.  It does a pretty decent job of
auto blocking dictionary attacks.  We have it set to close and block a
connection after 6 invalid users from an IP in 30 seconds.

Jason


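Dave's per-domain tallies (attempts, distinct recipients and IPs, worst offender, how often the most-repeated recipient recurs) and Jason's "6 invalid users from one IP in 30 seconds" rule, as an added Python example that is not code from either poster or from IMail. The log layout, LINE_RE and the sample lines are constructed assumptions; IMail's real log format differs.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed layout: timestamp, source IP, recipient, result);
# IMail's real log format differs, so LINE_RE would need adjusting for it.
SAMPLE_LOG = """\
2004-02-04 16:00:01 203.0.113.7 RCPT aaronj@example.com REJECT invalid user
2004-02-04 16:00:02 203.0.113.7 RCPT aaronp@example.com REJECT invalid user
2004-02-04 16:00:04 203.0.113.7 RCPT aaronv@example.com REJECT invalid user
2004-02-04 16:00:07 203.0.113.7 RCPT ctuck@example.com REJECT invalid user
2004-02-04 16:00:09 203.0.113.7 RCPT ctucker@example.com REJECT invalid user
2004-02-04 16:00:12 203.0.113.7 RCPT ctuna@example.com REJECT invalid user
2004-02-04 16:00:05 198.51.100.9 RCPT aaronj@example.com REJECT invalid user
2004-02-04 16:00:20 198.51.100.9 RCPT ctuck@example.com REJECT invalid user
2004-02-04 16:00:44 198.51.100.9 RCPT dave@example.com OK
2004-02-04 16:01:10 198.51.100.9 RCPT ctuna@example.com REJECT invalid user
2004-02-04 16:01:15 192.0.2.33 RCPT aaronj@example.com REJECT invalid user
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT (\S+) (REJECT|OK)")

def parse_log(text):
    """(timestamp, ip, recipient, rejected) per parsable line; other lines are skipped."""
    out = []
    for m in (LINE_RE.match(line) for line in text.splitlines()):
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
            out.append((ts, m[2], m[3], m[4] == "REJECT"))
    return out

def summarize(records):
    """The numbers Dave pulls from SQL Server: attempts, distinct recipients and IPs,
    the worst source IP, and how often the most-repeated recipient shows up
    (a low count across a huge sample points to a coordinated, de-duplicated list)."""
    rcpts = Counter(r[2] for r in records)
    ips = Counter(r[1] for r in records)
    return {"attempts": len(records), "recipients": len(rcpts), "ips": len(ips),
            "most_repeated": rcpts.most_common(1)[0], "worst_ip": ips.most_common(1)[0]}

def offenders(records, max_invalid=6, window_seconds=30):
    """Jason's rule: flag an IP once it has max_invalid invalid-user rejects within
    window_seconds (sliding window per IP). Returns {ip: time the block would trigger}."""
    rejects = defaultdict(list)
    for ts, ip, _, rejected in records:
        if rejected:
            rejects[ip].append(ts)
    flagged = {}
    for ip, times in rejects.items():
        window = deque()
        for ts in sorted(times):
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= max_invalid:
                flagged[ip] = ts
                break
    return flagged
```

In the sample, 203.0.113.7 trips the rule at 16:00:12 while 198.51.100.9, with three rejects spread over 65 seconds, does not; lowering max_invalid or widening the window changes that, which is the trade-off behind Dave's question about whether such a rule stands up to his volume.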


Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Matt
My own experience, and what appears to be David's, is that this stuff 
doesn't generally come in waves from just one machine.  Collecting the 
IPs might be useful for blacklisting at a router level, but the list 
would be very long.  Like Scott said earlier, this probably is just a 
spammer using a bad list of addresses that they gathered from attacking 
a domain with the nobody alias.

Dave, I'm just wondering how much load it is to be rejecting these 
messages at the HELO, provided that you have the nobody alias turned 
off.  That's definitely a ton of load, but if IMail hangs up on it 
before the message is sent, I'm thinking that the resource hit won't be 
that bad.

If you want to save yourself some time, and don't get any legit Chinese 
or Korean traffic, there's a site that has this data in Cisco ACL format 
as well as others:

   http://www.okean.com/asianspamblocks.html

Blackholes.us has text files for other countries, Taiwan for instance, 
but you would need to code this up for your router from what they provide.

Matt







Re: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Dave Doherty
That sounds like a great idea, Jason. Do you think it will stand up to this
volume?

-d

