At 21:31 -0500 (GMT) 28/10/03, Bill Cole wrote:
At 5:03 PM -0600 10/28/03, Chris Wagner imposed structure on a
11:47:09 1 SMTP {web} AUTH failed: password(54321) is wrong. Connection from
[218.70.9.34:3101]
11:47:10 0 SYSTEM Account {web} Resources open failed. Error Code=-43
11:47:10 1 SMTP {web} AUTH failed: password(00000000) is wrong. Connection
from [218.70.9.34:3101]

Looks like SIMS knocked them out, and that's fine, just was wondering.

It is a concern because they can go on like this all day long, and will. The conventional wisdom among spam-fighters is that a large slice of these attacks from Chinese address space are the work of Alan Ralsky, one of the sleaziest and most successful spammers around. Spam which looks like his work has been seen coming from addresses in China relayed through machines that look like they are not open relays, but frequently are running Exchange.

That's right, Ralsky has between 5 and 10 servers in China which he connects to from his Detroit basement via VPN. Much of Ralsky's spam these last couple of months has been coming through real SMTP servers using SMTP AUTH, basically as you say - Ralsky does it by running attacks on MTAs trying obvious combinations of usernames/passwords.


The only defence is to use good passwords (and educate customers to use good passwords) with combinations of characters+numbers. Too many users use passwords like "Fred"...

 Your only real protection is a very strong postmaster password,
 few other guessable accounts that seem admin-like in name and for
 most people, a firewall block on 218.70.0.0/16.

-- Steve Linford Ultradesign Xtreme Network http://www.uxn.com
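
Added example, not part of the original messages and not SIMS code: one way to pick the password-guessing pattern out of log lines in the format quoted above, counting AUTH failures per source address inside a short window. The sample lines, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted log format; one entry is wrapped as mail clients do.
SAMPLE_LOG = """\
11:47:09 1 SMTP {web} AUTH failed: password(54321) is wrong. Connection from [192.0.2.10:3101]
11:47:10 1 SMTP {web} AUTH failed: password(00000000) is wrong. Connection from [192.0.2.10:3101]
11:47:12 1 SMTP {postmaster} AUTH failed: password(admin) is wrong. Connection from [192.0.2.10:3102]
11:47:15 1 SMTP {admin} AUTH failed: password(admin) is wrong. Connection
from [192.0.2.10:3103]
11:52:40 1 SMTP {fred} AUTH failed: password(Fred1) is wrong. Connection from [198.51.100.7:2200]
"""

# \s+ between "Connection" and "from" tolerates a line wrap inside an entry.
AUTH_FAIL = re.compile(
    r"(\d\d:\d\d:\d\d) \d+ SMTP \{([^}]*)\} AUTH failed: password\(.*?\) is wrong\.\s+"
    r"Connection\s+from\s+\[(\d{1,3}(?:\.\d{1,3}){3}):\d+\]"
)

def parse_failures(log_text):
    """Yield (seconds since midnight, account, source IP); guessed passwords are not kept."""
    for ts, account, ip in AUTH_FAIL.findall(log_text):
        h, m, s = (int(x) for x in ts.split(":"))
        yield h * 3600 + m * 60 + s, account, ip

def guessing_sources(log_text, window=60, max_failures=3, max_accounts=2):
    """Return {ip: (peak failures within `window` seconds, distinct accounts tried)}
    for sources at or above either threshold. Assumes the log covers a single day."""
    times, accounts = defaultdict(list), defaultdict(set)
    for t, account, ip in parse_failures(log_text):
        times[ip].append(t)
        accounts[ip].add(account)
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_failures or len(accounts[ip]) >= max_accounts:
            flagged[ip] = (peak, len(accounts[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (peak, n) in guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failures within 60s across {n} accounts")
```

A single mistyped password from one address stays below both thresholds, so an ordinary user is not flagged.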
