Re: Weird distributed spam attack

Hi,

#Here is the kicker. I check where these are coming from, they
#are from all over the place. I check for IP address spoofing...
#not happening. No IP options or TCP options.
#
#This came from like about 300 different networks, and yes
#I don't accept source routing (IP Options).

In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.

You can see some of the open proxy servers that we've seen traffic from at http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html

If you aren't blocking traffic from open proxy servers via a dns blacklist, I predict that you will definitely see increasingly aggressive spam attacks coming in from diverse locations (although the more you look at the problem, the easier it becomes to identify the handful of carriers who are open proxy-tolerant).

[I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]

Regards,

Joe
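The "blocking via a dns blacklist" Joe refers to works by reversing the client's IPv4 octets and looking the result up as a hostname under the blacklist's zone; an A record in 127.0.0.0/8 means "listed". The following is an added illustration, not code from this thread or from any of the blacklist operators mentioned; the zone name `dnsbl.example.invalid` and the listing table are constructed placeholders so the example runs offline, and the real resolver shown at the bottom is only there to show where a live lookup would plug in.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Hypothetical zone; a real deployment uses the zone published by the DNSBL operator.
DNSBL_ZONE = "dnsbl.example.invalid"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name every DNS-based blacklist is queried with:
    client 1.2.3.4 is looked up as 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage, so nothing odd reaches DNS
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, resolve: Callable[[str], List[str]], zone: str = DNSBL_ZONE) -> Optional[str]:
    """Return the 127.0.0.x listing code for ip, or None if the zone has no entry.
    resolve(name) returns the A records for name, or [] when the name does not exist."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        # DNSBLs answer inside 127.0.0.0/8; any other address means a wildcarded or
        # hijacked zone and must not be treated as a listing.
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    return None


# Constructed listing table standing in for the DNS zone, so this runs without network access.
SAMPLE_LISTINGS = {
    "4.3.2.1.dnsbl.example.invalid": ["127.0.0.2"],
}


def fake_resolve(name: str) -> List[str]:
    return SAMPLE_LISTINGS.get(name, [])


def live_resolve(name: str) -> List[str]:
    """Real lookup via the system resolver; NXDOMAIN surfaces as gaierror, i.e. 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def smtp_connect_decision(ip: str, resolve: Callable[[str], List[str]] = fake_resolve) -> str:
    """What the MTA would answer at connection time for a client at ip."""
    code = is_listed(ip, resolve)
    if code is not None:
        return f"550 5.7.1 Connection from {ip} refused, listed in {DNSBL_ZONE} ({code})"
    return "220 ok"


if __name__ == "__main__":
    for client in ("1.2.3.4", "5.6.7.8"):
        print(client, "->", smtp_connect_decision(client))
```

The decision is made with a pluggable resolver so the listing logic can be exercised with a fixed table; swapping `fake_resolve` for `live_resolve` is the only change needed to query a real zone, and the 127/8 check keeps a misbehaving or expired zone from rejecting every client.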

--On Wednesday, November 20, 2002 9:40 AM -0800 Joe St Sauver <JOE@OREGON.UOREGON.EDU> wrote:
[I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]
They go on the RBL - largely due to the existence of AS7777, in a manner similar to the way listings happen on the RSS. If we have spam via an open proxy and it tests open, it gets listed.

I've got some contract coding work (sh, perl, some C) related to this available if any of you folks in the Bay Area have some spare cycles. (We're also hiring full time for some other positions - feel free to ping me).

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon
Mail Abuse Prevention System, LLC
margie@mail-abuse.org
http://mail-abuse.org

On 11/20/2002 at 12:40 PM, <JOE@OREGON.UOREGON.EDU> wrote:
In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.
Almost all SMTP dictionary-crack attacks are done through open proxies, otherwise it's a "delivery attack" carrying actual spam. Some ISPs seem to have problems understanding the concept that log evidence showing 200 unknown users being probed is in-your-face evidence of illegal trespass and accessing another host/network without authorization. Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist Verifier Pro) pumps out, specifically uses "rotating proxies" to do its illegal work. Talk about a company not worth defending, even if it's against the DMCA. Dimitry should find himself a more ethical employer, even if Adobe was wrong on this to begin with.
If you aren't blocking traffic from open proxy servers via a dns blacklist, I predict that you will definitely see increasingly aggressive spam attacks coming in from diverse locations (although the more you look at the problem, the easier it becomes to identify the handful of carriers who are open proxy-tolerant).
If you don't use at least several DNSBL's, you are already DEAD from dictionary attacks, I'd say. I have personally observed an attack against a DS3-connected server from a single source IP, ratcheting through 2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to hide very well, they are trying to crack through your mail server at maximum speeds, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue (at the expense of keeping the process in memory too long, and long after the attacking host disconnects) at http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt

Do not use this in production, unless you really know what you are doing and are tongue-in-cheek with Sendmail and its source: it has several deficiencies that are obvious to a good observer (and tester) and that may impede or render it useless to most.

I wonder if Eric ever reconsidered my suggestion (from 4-5 years ago) to optionally drop processing arguments for a given SMTP dialogue if the client host disconnects the TCP connection prematurely [while not in "pipeline" mode, but the latter was not part of the argument]. This is very much Sendmail-specific, so you may ignore this.
[I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]
What we really want is a DNSBL that lists SMTP dictionary-crack attacks in real-time. The overlap of the mechanics required for running this with other DNSBL's is obvious. Unfortunately I could only spare some expertise, but not a whole lot of time or expenses to set something like that up (and merge it into an existing DNSBL such as Osirusoft's as far as day-to-day ops is concerned).

Without touting my horn, SS2.0 will successfully defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed or not, but other significant reasons are holding up its release right now, in case you were going to ask.

bye, Kai
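Kai's description of the attack pattern (one source IP, thousands of RCPT TO: checks in seconds, 10-25 probes per connection) and his wish for a DNSBL fed by such attacks in real time both come down to the same log analysis: count unknown-user rejections per client address inside a short time window, and separate that from the occasional mistyped address a legitimate correspondent produces. The following is an added example, not code from this thread, from SS2.0 or from Sendmail; the log lines are constructed in a Sendmail-like `check_rcpt ... User unknown` format (an assumption, not a copy of any real log), the threshold and window are illustrative, and the output is the kind of record a real-time listing service would consume.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed line shape: a recipient rejected as unknown, with the queue id identifying
# the SMTP connection and relay=[...] the client address.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=\[(?P<ip>[\d.]+)\], "
    r"reject=550 5\.1\.1 .*User unknown$"
)


def parse_unknown_user(line: str, year: int = 2002) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, queue id, recipient, client ip) for an unknown-user reject, else None.
    syslog timestamps carry no year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["qid"], m["rcpt"], m["ip"]


def find_dictionary_attacks(lines: List[str], window_seconds: int = 60,
                            threshold: int = 20) -> Dict[str, Tuple[int, int, int]]:
    """Map client ip -> (distinct unknown recipients, connections used, peak rejects in one window)
    for every client whose peak reaches threshold. A real correspondent mistypes one or two
    addresses hours apart; a dictionary run produces dozens of distinct names in seconds."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_unknown_user(line)
        if parsed:
            events[parsed[3]].append(parsed)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        recipients = {e[2] for e in evs}
        connections = {e[1] for e in evs}
        window: deque = deque()
        peak = 0
        for ts, _, _, _ in evs:          # sliding window over reject timestamps
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = (len(recipients), len(connections), peak)
    return flagged


# ---- constructed sample log -------------------------------------------------
def _line(ts: datetime, qid: str, rcpt: str, ip: str) -> str:
    return (f"{ts:%b %d %H:%M:%S} mx sendmail[4242]: {qid}: ruleset=check_rcpt, "
            f"arg1=<{rcpt}>, relay=[{ip}], reject=550 5.1.1 <{rcpt}>... User unknown")


_base = datetime(2002, 11, 20, 9, 40, 50)
SAMPLE_LOG: List[str] = []
# Attacker (documentation address 192.0.2.10): 30 probes, 10 per connection, inside 3 seconds.
for i in range(30):
    SAMPLE_LOG.append(_line(_base + timedelta(seconds=i // 10), f"gAKHeo{i // 10:02d}",
                            f"user{i:03d}@example.com", "192.0.2.10"))
# Legitimate correspondent (198.51.100.7): two typos, three hours apart.
SAMPLE_LOG.append(_line(_base, "gAKabc01", "jon@example.com", "198.51.100.7"))
SAMPLE_LOG.append(_line(_base + timedelta(hours=3), "gAKabc02", "jhon@example.com", "198.51.100.7"))

if __name__ == "__main__":
    for ip, (rcpts, conns, peak) in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {rcpts} unknown recipients over {conns} connections, peak {peak}/60s")
```

Keying on distinct recipients and on the number of connections is what makes the signal robust: the attack Kai describes spreads its probes across many short connections, so a per-connection limit alone would miss it, while the per-client window catches it whether it arrives in one session or twenty.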

On Wed, Nov 20, 2002 at 09:40:50AM -0800, Joe St Sauver wrote:
In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.
I agree--that's a strong possibility. This week, I released a tool to test open proxies. <http://www.unicom.com/sw/pxytest>
[I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]
I believe RBL will list open proxies. Another good resource is the Blitzed Open Proxy Monitor (BOPM) <http://www.blitzed.org/bopm/>. -- Chip Rosenthal * chip@unicom.com * http://www.unicom.com/ Lawsuit Update: I Win, Domain Hijackers Lose * http://save.unicom.com/