On 11/20/2002 at 12:40 PM, <JOE@OREGON.UOREGON.EDU> wrote:

In addition to thousands of open relays, which are bad enough in their own right, there are also thousands of open proxy servers which a growing number of spammers have been using to launch spam runs lately. I suspect that's what you're seeing.

Almost all SMTP dictionary-crack attacks are done through open proxies, otherwise it's a "delivery attack" carrying actual spam. Some ISPs seem to have problems understanding the concept that log evidence showing 200 unknown users being probed is in-your-face evidence of illegal trespass and accessing another host/network without authorization. Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist Verifier Pro) pumps out, specifically uses "rotating proxies" to do its illegal work. Talk about a company not worth defending, even if it's against the DMCA. Dimitry should find himself a more ethical employer, even if Adobe was wrong on this to begin with.

If you aren't blocking traffic from open proxy servers via a dns blacklist, I predict that you will definitely see increasingly aggressive spam attacks coming in from diverse locations (although the more you look at the problem, the easier it becomes to identify the handful of carriers who are open proxy-tolerant).

If you don't use at least several DNSBL's, you are already DEAD from dictionary attacks, I'd say. I have personally observed an attack against a DS3-connected server from a single source IP, ratcheting through 2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to hide very well, they are trying to crack through your mail server at maximum speeds, with 10-25 probes per connection. There is a demonstration patch for Sendmail to slow down the SMTP dialogue (at the expense of keeping the process in memory too long, and long after the attacking host disconnects) at http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt Do not use this in production, unless you really know what you are doing and are tongue-in-cheek with Sendmail and its source: it has several deficiencies that are obvious to a good observer (and tester) and that may impede or render it useless to most. I wonder if Eric ever reconsidered by suggestion (from 4-5 years ago) to optionally drop processing arguments for a given SMTP dialogue if the client host disconnects the TCP connection prematurely [while not in "pipeline" mode, but the latter was not part of the argument]. This is very much Sendmail-specific, so you may ignore this.

[I will also say that it would really be great if mail-abuse.org would add an open proxy listing project to complement their RSS, DUL, and other initiatives.]

What we really want is a DNSBL that lists SMTP dictionary-crack attacks in real-time. The overlap of the mechanics required for running this with other DNSBL's are obvious: Unfortunately I could only spare some expertise, but not a whole lot of time or expenses to set something like that up (and merge it into an existing DNSBL such as Osirusoft's as far as day-to-day ops is concerned). Without touting my horn, SS2.0 will succesfully defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed or not, but other significant reasons are holding up its release right now, in case you were going to ask. bye,Kai