Just FYI, I am putting together another paper as we speak on how to secure your mail servers against this type of attack. Should be online by this afternoon at the latest.

Ok, this is where I need to ask for your guys' help as well. If anyone here has experience with postfix or qmail, please let me know if you know ways of securing these mail servers from these kinds of attacks. I'm familiar with sendmail, exim, and exchange.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Brian Bruns
To: Bob German; nanog@merit.edu
Sent: Friday, October 10, 2003 11:12 AM
Subject: Re: New mail blocks result of Ralsky's latest attacks?

Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now.

I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.

Exchange does a horrible job of logging, which is why they are probably being targeted. Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: Bob German
To: nanog@merit.edu
Sent: Friday, October 10, 2003 10:59 AM
Subject: New mail blocks result of Ralsky's latest attacks?

A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.

Could this be why everyone's locking up their mail servers all of a sudden? Does anyone know of a way to stop them?

Bob