New mail blocks result of Ralsky's latest attacks?
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them. Could this be why everyone's locking up their mail servers all of a sudden? Does anyone know of a way to stop them? Bob
'Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.

Exchange does a horrible job of logging, which is probably why they are being targeted. Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
Brian Bruns writes on 10/10/2003 8:42 PM:
'Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.
Exchange (and MDaemon) seem to be targeted extensively - they have admin:admin and guest:guest type default accounts that, if they aren't locked down, can be used to AUTH and send out mail. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
He grabbed a couple of our customers' IMAIL servers, and I'm pretty sure discovered a few weak passwords by brute force.

Bob
Just FYI, I am putting together another paper as we speak on how to secure your mail servers against this type of attack. Should be online by this afternoon at the latest.

OK, this is where I need to ask for you guys' help as well. If anyone here has experience with postfix or qmail, please let me know if you know ways of securing these mail servers from these kinds of attacks. I'm familiar with sendmail, exim, and exchange.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
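Added example (editor's code, not from any poster in this thread). The point made earlier in the thread is that real MTAs log every failed AUTH, so a dictionary run is visible in the maillog before an account actually falls. The script below parses constructed log lines modelled on Postfix smtpd and sendmail SASL messages, counts failures per client IP in a sliding window, emits Postfix check_client_access lines for sources over the threshold, and flags the event that actually matters: a successful AUTH from an IP that just produced a run of failures, i.e. a guessed credential. The sample lines, the documentation-range IPs, the assumed year (syslog has none), the threshold and the window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (editor's code, not from the thread). Log lines are constructed,
# modelled on Postfix smtpd and sendmail syslog output for SMTP AUTH; the IPs
# are documentation ranges. Syslog carries no year, so one is assumed below.
SAMPLE_LOG = """\
Oct 10 10:59:01 mx postfix/smtpd[4101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Oct 10 10:59:02 mx postfix/smtpd[4101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Oct 10 10:59:02 mx postfix/smtpd[4102]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed
Oct 10 10:59:03 mx postfix/smtpd[4102]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Oct 10 10:59:04 mx postfix/smtpd[4103]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Oct 10 10:59:05 mx postfix/smtpd[4103]: 7F2A1B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=admin
Oct 10 10:59:10 mx sm-mta[4210]: h9AEx1Ab004210: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=guest, relay=[198.51.100.7]
Oct 10 11:03:15 mx postfix/smtpd[4104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed
Oct 10 11:03:20 mx postfix/smtpd[4104]: 7F2A1B3D: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=bob
Oct 10 11:20:10 mx sm-mta[4211]: h9AFK1Ab004211: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=guest, relay=[198.51.100.7]
"""

ASSUMED_YEAR = 2003  # assumption: syslog lines carry no year

SYSLOG = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
PATTERNS = (
    ("fail", re.compile(SYSLOG + r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")),
    ("success", re.compile(SYSLOG + r"postfix/smtpd\[\d+\]: \w+: client=[^\s\[]+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)")),
    ("fail", re.compile(SYSLOG + r"sm-mta\[\d+\]: \w+: AUTH failure \(\w+\):.*user=(?P<user>[^,]+), relay=\[(?P<ip>[\d.]+)\]")),
)


def parse_events(log_text):
    """Yield (timestamp, ip, kind, user) for every AUTH-related line; other lines are ignored."""
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                stamp = re.sub(r" +", " ", m["ts"])
                ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
                yield ts, m["ip"], kind, m.groupdict().get("user")
                break


def analyze(log_text, threshold=4, window=timedelta(minutes=10), suspect=2):
    """Per-IP sliding-window failure count.

    Returns (ips_to_block, cracked): an IP is blocked once it reaches `threshold`
    failures inside `window`; `cracked` lists successful AUTHs that followed at
    least `suspect` failures from the same client inside `window`.
    """
    recent = defaultdict(deque)
    block = set()
    cracked = []
    for ts, ip, kind, user in parse_events(log_text):
        fails = recent[ip]
        while fails and ts - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if kind == "fail":
            fails.append(ts)
            if len(fails) >= threshold:
                block.add(ip)
        elif len(fails) >= suspect:               # success right after a run of failures
            cracked.append((ip, user, len(fails)))
    return block, cracked


def to_client_access(block):
    """Lines for a Postfix check_client_access map (hash: or cidr: table)."""
    return [f"{ip} REJECT too many SMTP AUTH failures" for ip in sorted(block)]


if __name__ == "__main__":
    block, cracked = analyze(SAMPLE_LOG)
    print("\n".join(to_client_access(block)))
    for ip, user, n in cracked:
        print(f"credential for {user!r} likely guessed from {ip} after {n} failures")
```

Feed it a real maillog instead of SAMPLE_LOG and the output is a drop-in access map plus the list of accounts whose password should be reset first. The 198.51.100.7 entry in the sample, two failures 21 minutes apart, shows the obvious gap: a slow attacker, or one spread across many source IPs, stays under any per-IP threshold, so this kind of rate limiting complements strong passwords and removing default accounts rather than replacing them.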
On Fri, 10 Oct 2003 10:59:46 -0400 "Bob German" <bobgerman@irides.com> wrote:
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
Could this be why everyone's locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?
Sure, drive to the address provided with a cluebat, ask for Alan.

6747 Minnow Pond Drive West Bloomfield, MI

Despite all the spam coming from China, they've seized Alan's equipment and shot (I can't find coverage on this one in the American or European press) at least two indigenous spammers (I always happily note on spam LARTs to China that I'll pay for the bullet and shipping for the shell casing to my door if invoiced).
-- Andrew D Kirch | trelane@2mbit.com | Security Admin | Summit Open Source Development Group | www.sosdg.org
Can't speak for others, but the server that was blocked for us by Yahoo! is ACL'd by IP address. It would be very helpful if the Yahoo! folk could post an official explanation as to what happened so we can pass it on to our customers, e.g. a URL somewhere on Yahoo!?

---Mike
Bob German writes on 10/10/2003 8:29 PM:
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
Could this be why everyone's locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like:

/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669

srs (yes, this is a rather expensive set of checks)

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
on Fri, Oct 10, 2003 at 08:47:51PM +0530, Suresh Ramasubramanian wrote:
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -
<snip>

Sendmail rulesets to block Ralsky:

KRalsky1 regex -a@SPAM ^.*(\[|\(|\s)211\.158\.[3456789]
KRalsky2 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[345]
KRalsky3 regex -a@SPAM ^.*(\[|\(|\s)219\.153\.1[45]
KRalsky4 regex -a@SPAM ^.*(\[|\(|\s)218\.10\.57
KRalsky5 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[01]
KRalsky6 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.[89]
KReceivedChecks sequence Ralsky1 Ralsky2 Ralsky3 Ralsky4 Ralsky5 Ralsky6

HReceived: $>check_header_Received

Scheck_header_Received
R$*	$: $1 $| $(ReceivedChecks $&{currHeader} $)
R$* $| @SPAM	$#error $@ 5.7.1 $: "550 Message rejected; suspected spam signature."
R$* $| $*	$: $1

This will not help to block direct SMTP AUTH attacks, but it should block mail from other compromised servers, provided they don't munge the headers. I've been running these rules for several weeks without incident.

HTH,
Steve

--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier
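Added example (editor's code, not from either poster above). This small Python harness evaluates the Postfix pcre header_checks table and the sendmail regex-map patterns, exactly as posted in the two messages above, against constructed Received headers, so the two rule sets can be compared before they go into production. It mimics how each MTA applies them: Postfix matches every unfolded logical header against the table top to bottom and the first hit wins; the sendmail check_header_Received ruleset sees only the value of each Received: header and the ReceivedChecks sequence map returns @SPAM on the first matching map. The sample headers, host names and IPs are constructed; one of them, 218.70.13.9, is chosen to sit just outside the Postfix ranges, because the sendmail patterns drop the trailing \d\.\d of the Postfix ones and therefore also match third octets the Postfix table excludes (218.70.13.x, 218.70.80.x, 211.158.4.x and so on).

```python
import re

# Added harness (editor's code, not from the thread). The two rule sets are
# copied from the posts above; the message headers below are constructed.

# Postfix pcre: header_checks table, one "/pattern/ ACTION text" per line.
POSTFIX_HEADER_CHECKS = r"""
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
"""

# Sendmail regex maps, in the order the ReceivedChecks sequence map tries them.
SENDMAIL_PATTERNS = [
    re.compile(p) for p in (
        r"^.*(\[|\(|\s)211\.158\.[3456789]",
        r"^.*(\[|\(|\s)218\.70\.1[345]",
        r"^.*(\[|\(|\s)219\.153\.1[45]",
        r"^.*(\[|\(|\s)218\.10\.57",
        r"^.*(\[|\(|\s)218\.70\.1[01]",
        r"^.*(\[|\(|\s)218\.70\.[89]",
    )
]

TABLE_LINE = re.compile(r"^/(?P<pat>.*)/\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$")


def parse_pcre_table(table):
    """Parse a Postfix pcre: header_checks table into (regex, action, text) rules."""
    rules = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if m is None:
            raise ValueError("cannot parse header_checks line: " + line)
        rules.append((re.compile(m["pat"]), m["action"], m["text"] or ""))
    return rules


def unfold(raw_headers):
    """Join folded continuation lines; both MTAs test whole logical headers."""
    logical = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif line:
            logical.append(line)
    return logical


def postfix_verdict(raw_headers, rules):
    """header_checks: each header is matched top to bottom, first hit wins."""
    for header in unfold(raw_headers):
        for pattern, action, text in rules:
            if pattern.search(header):
                return action, text
    return "DUNNO", ""


def sendmail_verdict(raw_headers):
    """check_header_Received: only Received: values are tested; the
    sequence map yields @SPAM on the first map that matches."""
    for header in unfold(raw_headers):
        name, _, value = header.partition(":")
        if name.strip().lower() != "received":
            continue
        if any(p.search(value) for p in SENDMAIL_PATTERNS):
            return "@SPAM"
    return ""


# Constructed headers (example.* hosts; IPs chosen around the listed ranges).
IN_RANGE = (
    "Received: from relay.example.net (relay.example.net [218.70.135.17])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 7F2A1B3C\n"
    "Received: from localhost (localhost [127.0.0.1]) by relay.example.net\n"
)
# 218.70.13.9 matches no Postfix pattern (they need 218.70.13x.y) but does
# match sendmail's 218\.70\.1[345], which has no trailing \.\d.
EDGE = "Received: from [218.70.13.9] by mx.example.org (Postfix) with SMTP id 7F2A1B3D\n"
# A listed address in a header neither rule set examines.
CLEAN = (
    "Received: from mail.example.com (mail.example.com [192.0.2.25]) by mx.example.org\n"
    "X-Originating-IP: [218.10.57.3]\n"
)

if __name__ == "__main__":
    rules = parse_pcre_table(POSTFIX_HEADER_CHECKS)
    for label, hdrs in (("in-range", IN_RANGE), ("edge", EDGE), ("clean", CLEAN)):
        print(label, postfix_verdict(hdrs, rules), sendmail_verdict(hdrs) or "ok")
```

Whether the wider sendmail net is deliberate is the rule author's call; the harness just makes the difference visible before a customer's mail bounces. Note also that both rule sets test every Received: line in the chain, including ones written by the sending side, so a forged header containing a listed address rejects a message exactly as a real relay hop would.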
Out of curiosity, has anyone tried turning this over to law enforcement? It's another form of hacking, but the money trail back through the spammers might provide enough evidence for prosecution. --Steve Bellovin, http://www.research.att.com/~smb
Steven M. Bellovin writes on 10/10/2003 9:37 PM:
Out of curiosity, has anyone tried turning this over to law enforcement? It's another form of hacking, but the money trail back through the spammers might provide enough evidence for prosecution.
--Steve Bellovin, http://www.research.att.com/~smb
Al Ralsky already has a record, as it is. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
At 09:07 AM 10/10/2003, Steven M. Bellovin wrote:
Out of curiosity, has anyone tried turning this over to law enforcement? It's another form of hacking, but the money trail back through the spammers might provide enough evidence for prosecution.
From my read, it sounds sufficient in its own right. This month's Communications of the ACM has an interesting article on addressing it as "trespass on chattel" - attacking someone's property in a manner that reduces their ability to use it, or using it without their permission for purposes they don't agree with. Breaking into a server and using it for a purpose its owner doesn't authorize sounds a lot like trespass against chattel to me. It might be interesting for him to wake up in the morning with 50 lawsuits at his door seeking damages in the quantity of money spent horsing around with him.
participants (8)
- Andrew D Kirch
- Bob German
- Brian Bruns
- Fred Baker
- Mike Tancsa
- Steven Champeon
- Steven M. Bellovin
- Suresh Ramasubramanian