On 6 Oct 2017, at 14:19, Brandon Long wrote:
> Are you sure they're trying a slow dictionary attack?
It varies. I've seen both dictionary attacks of varying speeds (from
many per second to a few per minute) using a dictionary of common names
and role accounts AND relatively slow runs *from multiple ips* of the
same set of email addresses with and without domains in the same order
every time, no quicker than 2/minute. These are probably mostly password
reuse attacks, since the addresses are strictly email address
identities, NOT authentication identities (e.g. see my address...) On
the other hand, some of the addresses are ones that have been only used
for mailing lists and don't seem to have been compromised, so it isn't
clear what the attackers think they are doing with those.
> That seems unlikely to be useful,
It's not exactly news that spammers are not terribly bright in general
and frequently use extremely low-yield (even entirely futile) modes of
attack. For example:
• Cutwail has been using the same idiosyncratically bogus HELO
behavior for many years.
• I get authentication attempts on port 25 listeners which never
advertise (and do not have) SMTP AUTH support.
• I get attack runs making plaintext authentication attempts on
unencrypted POP3 and IMAP sessions despite the fact that they both
explicitly disallow that.
> perhaps instead they are using known passwords looking for
> reuse, that's been our experience.
Yes, there's surely some of that.
> Anyways, passwords are so broken now, we have to have an entire permission
> flow to see whether an access is likely from the actual user and not a
> hijacking attempt, and we pushed most users to oauth instead. I realize
> oauth doesn't scale as is, they need to get the discovery and auto
> registration stuff done, haven't looked at the status of that in a couple
> years.
As far as email goes, I don't think passwords are really so broken as
long as you split mail routing identities from authentication
identities. For example, I have used an unknown number of email
addresses in the scconsult.com and billmail.scconsult.com domains, many
of which remain usable in the sense that mail sent to them will very
likely reach my eyes. No system I run recognizes any of those addresses
(with or without the domain part) as an authentication identity, not
even the IMAP server hosting the single account to which they all get
delivered. There has never been any attempt to crack that account,
because the username isn't a mailable address. I have implemented
similar models on much larger scales with the only problem being a tiny
minority (<1%) of users who require being told twice that their username
and their email address are 2 different things which don't closely
resemble each other.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
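The two patterns described in the reply above (a fast dictionary run of role names versus a slow replay of the same list of real addresses, with and without domain, from several IPs) and the routing-identity/authentication-identity split it argues for can be checked mechanically against auth-failure logs. The following is an added example, not code from the thread or from any of the systems mentioned in it: the log line format, the routing table, the usernames and the IP addresses are all constructed for illustration, and the rate is computed from the gaps between attempts so that a 30-second cadence reads as 2/minute.

```python
"""Classify auth-failure runs and check them against a routing/auth identity split.

Added example; the log format below is constructed (it is not Dovecot's or
Postfix's own), as are the addresses, usernames and IPs.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed routing table: many mailable addresses -> one mailbox.
# None of these local parts doubles as a login name.
ROUTING = {
    "bill@scconsult.com": "mbx-4711",
    "lists@scconsult.com": "mbx-4711",
    "info@billmail.scconsult.com": "mbx-4711",
}
# Constructed authentication identities; deliberately not mailable addresses.
AUTH_USERS = {"bc-imap-7", "ops-relay"}

# Constructed failure line: "<iso-timestamp> auth-fail user=<x> rip=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=<(?P<user>[^>]*)> rip=(?P<ip>[\d.]+)$")

# Constructed sample log: one fast dictionary run, one slow replayed list from two IPs,
# plus one successful login line that the parser must ignore.
LOG = [
    "2017-10-06T14:00:00 auth-fail user=<admin> rip=203.0.113.5",
    "2017-10-06T14:00:01 auth-fail user=<postmaster> rip=203.0.113.5",
    "2017-10-06T14:00:02 auth-fail user=<sales> rip=203.0.113.5",
    "2017-10-06T14:00:03 auth-fail user=<test> rip=203.0.113.5",
    "2017-10-06T14:10:00 auth-fail user=<bill@scconsult.com> rip=198.51.100.7",
    "2017-10-06T14:10:30 auth-fail user=<bill> rip=198.51.100.7",
    "2017-10-06T14:11:00 auth-fail user=<lists@scconsult.com> rip=198.51.100.7",
    "2017-10-06T14:11:30 auth-fail user=<lists> rip=198.51.100.7",
    "2017-10-06T14:20:00 auth-fail user=<bill@scconsult.com> rip=198.51.100.9",
    "2017-10-06T14:20:30 auth-fail user=<bill> rip=198.51.100.9",
    "2017-10-06T14:21:00 auth-fail user=<lists@scconsult.com> rip=198.51.100.9",
    "2017-10-06T14:21:30 auth-fail user=<lists> rip=198.51.100.9",
    "2017-10-06T14:22:00 imap-login: Login: user=<bc-imap-7> rip=192.0.2.10",
]


def mailable(identity):
    """True if the tried identity is a routable address, with or without its domain part."""
    ident = identity.lower()
    if "@" in ident:
        return ident in ROUTING
    return any(addr.split("@")[0] == ident for addr in ROUTING)


def parse(lines):
    """Extract (timestamp, tried identity, source IP) from auth-failure lines only."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def classify(events):
    """Per-IP summary plus the set of identical ordered sequences seen from >1 IP."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    report = {}
    for ip, tries in by_ip.items():
        tries.sort()
        users = [u for _, u in tries]
        span = (tries[-1][0] - tries[0][0]).total_seconds()
        # Rate from the gaps between attempts: n attempts span n-1 intervals.
        rate = 60.0 * (len(tries) - 1) / span if span > 0 else 0.0
        report[ip] = {
            "sequence": users,
            "per_minute": rate,
            "mailable": sum(mailable(u) for u in users),       # password-reuse candidates
            "real_auth_id": sum(u in AUTH_USERS for u in users),  # should stay 0 under the split
        }
    seqs = defaultdict(list)
    for ip, r in report.items():
        seqs[tuple(r["sequence"])].append(ip)
    replayed = {seq: ips for seq, ips in seqs.items() if len(ips) > 1}
    return report, replayed


def summarize(lines):
    return classify(parse(lines))


if __name__ == "__main__":
    report, replayed = summarize(LOG)
    for ip, r in sorted(report.items()):
        print(ip, f"{r['per_minute']:.1f}/min", "mailable:", r["mailable"],
              "real auth ids:", r["real_auth_id"])
    for seq, ips in replayed.items():
        print("same ordered list replayed from", ips, "->", list(seq))
```

The `real_auth_id` counter is the check that matters under the split the reply describes: if it is ever non-zero, an attacker has learned a login name that is not a mailable address, which is a different incident from the routine address-as-username noise that `mailable` counts.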