For the record, (just back from M3AAWG, what a great event) AUTH attacks from Tor networks ARE a thing.

While it might seem that the number of attacks from Tor Nodes, vs legitimate AUTH requests from people that like using Tor for everything is really one-sided..

(Don't get me wrong, even we block Tor networks occasionally for different reasons)

.. you need to treat this the same as if it was 10,000's of people behind the airport Wifi, or Carrier Grade NAT.

Consider how you would safely block the bad guys, yet let the good guys still use the service. Which brings me to my favorite topic, 2FA for IMAP/SMTP Auth, as many of you know.. (we talk about CLIENTID often enough).

It is a good thought exercise to look at this in the larger picture, rather than being a Tor problem, (albeit there are completely different abuse reporting options at a large CGN network), the problem is still the same, how to address safely separating the good from the bad in a world where IPv4 reputation is no longer viable alone.




On 2020-02-21 10:38 a.m., Alessandro Vesely via mailop wrote:
Hi,

On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:

The Spamtrap / HoneyPot in question not only listens to port 25 but also
listens on port 465 (smtps) and 587 (submission).

If an attacker is doing some dictionary attack on this to check for
valid passwords (every authentication attempt is accepted) or attempts
to relay spam mails (every relay attempt is answered with 200 OK) he
is being blacklisted and an ARF report is sent to the abuse contact of
the submitting IP range.

This is what causes those reports, not emails received on port 25.

But I guess, just silently blacklisting Tor exit nodes and not sending
an ARF report to the ISP could be an option to solve that issue.


If you can detect Tor exit nodes, maybe you can fail authentication when it
comes from those IPs.  That may make sense if the Tor host is able to detect
multiple authentication failures and somehow stop the user.  What do they say?

I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.

Perhaps, they have a real time incident reporting system to catch miscreants.

Cooperation would increase the value of both your honeypots and their nodes.


Best
Ale




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
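One way to act on the point made in this thread (treat a Tor exit like an airport Wi-Fi or CGN egress: throttle the attacker without blocking everyone behind the same address) is to key failed-AUTH counters on the (source IP, account) pair and on the account, and to apply a plain per-IP block only to addresses that are not known shared egress. The following is an added example written for this page; it is not code from the original post, from LinuxMagic, or from the honeypot described above. The Tor exit address, the CGN range, the thresholds, and the log lines are all constructed (documentation ranges and RFC 6598 space), and the log format is hypothetical.

```python
"""
Shared-egress aware AUTH throttling for submission (465/587) and IMAP.

Counters:
  pair_fails[(ip, user)]  -> temp-fail that pair after PAIR_LIMIT failures
  account_fails[user]     -> demand a second factor after ACCOUNT_LIMIT failures
  ip_fails[ip]            -> block the IP after IP_LIMIT failures, but ONLY
                             when the IP is not a known shared egress (Tor
                             exit, CGN), so the other users behind it survive.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed lists: a real deployment would load the current Tor exit list
# and its own CGN/shared-NAT ranges from configuration.
TOR_EXITS = {"203.0.113.7"}
SHARED_NETS = [ip_network("100.64.0.0/10")]  # RFC 6598 shared address space

# Hypothetical thresholds; tune to your own traffic.
PAIR_LIMIT = 5
ACCOUNT_LIMIT = 10
IP_LIMIT = 20

# Hypothetical log format: "<ts> <service> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def is_shared_egress(ip: str) -> bool:
    """True for a Tor exit or an address inside a shared (CGN) range."""
    if ip in TOR_EXITS:
        return True
    addr = ip_address(ip)
    return any(addr in net for net in SHARED_NETS)


class AuthGuard:
    def __init__(self) -> None:
        self.ip_fails = Counter()
        self.pair_fails = Counter()
        self.account_fails = Counter()

    def decide(self, ip: str, user: str) -> str:
        """Action for an incoming AUTH, evaluated before the password check."""
        if self.account_fails[user] >= ACCOUNT_LIMIT:
            return "require_2fa"      # account under attack from many sources
        if self.pair_fails[(ip, user)] >= PAIR_LIMIT:
            return "tempfail_pair"    # this source guessing this account
        if not is_shared_egress(ip) and self.ip_fails[ip] >= IP_LIMIT:
            return "block_ip"         # single-tenant address spraying accounts
        return "allow"

    def record(self, ip: str, user: str, ok: bool) -> None:
        """Update counters after a password check that was actually performed."""
        if ok:
            self.pair_fails[(ip, user)] = 0  # a mistyped password then success
        else:
            self.ip_fails[ip] += 1
            self.pair_fails[(ip, user)] += 1
            self.account_fails[user] += 1


def replay(lines):
    """Feed log lines through the guard; return (ip, user, decision) per line."""
    guard = AuthGuard()
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, user, result = m.group("ip", "user", "result")
        decision = guard.decide(ip, user)
        out.append((ip, user, decision))
        if decision == "allow":  # only a checked password updates counters
            guard.record(ip, user, result == "ok")
    return out


# Constructed sample: a Tor exit guessing 'bob' while 'alice' legitimately
# logs in behind the same exit; a single-tenant host spraying 21 accounts;
# 'dave' attacked from ten addresses before logging in from his own.
SAMPLE_LOG = (
    [f"2020-02-21T10:{i:02d}:00Z submission ip=203.0.113.7 user=bob result=fail" for i in range(6)]
    + ["2020-02-21T10:07:00Z imap ip=203.0.113.7 user=alice result=ok"]
    + [f"2020-02-21T11:00:{i:02d}Z submission ip=192.0.2.50 user=u{i:02d} result=fail" for i in range(21)]
    + [f"2020-02-21T12:00:{i:02d}Z imap ip=192.0.2.{100 + i} user=dave result=fail" for i in range(10)]
    + ["2020-02-21T12:05:00Z imap ip=198.51.100.9 user=dave result=ok"]
)

if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:6} {decision}")
```

The Tor exit is never blocked outright: bob's sixth guess from it is temp-failed on the (IP, account) pair, yet alice's login from the same exit goes through, while the single-tenant scanner at 192.0.2.50 is blocked by IP after twenty failures. dave, whose account was hit from ten different addresses, is asked for a second factor rather than refused, which is where the CLIENTID / 2FA discussion in the thread comes in.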
