Re: [mailop] [EXTERNAL] Re: Opinions? Email Abuse over TOR Network? (spamtraps)

Drat! Didn't see you 😪

Aloha,
Michael.
-- "Your Spam Specimen Has Been Processed,"

From: mailop on behalf of Michael Peddemors via mailop
Sent: Friday, February 21, 2020 10:57:09 AM
To: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)

For the record, (just back from M3AAWG, what a great event) AUTH attacks from Tor networks ARE a thing.

While it might seem that the number of attacks from Tor Nodes, vs legitimate AUTH requests from people that like using Tor for everything is really one sided.. (Don't get me wrong, even we block Tor networks occasionally for different reasons) .. you need to treat this the same as if it was 10,000's of people behind the airport Wifi, or Carrier Grade NAT.

Consider how you would safely block the bad guys, yet let the good guys still use the service. Which brings me to my favorite topic, 2FA for IMAP/SMTP Auth, as many of you know.. (we talk about CLIENTID often enough).

It is a good thought exercise to look at this in the larger picture, rather than being a Tor problem, (albeit there are completely different abuse reporting options at a large CGN network), the problem is still the same, how to address safely separating the good from the bad in a world where IPv4 reputation is no longer viable alone.

On 2020-02-21 10:38 a.m., Alessandro Vesely via mailop wrote:
> Hi,
>
> On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>>
>> The Spamtrap / HoneyPot in question not only listens to port 25 but also
>> listens on port 465 (smtps) and 587 (submission).
>>
>> If an attacker is doing some dictionary attack on this to check for
>> valid passwords (every authentication attempt is accepted) or attempts
>> to relay spam mails (every relay attempt is answered with 200 OK) he
>> is being blacklisted and an ARF report is sent to the abuse contact of
>> the submitting IP range.
>>
>> This is what causes those reports, not emails received on port 25.
>>
>> But I guess, just silently blacklisting Tor exit nodes and not sending
>> an ARF report to the ISP could be an option to solve that issue.
>
>
> If you can detect Tor exit nodes, maybe you can fail authentication when it
> comes from those IPs. That may make sense if the Tor host is able to detect
> multiple authentication failures and somehow stop the user. What do they say?
>
> I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.
>
> Perhaps, they have a real time incident reporting system to catch miscreants.
>
> Cooperation would increase the value of both your honeypots and their nodes.
>
>
> Best
> Ale
>

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)

For the record, (just back from M3AAWG, what a great event) AUTH attacks from Tor networks ARE a thing.

While it might seem that the number of attacks from Tor Nodes, vs legitimate AUTH requests from people that like using Tor for everything is really one sided.. (Don't get me wrong, even we block Tor networks occasionally for different reasons) .. you need to treat this the same as if it was 10,000's of people behind the airport Wifi, or Carrier Grade NAT.

Consider how you would safely block the bad guys, yet let the good guys still use the service. Which brings me to my favorite topic, 2FA for IMAP/SMTP Auth, as many of you know.. (we talk about CLIENTID often enough).

It is a good thought exercise to look at this in the larger picture, rather than being a Tor problem, (albeit there are completely different abuse reporting options at a large CGN network), the problem is still the same, how to address safely separating the good from the bad in a world where IPv4 reputation is no longer viable alone.

On 2020-02-21 10:38 a.m., Alessandro Vesely via mailop wrote:
> Hi,
>
> On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>>
>> The Spamtrap / HoneyPot in question not only listens to port 25 but also
>> listens on port 465 (smtps) and 587 (submission).
>>
>> If an attacker is doing some dictionary attack on this to check for
>> valid passwords (every authentication attempt is accepted) or attempts
>> to relay spam mails (every relay attempt is answered with 200 OK) he
>> is being blacklisted and an ARF report is sent to the abuse contact of
>> the submitting IP range.
>>
>> This is what causes those reports, not emails received on port 25.
>>
>> But I guess, just silently blacklisting Tor exit nodes and not sending
>> an ARF report to the ISP could be an option to solve that issue.
>
>
> If you can detect Tor exit nodes, maybe you can fail authentication when it
> comes from those IPs. That may make sense if the Tor host is able to detect
> multiple authentication failures and somehow stop the user. What do they say?
>
> I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.
>
> Perhaps, they have a real time incident reporting system to catch miscreants.
>
> Cooperation would increase the value of both your honeypots and their nodes.
>
>
> Best
> Ale
>

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)

Hi,

On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>
> The Spamtrap / HoneyPot in question not only listens to port 25 but also
> listens on port 465 (smtps) and 587 (submission).
>
> If an attacker is doing some dictionary attack on this to check for
> valid passwords (every authentication attempt is accepted) or attempts
> to relay spam mails (every relay attempt is answered with 200 OK) he
> is being blacklisted and an ARF report is sent to the abuse contact of
> the submitting IP range.
>
> This is what causes those reports, not emails received on port 25.
>
> But I guess, just silently blacklisting Tor exit nodes and not sending
> an ARF report to the ISP could be an option to solve that issue.

If you can detect Tor exit nodes, maybe you can fail authentication when it comes from those IPs. That may make sense if the Tor host is able to detect multiple authentication failures and somehow stop the user. What do they say?

I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.

Perhaps, they have a real time incident reporting system to catch miscreants.

Cooperation would increase the value of both your honeypots and their nodes.

Best
Ale
--
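A concrete form of the reporting policy this thread circles around (every AUTH or relay attempt on the trap's 465/587 gets blacklisted; an ARF report goes to the source range's abuse contact; Tor exit nodes are blacklisted silently, since the exit operator cannot tie the attempt to a user), as an added Python example that is not code from the list or from any poster. The exit-node set, the captured message and the addresses are constructed placeholders.

```python
import ipaddress
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed sample; a deployment would refresh this on a schedule
# from a published Tor exit-node list.
TOR_EXITS = {ipaddress.ip_address("192.0.2.10")}

# Constructed capture of one relay attempt the trap "accepted".
SAMPLE_CAPTURE = (
    "From: spammer@example.com\r\nTo: victim@example.net\r\n"
    "Subject: test\r\n\r\nunsolicited body\r\n")


def is_tor_exit(ip):
    return ipaddress.ip_address(ip) in TOR_EXITS


def build_arf(source_ip, captured, reporter):
    """RFC 5965 feedback report: multipart/report with
    report-type=feedback-report wrapping the captured message."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["Subject"] = f"Abuse report: unauthorised submission from {source_ip}"
    # Part 1: human-readable description for the abuse desk.
    report.attach(MIMEText(
        f"An AUTH/relay attempt from {source_ip} hit a spamtrap submission "
        "port; the original message is attached.\n"))
    # Part 2: machine-readable feedback-report fields (required three + source).
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload(
        "Feedback-Type: abuse\r\n"
        "User-Agent: spamtrap-arf/0.1\r\n"
        "Version: 1\r\n"
        f"Source-IP: {source_ip}\r\n")
    report.attach(fields)
    # Part 3: the captured message itself, as message/rfc822.
    report.attach(MIMEMessage(message_from_string(captured)))
    return report


def handle_attempt(source_ip, captured, blacklist):
    """Blacklist the source either way; return the ARF message to send
    to the abuse contact, or None to blacklist silently (Tor exit)."""
    blacklist.add(source_ip)
    if is_tor_exit(source_ip):
        return None
    return build_arf(source_ip, captured, "abuse-reports@trap.example")
```

The returned message is handed to whatever submits reports to the abuse contact of the source range; the exit-node branch produces no report at all, which is the "silently blacklist" option from the thread.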
Re: [mailop] Ideas for possible content for FAQ: "Best Practices for running a mail server"

- Have proper FCrDNS records. Just having MX and PTR records doesn't cut it. Add an A record that matches your PTR.

M. Omer GOLGELI

---

February 16, 2020 5:21 PM, "Hans-Martin Mosner via mailop" <mailop@mailop.org> wrote:

Some ideas from running small to medium mail servers for a long time. Many of you will probably have more extensive experience and advice, but this is just a minimal list off the top of my head to get something for a start:

* Don't hide behind anonymity. Mail server domain whois should have an identifiable registrant organization, there should be a point of contact for any technical and abuse problems related to the mail server. If your registry hides registrant data, it might be a good idea to have a web site with the same name that's not just showing a welcome message from an uninitialized CMS or hosting package. Mails sent to the abuse address must be read and acted upon, except for blatant spam of course.
* Naturally, don't send spam, and have all your users understand that sending unsolicited bulk/commercial mail is not acceptable and will lead to termination.
* Have proper DNS setup:
  * MX record for the domain pointing to the mail server.
  * PTR record for the mail server's IP address pointing to the mail server's name.
  * Stable IP address (not 5-minute TTL for dynamic DNS updates, no long-lasting outages)
* Use TLS for both incoming and outgoing traffic whenever offered by the other side.
* Use a separate submission port for authenticated and encrypted mail submissions from your users. Add authentication information in mail headers to make identifying hacked mail accounts possible.
* If possible, restrict the use of foreign From: addresses to trusted users and automatic software. Don't let just anybody send mails from presid...@whitehouse.gov...
* Avoid creating backscatter, i.e. either reject mails in the SMTP dialog or accept them. If you use spam detection software after SMTP acceptance, it should flag messages but still deliver them. There are cases such as autoresponders for vacations and mailing list software which will need to automatically send responses to sender addresses, but these should be monitored closely to detect abuse early.
* (opinionated) Don't use SPF, it's broken by design.

Cheers,
Hans-Martin
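A check for the FCrDNS item above (the IP has a PTR, and the name that PTR gives resolves forward to the same IP, which is why a PTR on its own does not cut it), as an added Python example rather than anything posted to the list. Lookups go through an injected resolver so the constructed sample zone runs offline; the socket-based default is what you would use against live DNS.

```python
import ipaddress
import socket


def system_resolver(qtype, name):
    """Live lookups: PTR via gethostbyaddr, forward A/AAAA via getaddrinfo."""
    try:
        if qtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:  # NXDOMAIN, unknown host and timeouts all land here
        return []


# Constructed sample zone standing in for live DNS.
SAMPLE_ZONE = {
    ("PTR", "192.0.2.25"): ["mail.example.org."],
    ("ADDR", "mail.example.org"): ["192.0.2.25"],    # forward-confirmed
    ("PTR", "192.0.2.26"): ["mail.example.net."],
    ("ADDR", "mail.example.net"): ["198.51.100.7"],  # PTR name points elsewhere
    ("PTR", "192.0.2.27"): [],                       # no PTR at all
}


def sample_resolver(qtype, name):
    return SAMPLE_ZONE.get((qtype, name), [])


def check_fcrdns(ip, resolve=system_resolver):
    """Return (ok, reason): ok only if some PTR name of ip resolves
    forward to a set of addresses that contains ip itself."""
    addr = ipaddress.ip_address(ip)
    ptr_names = resolve("PTR", str(addr))
    if not ptr_names:
        return False, "no PTR record"
    for raw in ptr_names:
        name = raw.rstrip(".").lower()  # normalise the PTR target
        forward = set()
        for a in resolve("ADDR", name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:  # skip unparsable answers (e.g. scoped IPv6)
                continue
        if addr in forward:
            return True, f"{addr} -> {name} -> {addr}"
    return False, f"PTR name(s) {ptr_names} do not resolve back to {addr}"
```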