Ted Lemon <[email protected]> writes:

> Thursday, Dec 3, 2015 9:00 PM Chris Lewis wrote:
>> If you have a list of IPs known to be infected with AUTH-cracking
>> spambots, it's of immediate/valuable use to both the MSAs themselves in
>> detecting malicious injects, as well as the recipient's filtering, and
>> header forgery is not an issue (certainly not to MSAs, and headers that
>> forge collisions with the list you don't want anyway).

> Can you unpack "AUTH-cracking spambots" for the greenhorns? I have no
> idea what this means, and google unfortunately was unable to help.

Standard practice for attackers these days is to automate attacks on any sort of password-protected system, whether that be web pages, authentication providers, or anything else that takes a password. Usually this is done by taking some list of common passwords and some list of account names and just brute-forcing combinations, although some attackers do more sophisticated things.

Obviously, that sort of brute force approach is easy to detect and throttle, so the next step in the arms race was for attackers to use large networks of compromised machines, usually home machines behind DSL and cable modem links, each of which tries a small number of passwords against a variety of targets to stay below the radar. Those machines were generally compromised via malware of some kind and are part of a botnet, without the knowledge of the user of the machine.

This is used against SMTP AUTH just like it is against anything else on the Internet that takes a password. The usual goal is to send out spam using other people's valid credentials to bypass spam filtering, or to send phishing or stock pump and dump schemes, or what have you.

One useful tool in fighting this sort of attack is to be able to collect and share information about currently compromised client IP addresses so that you can detect them as being part of a botnet and use much more aggressive rate limiting on these sorts of attempts, or block any email that they successfully sent after cracking someone's SMTP AUTH password.
-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
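One way to implement the detection the reply describes (throttling IPs from a shared compromised-client list or a single-source brute force, and flagging an account whose successful AUTH follows distributed low-and-slow guessing), as an added example that is not part of the original thread. The log format, the IP addresses, the usernames and the SHARED_BOT_IPS feed are all constructed for illustration, not taken from any real MTA or feed.

```python
import re
from collections import defaultdict

# Constructed, simplified SMTP AUTH log format (not a real MTA's exact syntax).
LINE_RE = re.compile(r"^(\S+) AUTH (OK|FAIL) ip=(\S+) user=(\S+)$")

# Constructed sample: one noisy single-source brute-forcer (203.0.113.5),
# three low-and-slow bots that each try one password against "erin",
# one of which then succeeds, and one ordinary login by "frank".
SAMPLE_LOG = """\
2015-12-03T21:00:01 AUTH FAIL ip=203.0.113.5 user=alice
2015-12-03T21:00:02 AUTH FAIL ip=203.0.113.5 user=alice
2015-12-03T21:00:03 AUTH FAIL ip=203.0.113.5 user=bob
2015-12-03T21:00:04 AUTH FAIL ip=203.0.113.5 user=carol
2015-12-03T21:00:05 AUTH FAIL ip=203.0.113.5 user=dave
2015-12-03T21:05:00 AUTH FAIL ip=198.51.100.7 user=erin
2015-12-03T21:09:00 AUTH FAIL ip=198.51.100.8 user=erin
2015-12-03T21:14:00 AUTH FAIL ip=198.51.100.9 user=erin
2015-12-03T21:20:00 AUTH OK ip=198.51.100.9 user=erin
2015-12-03T21:21:00 AUTH OK ip=192.0.2.10 user=frank
"""

# Constructed stand-in for a shared list of currently compromised client IPs.
SHARED_BOT_IPS = {"198.51.100.8"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, ok, ip, user) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, status, ip, user = m.groups()
            events.append((ts, status == "OK", ip, user))
    return events


def analyze(events, shared_bot_ips, per_ip_limit=5, per_user_ips=3):
    """Return (ips_to_throttle, accounts_whose_success_looks_cracked)."""
    fails_by_ip = defaultdict(int)
    ips_failing_user = defaultdict(set)
    throttle = set(shared_bot_ips)   # shared intel: aggressive rate limit at once
    cracked = set()                  # accounts whose mail should be held/blocked
    for _ts, ok, ip, user in events:
        if not ok:
            fails_by_ip[ip] += 1
            ips_failing_user[user].add(ip)
            if fails_by_ip[ip] >= per_ip_limit:
                throttle.add(ip)     # classic single-source brute force
            continue
        # A success from a listed bot, or on an account just probed from several
        # sources (distributed low-and-slow guessing), is treated as a cracked AUTH.
        if ip in throttle or len(ips_failing_user[user]) >= per_user_ips:
            cracked.add(user)
            throttle.add(ip)
    return throttle, cracked
```

Feeding real logs means only replacing LINE_RE and SAMPLE_LOG; the thresholds are deliberately small so the constructed sample triggers both detection paths.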
