A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it’s quick, painless (for him), and servers and IDS signatures don’t generally offer protection against them.
Could this be why everyone’s locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?
Bob
Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.
Exchange does a horrible job of logging, which is why they are probably being targeted. Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
Could this be why everyone's locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?
Sure drive to the address provided with a cluebat, ask for Alan.
6747 Minnow Pond Drive
West Bloomfield, MI
Despite all the spam coming from China, they've seized Alan's equipment and shot (I can't find coverage on this one in the American or European press) at least two indigenous spammers (I always happily note on spam LARTs to China that I'll pay for the bullet and shipping for the shell casing to my door if invoiced).
Can't speak for others, but the server that was blocked for us by Yahoo! is ACL'd by IP address. It would be very helpful if the Yahoo! folk could post an official explanation as to what happened so we can pass it on to our customers, e.g. a URL somewhere on Yahoo!?
---Mike
Bob German writes on 10/10/2003 8:29 PM:
A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.
Could this be why everyone's locking up their mail servers all of a sudden?
Does anyone know of a way to stop them?
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like this (each pattern and its REJECT text on one line, since a continuation line in a postfix table must start with whitespace):
/^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d/ REJECT Ralsky from cqnet.com.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.[89]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d/ REJECT Ralsky from cta.cq.cn. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
/^Received:.*(\[|\(|\s)218\.10\.57\.\d/ REJECT Ralsky from cncgroup-hl. See: http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
srs (yes, this is a rather expensive set of checks)
Brian Bruns writes on 10/10/2003 8:42 PM:
Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.
Exchange (and MDaemon) seem to be targeted extensively - they have admin:admin and guest:guest type default accounts that, if they aren't locked down, can be used to AUTH and send out mail.
He grabbed a couple of our customers' IMAIL servers, and I'm pretty sure discovered a few weak passwords by brute force.
Bob
Just FYI, I am putting together another paper as we speak on how to secure your mail servers against this type of attack. Should be online by this afternoon at the latest.
Ok, this is where I need to ask for your guys' help as well. If anyone here has experience with postfix or qmail, please let me know if you know ways of securing these mail servers from these kinds of attacks. I'm familiar with sendmail, exim, and exchange.
<snip>
Sendmail rulesets to block Ralsky:
KRalsky1 regex -a@SPAM ^.*(\[|\(|\s)211\.158\.[3456789]
KRalsky2 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[345]
KRalsky3 regex -a@SPAM ^.*(\[|\(|\s)219\.153\.1[45]
KRalsky4 regex -a@SPAM ^.*(\[|\(|\s)218\.10\.57
KRalsky5 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[01]
KRalsky6 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.[89]
KReceivedChecks sequence Ralsky1 Ralsky2 Ralsky3 Ralsky4 Ralsky5 Ralsky6
HReceived: $>check_header_Received
Scheck_header_Received
R$* $: $1 $| $(ReceivedChecks $&{currHeader} $)
R$* $| @SPAM $#error $@ 5.7.1 $: "550 Message rejected; suspected spam signature."
R$* $| $* $: $1
This will not help to block direct SMTP AUTH attacks; but they should block mail from other compromised servers, provided they don't munge the headers.
I've been running these rules for several weeks without incident.
HTH,
Steve
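Both the postfix header_checks posted earlier in the thread and Steve's sendmail K-maps above key on the same six address ranges, and both match the pattern anywhere in a Received: header. Before loading rules like these into a production MTA it is worth seeing exactly what they catch and what they let through. The following is an added example, not code from either poster: it transcribes the postfix PCRE patterns verbatim into Python's re module (the syntax used here is common to both engines), unfolds headers so that a folded Received: line is matched as one logical line, as Postfix does, and runs the checks over constructed sample messages. The sample hostnames and message contents are made up for the demonstration.

```python
import re

# Patterns transcribed from the postfix header_checks posted in the thread; the second
# element is the REJECT text. The sendmail K-maps test the same ranges.
HEADER_CHECKS = [
    (r"^Received:.*(\[|\(|\s)211\.158\.[3456789]\d\.\d", "Ralsky from cqnet.com.cn"),
    (r"^Received:.*(\[|\(|\s)218\.70\.[89]\.\d",         "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)218\.70\.1[01]\.\d",        "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)218\.70\.1[345]\d\.\d",     "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)219\.153\.1[45]\d\.\d",     "Ralsky from cta.cq.cn"),
    (r"^Received:.*(\[|\(|\s)218\.10\.57\.\d",           "Ralsky from cncgroup-hl"),
]
COMPILED = [(re.compile(pattern), reason) for pattern, reason in HEADER_CHECKS]


def check_header(logical_line):
    """Return the reject text for one unfolded header line, or None if it passes.

    Patterns are tried in table order and the first match wins, mirroring how a
    header_checks table is evaluated."""
    for rx, reason in COMPILED:
        if rx.search(logical_line):
            return reason
    return None


def check_message(raw_message):
    """Apply the checks to every header of an RFC 2822 message.

    Headers end at the first blank line; continuation lines (leading whitespace)
    are joined to the previous line so an IP split onto a folded line is still
    seen. Returns ("REJECT", reason, header) or ("OK", None, None)."""
    head = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", head)
    for line in unfolded.split("\n"):
        reason = check_header(line)
        if reason:
            return ("REJECT", reason, line)
    return ("OK", None, None)


# Constructed sample: the second hop is folded onto three physical lines.
SAMPLE_REJECT = (
    "Received: from relay.example.net (relay.example.net [192.0.2.1])\n"
    "\tby mx.example.net with ESMTP id ABC123\n"
    "Received: from unknown (HELO win2k)\n"
    "\t(211.158.45.17)\n"
    "\tby relay.example.net with SMTP\n"
    "From: someone@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Constructed sample that must pass: the private address 10.211.158.30 contains the
# digits 211.158 but not at an address boundary, so the (\[|\(|\s) group rejects it.
SAMPLE_OK = (
    "Received: from mail.example.org (mail.example.org [198.51.100.22])\n"
    "\tby mx.example.net with ESMTP id DEF456\n"
    "Received: from workstation [10.211.158.30] by mail.example.org with SMTP\n"
    "From: someone@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, msg in (("SAMPLE_REJECT", SAMPLE_REJECT), ("SAMPLE_OK", SAMPLE_OK)):
        print(name, check_message(msg))
```

The boundary group (\[|\(|\s) is doing real work: without it the first pattern would also fire on the 10.211.158.30 workstation address in SAMPLE_OK. The other thing the run shows is that any Received: line in the chain triggers the reject, including the one a compromised server adds, which is the behaviour Steve describes for mail relayed through other cracked hosts.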