Weird distributed spam attack

Hi,

#Here is the kicker. I check where these are coming from, they
#are from all over the place. I check for IP address spoofing...
#not happening. No IP options or TCP options.

They go on the RBL - largely due to the existence of AS7777, in a manner similar to the way listings happen on the RSS. If we have spam via an open proxy and it tests open, it gets listed.

I've got some contract coding work (sh, perl, some C) related to this available if any of you folks in the Bay Area have some spare cycles. (We're also hiring full time for some other positions - feel free to ping me).

In addition to thousands of open relays, which are bad enough in
their own right, there are also thousands of open proxy servers
which a growing number of spammers have been using to launch spam
runs lately. I suspect that's what you're seeing.

Almost all SMTP dictionary-crack attacks are done through open proxies,
otherwise it's a "delivery attack" carrying actual spam. Some ISPs
seem to have problems understanding the concept that log evidence
showing 200 unknown users being probed is in-your-face evidence of
illegal trespass and accessing another host/network without authorization.

Indeed, the SMTP-cracking malware that Elcomsoft (Advanced Maillist
Verifier Pro) pumps out, specifically uses "rotating proxies" to
do its illegal work. Talk about a company not worth defending, even if
it's against the DMCA. Dimitry should find himself a more ethical
employer, even if Adobe was wrong on this to begin with.

If you aren't blocking traffic from open proxy servers via a dns
blacklist, I predict that you will definitely see increasingly
aggressive spam attacks coming in from diverse locations (although
the more you look at the problem, the easier it becomes to identify
the handful of carriers who are open proxy-tolerant).

If you don't use at least several DNSBL's, you are already DEAD from
dictionary attacks, I'd say. I have personally observed an attack against
a DS3-connected server from a single source IP, ratcheting through
2400 RCPT TO: checks in just 2-3 seconds. Yes, they are not trying to
hide very well, they are trying to crack through your mail server at
maximum speeds, with 10-25 probes per connection.

There is a demonstration patch for Sendmail to slow down the SMTP dialogue
(at the expense of keeping the process in memory too long, and long after
the attacking host disconnects) at
http://www.spamshield.org/sendmail8.9.0b5-rcpt-patch.txt
Do not use this in production, unless you really know what you are
doing and are tongue-in-cheek with Sendmail and its source: it has
several deficiencies that are obvious to a good observer (and tester)
and that may impede or render it useless to most.
I wonder if Eric ever reconsidered my suggestion (from 4-5 years ago) to
optionally drop processing arguments for a given SMTP dialogue if
the client host disconnects the TCP connection prematurely [while not
in "pipeline" mode, but the latter was not part of the argument].
This is very much Sendmail-specific, so you may ignore this.

[I will also say that it would really be great if mail-abuse.org would
add an open proxy listing project to complement their RSS, DUL, and
other initiatives.]

What we really want is a DNSBL that lists SMTP dictionary-crack attacks
in real-time. The overlap of the mechanics required for running this with
other DNSBL's is obvious: Unfortunately I could only spare some expertise,
but not a whole lot of time or expenses to set something like that up
(and merge it into an existing DNSBL such as Osirusoft's as far as
day-to-day ops is concerned). Without touting my horn, SS2.0 will successfully
defend a given (OS)Sendmail (Un*x) against SMTP dictionary-cracking, distributed
or not, but other significant reasons are holding up its release right now,
in case you were going to ask.

bye,Kai
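The log evidence Kai describes (hundreds of unknown users probed from one source, 10-25 probes per connection) can be pulled out of mail-server logs mechanically. The following is an added example, not code from the thread or from SS2.0; it assumes a Sendmail-style "User unknown" reject-log format (the sample lines are constructed) and uses thresholds (5 rejects inside 10 seconds) far below the 2400-in-3-seconds rate described above.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Sendmail-style log (not from the post): 192.0.2.10 probes six
# addresses in 3 s over two dialogues; 198.51.100.7 has two typo bounces.
SAMPLE_LOG = """\
Mar  1 12:00:01 mx sendmail[4101]: h21K01Aa004101: ruleset=check_rcpt, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.org>... User unknown
Mar  1 12:00:01 mx sendmail[4101]: h21K01Aa004101: ruleset=check_rcpt, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.org>... User unknown
Mar  1 12:00:02 mx sendmail[4101]: h21K01Aa004101: ruleset=check_rcpt, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.org>... User unknown
Mar  1 12:00:02 mx sendmail[4101]: h21K01Aa004101: ruleset=check_rcpt, relay=[192.0.2.10], reject=550 5.1.1 <alan@example.org>... User unknown
Mar  1 12:00:03 mx sendmail[4102]: h21K03Ab004102: ruleset=check_rcpt, relay=[192.0.2.10], reject=550 5.1.1 <alex@example.org>... User unknown
Mar  1 12:00:03 mx sendmail[4102]: h21K03Ab004102: ruleset=check_rcpt, relay=[192.0.2.10], reject=550 5.1.1 <amy@example.org>... User unknown
Mar  1 12:00:05 mx sendmail[4103]: h21K05Ac004103: from=<bob@example.net>, size=2048, relay=mail.example.net [203.0.113.5]
Mar  1 12:04:40 mx sendmail[4150]: h21K4eAd004150: ruleset=check_rcpt, relay=smtp.example.com [198.51.100.7], reject=550 5.1.1 <jon.smtih@example.org>... User unknown
Mar  1 12:09:12 mx sendmail[4188]: h21K9CAe004188: ruleset=check_rcpt, relay=smtp.example.com [198.51.100.7], reject=550 5.1.1 <sales@example.org>... User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r".*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\].*User unknown$"
)

def parse_unknown_user_rejects(log_text, year=2003):
    """Return [(timestamp, source_ip, queue_id)]; syslog omits the year."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["qid"]))
    return out

def find_dictionary_attackers(log_text, threshold=5, window_s=10):
    """Flag IPs with >= threshold unknown-user rejects in any window_s-second
    span. Returns {ip: (peak_in_window, max_rejects_per_connection)}."""
    stamps, per_conn = defaultdict(list), defaultdict(int)
    for ts, ip, qid in parse_unknown_user_rejects(log_text):
        stamps[ip].append(ts)
        per_conn[(ip, qid)] += 1          # one queue id = one SMTP dialogue
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, ts in enumerate(times):  # sliding window over sorted times
            while (ts - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, max(n for (i, _), n in per_conn.items() if i == ip))
    return flagged
```

Legitimate senders produce a trickle of typo bounces spread over minutes, which is why the benign IP in the sample stays unflagged while the prober trips the threshold.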

In addition to thousands of open relays, which are bad enough in
their own right, there are also thousands of open proxy servers
which a growing number of spammers have been using to launch spam
runs lately. I suspect that's what you're seeing.

I agree--that's a strong possibility.

This week, I released a tool to test open proxies.

[I will also say that it would really be great if mail-abuse.org would
add an open proxy listing project to complement their RSS, DUL, and
other initiatives.]

I believe RBL will list open proxies.

Another good resource is the Blitzed Open Proxy Monitor (BOPM)
<http://www.blitzed.org/bopm/>.