[31938] in North American Network Operators' Group


SMTP abuse (Re: The FBI tripping over itself again)

daemon@ATHENA.MIT.EDU (Mike Lewinski)
Tue Oct 31 15:20:16 2000

Message-ID: <018701c04377$95cb1ee0$1cd8a8ce@rockynet.com>
From: "Mike Lewinski" <mike@rockynet.com>
To: <nanog@merit.edu>
Date: Tue, 31 Oct 2000 13:17:25 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


> Networks under my control (and more so some I've been called in
> to assist) are currently under attack by SMTP dictionary-attackers,
> which seem to be reincarnations of the ghosts of GeolistPro.
>  [ scumbags that are trying to deliver spam, and/or are trying to
>    learn every possible email address in a given domain, to the
>    tune of up to 550,000 per attack (there's obviously a lot of
>    usernames@ scraped from existing spam-lists).

It's my belief that some (or all) of this activity is currently instigated
by EarthOnline Software, makers of GeoList Pro.

This URL is the basis for my suspicions:

http://www.earthonline-software.com/targeted-a.html

GeoList's "feature" was that it collected regionally targeted lists of
e-mail addresses. How can one do that? The only two ways I can think of are
dictionary attacks against ISP web servers (GET /~aaaa) or dictionary
attacks against ISP's SMTP servers (RCPT TO: <aaaaa>). The former method
would be much less successful, since not all customers will have their own
web directories, and not all providers will use the /~ syntax either.

Mike

P.S. The SMTP abuse listserv is still here:

http://www.kopower.com/mailman/listinfo/smtpabuse
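
Added example, not part of the original message: a log check a mail operator could run to spot the RCPT TO dictionary probing described above, by counting distinct rejected recipients per client inside a sliding time window. The log line format, the sample lines, the function name and the thresholds are all assumptions constructed for illustration, not any particular MTA's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any particular MTA's):
#   <ISO timestamp> <client IP> RCPT <address> <SMTP reply code>
LINE = re.compile(r"^(\S+) (\S+) RCPT <([^>]*)> (\d{3})$")

def find_harvesters(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: peak number of distinct rejected recipients seen
    inside any one sliding window} for clients at or above the threshold."""
    recent = defaultdict(deque)   # ip -> (time, recipient) of recent 550 replies
    peak = defaultdict(int)       # ip -> highest distinct count observed
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # not a RCPT record
        ts, ip, rcpt, code = m.groups()
        if code != "550":
            continue              # only "no such user" replies indicate guessing
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, rcpt.lower()))
        while q and now - q[0][0] > window:
            q.popleft()           # drop rejections that fell out of the window
        # Count distinct addresses so one repeated typo is not mistaken for a scan.
        peak[ip] = max(peak[ip], len({r for _, r in q}))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample: one client guessing local parts, one client with a typo.
GUESSES = [("aaaa", "550"), ("aaab", "550"), ("aaac", "550"), ("aaron", "250"),
           ("aaad", "550"), ("aaae", "550"), ("aaaf", "550")]
SAMPLE = [f"2000-10-31T13:00:{i:02d} 192.0.2.10 RCPT <{name}@example.net> {code}"
          for i, (name, code) in enumerate(GUESSES)]
SAMPLE += [
    "2000-10-31T13:00:05 198.51.100.7 RCPT <jsmiht@example.net> 550",
    "2000-10-31T13:00:40 198.51.100.7 RCPT <jsmiht@example.net> 550",
    "2000-10-31T13:01:10 198.51.100.7 RCPT <jsmith@example.net> 250",
]

if __name__ == "__main__":
    for ip, count in find_harvesters(SAMPLE).items():
        print(f"{ip}: {count} distinct unknown recipients within one window")
```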



