[63802] in North American Network Operators' Group
Re: New mail blocks result of Ralsky's latest attacks?
daemon@ATHENA.MIT.EDU (Brian Bruns)
Fri Oct 10 11:13:40 2003
From: "Brian Bruns" <bruns@2mbit.com>
To: "Bob German" <bobgerman@irides.com>, <nanog@merit.edu>
Date: Fri, 10 Oct 2003 11:12:31 -0400
Errors-To: owner-nanog-outgoing@merit.edu
Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now. I've known about this for a few weeks now. It's not surprising. Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.

Exchange does a horrible job of logging, which is why they are probably being targeted. Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).
--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
----- Original Message -----
From: Bob German
To: nanog@merit.edu
Sent: Friday, October 10, 2003 10:59 AM
Subject: New mail blocks result of Ralsky's latest attacks?
A colleague informed me this morning that Alan Ralsky is doing widespread brute-force attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.

Could this be why everyone's locking up their mail servers all of a sudden?

Does anyone know of a way to stop them?
Bob
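As an added example (not from the original thread), the kind of check Brian's point about logging makes possible: counting SASL authentication failures per source address in a Postfix-style maillog and flagging sources that exceed a threshold within a time window. The log lines are constructed samples, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample maillog lines in the style Postfix logs SASL failures;
# hostnames, addresses, PIDs and timestamps are made up for this example.
SAMPLE_MAILLOG = """\
Oct 10 10:41:02 mx1 postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 10:41:03 mx1 postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 10:41:05 mx1 postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Oct 10 10:41:09 mx1 postfix/smtpd[2240]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 10:41:11 mx1 postfix/smtpd[2240]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 10:52:40 mx1 postfix/smtpd[2310]: warning: laptop.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct 10 10:52:55 mx1 postfix/smtpd[2310]: connect from laptop.example.net[198.51.100.7]
Oct 10 11:03:17 mx1 postfix/smtpd[2355]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
"""

# Matches the syslog timestamp and the client address of a SASL auth failure.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

def parse_failures(log_text, year=2003):
    """Yield (timestamp, source_ip) for every SASL auth failure line."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_bruteforcers(log_text, threshold=5, window_seconds=300):
    """Return {ip: total_failures} for sources that reach `threshold`
    failures inside any sliding window of `window_seconds` (assumed values)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders
```

A single failed login from a known laptop is left alone; only the source hammering the server within seconds is reported.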