[63809] in North American Network Operators' Group


Re: New mail blocks result of Ralsky's latest attacks?

daemon@ATHENA.MIT.EDU (Brian Bruns)
Fri Oct 10 11:47:34 2003

From: "Brian Bruns" <bruns@2mbit.com>
To: <nanog@merit.edu>
Date: Fri, 10 Oct 2003 11:38:30 -0400
Errors-To: owner-nanog-outgoing@merit.edu


Just FYI, I am putting together another paper as we speak on how
to secure your mail servers against this type of attack.  Should be
online by this afternoon at the latest.

Ok, this is where I need to ask for your guys' help as well.  If anyone
here has experience with postfix or qmail, please let me know if you
know ways of securing these mail servers from these kinds of attacks.
I'm familiar with sendmail, exim, and exchange.



--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
  ----- Original Message -----
  From: Brian Bruns
  To: Bob German ; nanog@merit.edu
  Sent: Friday, October 10, 2003 11:12 AM
  Subject: Re: New mail blocks result of Ralsky's latest attacks?


  Tis one of the reasons why I've disabled SMTP AUTH on all of my
servers for now.  I've known about this for a few weeks now.  It's not
surprising.  Most of the servers cracked are Exchange servers (probably
thanks to weak passwords), but I still don't feel like taking a chance.

  Exchange does a horrible job of logging, which is why they are probably
being targeted.  Most real SMTP servers (sendmail, exim, postfix, qmail)
log failed attempts in the maillog or via PAM (if they use it).

  --------------------------
  Brian Bruns
  The Summit Open Source Development Group
  Open Solutions For A Closed World / Anti-Spam Resources
  http://www.2mbit.com
  ICQ: 8077511
    ----- Original Message -----
    From: Bob German
    To: nanog@merit.edu
    Sent: Friday, October 10, 2003 10:59 AM
    Subject: New mail blocks result of Ralsky's latest attacks?


    A colleague informed me this morning that Alan Ralsky is doing
widespread bruteforce attacks on SMTP AUTH, and they are succeeding,
mainly because it's quick, painless (for him), and servers and IDS
signatures don't generally offer protection against them.

    Could this be why everyone's locking up their mail servers all of a
sudden?

    Does anyone know of a way to stop them?

    Bob
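The thread points out that sendmail, exim, postfix and qmail record failed SMTP AUTH attempts in the maillog, which is what makes the brute-force runs visible to an operator. The script below is an added example, not code from anyone in the thread, showing how a defender would turn those log lines into an alert: it parses Postfix-style "SASL ... authentication failed" warnings (the line format is an assumption about Postfix's logging, and the sample lines, hostnames and addresses are constructed for the example) and flags any client address that accumulates more than a threshold of failures inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample maillog excerpt. The line shape is modelled on the warning
# Postfix smtpd logs on a failed SASL login (an assumption, not taken from the thread);
# the hostnames and addresses are documentation ranges, not real sources.
SAMPLE_MAILLOG = """\
Oct 10 11:01:02 mx1 postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 11:01:03 mx1 postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 11:01:05 mx1 postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct 10 11:01:07 mx1 postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 11:01:09 mx1 postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 11:01:12 mx1 postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 11:01:15 mx1 postfix/smtpd[2003]: connect from mail.example.net[203.0.113.5]
Oct 10 11:01:20 mx1 postfix/smtpd[2001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 10 11:30:44 mx1 postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# Matches the syslog timestamp and the client address of a failed SASL login.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)


def parse_failures(log_text, year=2003):
    """Yield (timestamp, client_ip) for every failed SASL login in the log text.

    Syslog lines carry no year, so the caller supplies it (the thread is from 2003).
    Lines that are not auth failures (e.g. plain 'connect from') are skipped.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: peak failure count} for clients that reached `threshold`
    failures within any `window_seconds`-long sliding window.

    A deque per client keeps only the timestamps still inside the window, so a
    slow trickle of failures spread over hours does not trip the threshold while
    a rapid run does.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the window relative to the newest one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, peak in brute_force_sources(SAMPLE_MAILLOG).items():
        print(f"{ip}: {peak} failed SMTP AUTH attempts within 60s")
```

With the defaults, only 192.0.2.10 is reported (six failures inside a minute); 198.51.100.7 fails twice half an hour apart and stays below threshold. The window and threshold are the knobs to tune against the legitimate mistyped-password rate of a given user base; the flagged output is what an operator would feed into a firewall rule or a per-client connection limit rather than acting on individual log lines.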