[72363] in North American Network Operators' Group


Source of dictionary MTA attacks

daemon@ATHENA.MIT.EDU (Jon R. Kibler)
Thu Jul 8 14:46:45 2004

Date: Thu, 08 Jul 2004 14:47:00 -0400
From: "Jon R. Kibler" <Jon.Kibler@aset.com>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu



Greetings,

In the past 10 hours, we have had over 5,000 dictionary MTA attacks originate from IPs in the 67.234.73.0/24 netblock, which appear to be uu.net (MCI) dial access IPs in the Dallas-Ft. Worth area. We have notified MCI and blocked this netblock at the border. 

Something interesting about this attack... the attacking software generates dictionary addresses in groups ranging from 16 to 29 addresses. We have seen an almost identical number of dictionary probes for each count of dictionary addresses (i.e., X occurrences of 16 addresses/connection, X occurrences of 17...).

Just a heads up... you may want to look out for these patterns.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
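
One way to look for the pattern described in the message above, as an added example that is not part of the original post: count rejected recipients per SMTP connection, group the counts by source /24, and flag netblocks whose per-connection counts are spread almost evenly across several values. The log format, the use of reply code 550 for unknown recipients, the thresholds and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed, simplified log format (an assumption, not any real MTA's):
#   <conn-id> <client-ip> RCPT <address> <smtp-reply-code>
LINE = re.compile(r"^(\S+) (\S+) RCPT (\S+) (\d{3})$")

def rejected_per_connection(lines):
    """Map each source /24 to a list of rejected-RCPT counts, one per connection."""
    per_conn, conn_net = Counter(), {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4) != "550":   # keep only unknown-recipient rejects
            continue
        conn, ip = m.group(1), m.group(2)
        per_conn[conn] += 1
        conn_net[conn] = ipaddress.ip_network(f"{ip}/24", strict=False)
    by_net = defaultdict(list)
    for conn, n in per_conn.items():
        by_net[conn_net[conn]].append(n)
    return by_net

def flag_dictionary_sources(lines, min_rcpts=16, min_conns=20,
                            min_distinct=4, max_spread=0.25):
    """Flag /24s whose heavy connections show a near-flat histogram of batch sizes."""
    flagged = {}
    for net, counts in rejected_per_connection(lines).items():
        heavy = [c for c in counts if c >= min_rcpts]
        hist = Counter(heavy)
        if len(heavy) < min_conns or len(hist) < min_distinct:
            continue
        mean = len(heavy) / len(hist)
        # Largest relative deviation of any bucket from a perfectly flat histogram.
        spread = max(abs(v - mean) / mean for v in hist.values())
        if spread <= max_spread:
            flagged[str(net)] = dict(sorted(hist.items()))
    return flagged

def sample_log():
    # Constructed data: 192.0.2.0/24 makes 3 connections for every batch size
    # 16..29; 198.51.100.7 is an ordinary sender with one mistyped recipient.
    out, conn = [], 0
    for size in range(16, 30):
        for _ in range(3):
            conn += 1
            out += [f"c{conn} 192.0.2.{conn} RCPT w{i}@example.com 550" for i in range(size)]
    out += ["n1 198.51.100.7 RCPT bob@example.com 250", "n1 198.51.100.7 RCPT bbo@example.com 550"]
    return out
```

Calling `flag_dictionary_sources(sample_log())` returns the flagged netblock together with its histogram of batch sizes, which is the figure to compare against the equal occurrence counts reported in the message.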



