Date: Tue, 13 Apr 1999 09:41:51 +1000
From: Rob Secombe <robseco@wizard.teksupport.net.au>
To: freebsd-isp@freebsd.org
Subject: Re: Bad sapm problem
Message-ID: <3.0.5.32.19990413094151.0372cb00@moat-gw.teksupport.net.au>
In-Reply-To: <17768.923956290@noop.colo.erols.net>
References: <Your message of "Tue, 13 Apr 1999 08:13:57 %2B1000." <199904122213.IAA90108@spooky.eis.net.au>
At 18:31 12-04-99 -0400, you wrote:
>Ernie Elu wrote in message ID
><199904122213.IAA90108@spooky.eis.net.au>:
>
>> Somehow they have gotten hold of a complete list of our users' email
>> addresses from 2 FreeBSD servers which don't have shell access,
>> and ftp is restricted to your home directory.
>
>They don't.
>
>It's called a dictionary attack. They get a (LOOONG) list of possible
>usernames (normally culled from a list from many domains) and just
>send mail to all of those users at your domain, whether they exist or
>not. I bet if you check your mail logs, there will be tens of
>thousands of `User unknown' messages.
>
>The other way they can do this is by doing the SMTP negotiation to
>send a message, but not actually sending one. They can look at the
>return code from their dictionary attack and build up a list of valid
>usernames. I haven't seen that particular style of attack, but it's
>possible. I personally don't think that spamware writers know what
>return codes are...
>
>(btw, it's real amusing watching a dictionary spammer try attacking
> your SMTP server when you have it configured to back off accepting
> mail if they have invalid recipients :) )

Hi,

We were subjected to one of these attacks last Friday. The source IP was
spoofed but traced back through Sprint. I placed a temporary block on port
25 for that IP at our border and it all went quiet.

Rob.
traceroute to 206.159.179.214 (206.159.179.214), 30 hops max, 40 byte packets
 1  frontier (203.17.1.254)  2.721 ms  2.418 ms  2.359 ms
 2  202.139.11.129 (202.139.11.129)  150.208 ms  111.390 ms  127.528 ms
 3  s9-1.sb1.optus.net.au (192.65.90.237)  170.215 ms  140.389 ms  132.885 ms
 4  atm91-6.ia1.optus.net.au (202.139.7.182)  155.804 ms  90.526 ms  121.962 ms
 5  h21.la1.optus.net.au (202.139.7.129)  386.978 ms  389.526 ms  452.108 ms
 6  906.Hssi8-0.GW1.LAX2.ALTER.NET (157.130.224.137)  504.959 ms  482.450 ms  522.598 ms
 7  113.ATM3-0.XR2.LAX2.ALTER.NET (146.188.248.70)  516.747 ms  592.830 ms  707.760 ms
 8  194.ATM1-0-0.BR1.LAX1.ALTER.NET (146.188.248.205)  611.024 ms  579.522 ms 113.ATM3-0.XR2.LAX2.ALTER.NET (146.188.248.70)  609.332 ms
 9  sl-bb4-ana-1-0.sprintlink.net (144.232.8.181)  553.170 ms 194.ATM1-0-0.BR1.LAX1.ALTER.NET (146.188.248.205)  552.142 ms sl-bb4-ana-1-0.sprintlink.net (144.232.8.181)  614.616 ms
10  sl-bb21-ana-3-2.sprintlink.net (144.232.1.25)  651.180 ms  670.170 ms sl-bb4-ana-1-0.sprintlink.net (144.232.8.181)  622.736 ms
11  sl-gw12-ana-0-0-0.sprintlink.net (144.232.1.66)  532.764 ms  601.329 ms  517.142 ms
12  sl-gw12-ana-0-0-0.sprintlink.net (144.232.1.66)  585.644 ms sl-smat-5-0-0-15M.sprintlink.net (144.228.207.202)  568.600 ms sl-gw12-ana-0-0-0.sprintlink.net (144.232.1.66)  528.372 ms
13  208.2.168.50 (208.2.168.50)  726.725 ms  663.436 ms  510.540 ms
14  206.159.179.214 (206.159.179.214)  662.208 ms  710.919 ms 208.2.168.50 (208.2.168.50)  624.427 ms

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
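The quoted reply suggests checking the mail logs for a flood of `User unknown' rejections. The script below is an added example (editor's code, not from the thread or from FreeBSD/sendmail) that does that check: it correlates each sendmail "User unknown" line with the relay= field logged for the same queue ID, then reports every relay that produced at least a threshold number of rejections, so a dictionary run from one source stands out from the occasional mistyped address. The log lines are constructed samples in the sendmail 8.9-era syslog layout (queue ID as the sixth whitespace-separated field); that field layout and the placeholder addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Flags dictionary-attack
# sources in a sendmail log by counting "User unknown" rejections per
# sending relay. Sample lines below are constructed; the field positions
# are assumed from the sendmail 8.9-era syslog format.

SAMPLE_LOG='Apr 12 18:31:02 mail sendmail[1201]: SAA01201: from=<bulk@example.org>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=[192.0.2.10]
Apr 12 18:31:02 mail sendmail[1201]: SAA01201: <aaron@example.net>... User unknown
Apr 12 18:31:03 mail sendmail[1202]: SAA01202: from=<bulk@example.org>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=[192.0.2.10]
Apr 12 18:31:03 mail sendmail[1202]: SAA01202: <abbey@example.net>... User unknown
Apr 12 18:31:04 mail sendmail[1203]: SAA01203: from=<bulk@example.org>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=[192.0.2.10]
Apr 12 18:31:04 mail sendmail[1203]: SAA01203: <abel@example.net>... User unknown
Apr 12 18:40:11 mail sendmail[1310]: SAA01310: from=<friend@example.com>, size=812, class=0, pri=30812, nrcpts=1, proto=ESMTP, relay=mx.example.com [198.51.100.5]
Apr 12 18:40:11 mail sendmail[1310]: SAA01310: <bob@example.net>... User unknown
Apr 12 18:41:30 mail sendmail[1311]: SAA01311: from=<friend@example.com>, size=812, class=0, pri=30812, nrcpts=1, proto=ESMTP, relay=mx.example.com [198.51.100.5]
Apr 12 18:41:30 mail sendmail[1311]: SAA01311: to=<rob@example.net>, delay=00:00:00, mailer=local, stat=Sent'

# count_unknown_by_relay THRESHOLD
#   Reads sendmail log lines on stdin and prints "relay count" for every
#   relay whose sessions produced at least THRESHOLD "User unknown"
#   rejections. The from= line and the rejection line share a queue ID,
#   so they are joined on that ID regardless of the order they were logged.
count_unknown_by_relay() {
    awk -v thr="$1" '
        # queue id is the sixth field, logged with a trailing colon
        { qid = $6; sub(/:$/, "", qid) }
        # envelope line: remember which relay this queue id came from
        /from=</ && match($0, /relay=[^,]+/) {
            relay[qid] = substr($0, RSTART + 6, RLENGTH - 6)
        }
        # rejection line for a recipient that does not exist
        /\.\.\. User unknown/ { unknown[qid]++ }
        END {
            for (q in unknown) if (q in relay) rejects[relay[q]] += unknown[q]
            for (r in rejects) if (rejects[r] >= thr) print r, rejects[r]
        }
    ' | LC_ALL=C sort
}

# Stand-alone run: only the relay with three rejections crosses threshold 2.
printf '%s\n' "$SAMPLE_LOG" | count_unknown_by_relay 2
```

Against a live system the pipeline would be fed with `count_unknown_by_relay 50 < /var/log/maillog` (path and threshold are site choices); the relay that comes out on top is the one to rate-limit or block at the border, as Rob describes doing.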