Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Qmail: users

POP3 dictionary attacks -- change of bot strategy

  

 
Qmail users RSS feed   Index | Next | Previous | View Threaded


feh at fehcom

Feb 4, 2012, 4:51 AM

Post #1 of 4 (646 views)
Permalink
POP3 dictionary attacks -- change of bot strategy
Hi everybody,


since roughly December 13th last year I see a significant change in the bots activities:

a) Greetdelay'ing the SMTP sessions -- working great for years -- is almost useless now.

b) In parallel with this change, I observe significant lexical/dictionary attacks against my POP3 service (POP3S not yet):

Yesterday:

2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'uucp'
2012-02-03 21:35:32.417104500 qmail-popup: pid 11081 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'david [at] 21'
2012-02-03 21:35:34.678555500 qmail-popup: pid 11086 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'dave [at] 21'
2012-02-03 21:35:36.939112500 qmail-popup: pid 11091 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'mike [at] 21'
2012-02-03 21:35:39.196582500 qmail-popup: pid 11108 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'tony [at] 21'


Today:

qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:81.169.140.224:h1989281.stratoserver.net ?= 'client'


.... resulting in a few thousand lookups every day.


Thus, within my forthcoming Spamcontrol 2.7 I've included to log the POP3 username within qmail-popup.

Further, I will make a patch available against UCSPI-TCP enabling CIDR notation in the tcprules database.

regards.
--eh.

PS: Anybody who is interested should contact me for a beta version of both.



--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE


amb-sendok-1330969515.ikccblnilpbmefldcdfc at bradfo

Feb 4, 2012, 9:45 AM

Post #2 of 4 (602 views)
Permalink
Re: POP3 dictionary attacks -- change of bot strategy [In reply to]
Thus said Erwin Hoffmann on Sat, 04 Feb 2012 13:51:02 +0100:

> a) Greetdelay'ing the SMTP sessions -- working great for years -- is
> almost useless now.

What makes you think it is worthless now? From my observation, it still
seems relevant:

$ grep 'tcpserver: pid .* from .*' current | wc -l
5520
$ grep -c greetdelay current
1314
$ echo '2k 1314 5520 /p' | dc
.23

23% is not shabby in my opinion. It's possible that the bots hitting
your servers have different behavior?

Andy


feh at fehcom

Feb 4, 2012, 10:26 AM

Post #3 of 4 (613 views)
Permalink
Re: POP3 dictionary attacks -- change of bot strategy [In reply to]
Hi Andy


Am 04.02.2012 um 18:45 schrieb Andy Bradford:

> Thus said Erwin Hoffmann on Sat, 04 Feb 2012 13:51:02 +0100:
>
>> a) Greetdelay'ing the SMTP sessions -- working great for years -- is
>> almost useless now.
>
> What makes you think it is worthless now? From my observation, it still
> seems relevant:
>

Yupp. There seems to be clear dependence on the bots.

If you check my original numbers I evaluated introducing the greetdelay into qmail, these numbers were much higher than.

There was a typo in my first mail: The magic day was not December 13th, but rather December 3rd.

Some bot nets were uncovered during this period (http://nakedsecurity.sophos.com/koobface/).


> $ grep 'tcpserver: pid .* from .*' current | wc -l
> 5520
> $ grep -c greetdelay current
> 1314
> $ echo '2k 1314 5520 /p' | dc
> .23
>
> 23% is not shabby in my opinion. It's possible that the bots hitting
> your servers have different behavior?
>

I need to add, that I use the DNS 'paranoid' verification in sslserver and rejecting session which don't have a PTR and A RR.

But again: These numbers (and the efficiency of any anti-spam policies) depend on the exposure of spam --which varies significantly among countries and sites.

regards.
--eh.


> Andy
>

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE


amb-sendok-1330973673.ddmkpnmicemnekogopnk at bradfo

Feb 4, 2012, 10:54 AM

Post #4 of 4 (602 views)
Permalink
Re: POP3 dictionary attacks -- change of bot strategy [In reply to]
Hello Erwin,

Thus said Erwin Hoffmann on Sat, 04 Feb 2012 19:26:37 +0100:

> I need to add, that I use the DNS 'paranoid' verification in sslserver
> and rejecting session which don't have a PTR and A RR.

I should also add that similar measures are in place on my end which
would skew the greetdelay numbers. A significant number of connections
have already been eliminated from the total through greylisting (and
blacklisting). I'm not sure what percentage of those would be caught by
it.

Also, I don't reject outright, systems with bad DNS, however, they are
penalized. Here is what I have in tcprules:

=:allow,RECORDIO="YES",GREETDELAY="X",DROPPREGREET="1",VALIDATE="YES"
:allow,RECORDIO="YES",GREETDELAY="X*3",DROPPREGREET="1",VALIDATE="YES"

Where X is the base delay that I want to introduce.

Thanks for the response.

Andy

Qmail users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.