[Dshield] Major Increase in Dictionary Attacks Against MTAs

Jon R. Kibler Jon.Kibler at aset.com
Mon Dec 29 17:17:25 GMT 2003


Greetings:

Over the past 2 weeks we have observed a major increase in dictionary attacks against our MTAs. Historically, we see an average of a dictionary attack a day, usually occurring in a burst of 3 or 4 in a single day, followed by 3 or 4 days with no such attacks. Recently, we have been observing 2 to 4 attacks in an hour (all within a couple of minutes of each other), then a few hours with no attacks -- averaging about an attack every 2 hours or so.

These new attacks have an identical attack pattern, so we are convinced that they most likely originate from a single source, or (somewhat unlikely) are the result of new, widely distributed spamware that has some rather interesting characteristics to its attack pattern. We do not want to reveal too much about what we know, but a few curious things about the pattern include:
	- all occur from hijacked systems (choice of ISPs seems very limited)
	- attacks against a single domain appear to be coordinated across multiple systems 
	- naming patterns (~= choice of names) across different domains appear identical
	- RFC 2142 names have never been observed (usually, these are the first hit)

We are in the process of trying to collect more information about these attacks and are trying to trace their ultimate source. However, we are hoping that members of this list may be able to contribute to our knowledge base, so we have some specific questions:

1) Has anyone else observed an increase in dictionary attacks against their MTAs?
2) Has anyone captured any spam that has been delivered to an attacked name?
3) Has anyone had a system compromised by spamware that appears to be specially written for performing dictionary attacks? (Note: We are collecting spamware -- all samples appreciated, but PLEASE do not post such samples to the group!)
4) Does anyone have any sendmail (or similar) logs showing such attacks they would be willing to share? (PLEASE do not post such logs to the group!)

Anything else anyone has that may be a useful contribution would be GREATLY appreciated!

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list