[Dshield] Major Increase in Dictionary Attacks Against MTAs
rick at jaray.net
Tue Dec 30 08:43:37 GMT 2003
You might try Len's "IMGate" email list http://imgate.meiway.com/; they are
strong in this arena.
> -----Original Message-----
> From: list-bounces at dshield.org
> [mailto:list-bounces at dshield.org] On Behalf Of Jon R. Kibler
> Sent: Monday, December 29, 2003 11:17 AM
> To: list at dshield.org
> Subject: [Dshield] Major Increase in Dictionary Attacks Against MTAs
> Over the past 2 weeks we have observed a major increase in
> dictionary attacks against our MTAs. Historically, we see an
> average of a dictionary attack a day, usually occurring in a
> burst of 3 or 4 in a single day, followed by 3 or 4 days with
> no such attacks. Recently, we have been observing 2 to 4
> attacks in an hour (all within a couple of minutes of each
> other), then a few hours with no attacks -- averaging about
> an attack every 2 hours or so.
> These new attacks have an identical attack pattern, so we are
> convinced that they most likely originate from a single
> source, or (somewhat unlikely) are the result of new, widely
> distributed spamware that has some rather interesting
> characteristics to its attack pattern. We do not want to
> reveal too much about what we know, but a few curious things
> about the pattern include:
> - all occur from hijacked systems (choice of ISPs seems
> very limited)
> - attacks against a single domain appear to be
> coordinated across multiple systems
> - naming patterns (~= choice of names) across different
> domains appear identical
> - RFC 2142 names have never been observed (usually,
> these are the first hit)
> We are in the process of trying to collect more information
> about these attacks and are trying to trace their ultimate
> source. However, we are hoping that members of this list may
> be able to contribute to our knowledge base, so we have some
> specific questions:
> 1) Has anyone else observed an increase in dictionary attacks
> against their MTAs?
> 2) Has anyone captured any spam that has been delivered to an
> attacked name?
> 3) Has anyone had a system compromised by spamware that
> appears to be specially written for performing dictionary
> attacks? (Note: We are collecting spamware -- all samples
> appreciated, but PLEASE do not post such samples to the group!)
> 4) Does anyone have any sendmail (or similar) logs showing
> such attacks they would be willing to share? (PLEASE do not
> post such logs to the group!)
> Anything else anyone has that may be a useful contribution
> would be GREATLY appreciated!
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC USA
> (843) 849-8214
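As an added example that is not part of the thread: a small Python script that runs over constructed sendmail-style "User unknown" rejection lines and flags the burst pattern Jon describes (many unknown-recipient rejections from one relay within seconds), also reporting whether any RFC 2142 names were among the probed addresses. The log format, addresses and names are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sendmail-style rejection lines (not from the thread);
# syslog timestamps carry no year, so 2003 is assumed when parsing.
SAMPLE_LOG = """\
Dec 29 10:01:02 mx1 sendmail[1201]: ruleset=check_rcpt, arg1=<alan@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <alan@example.org>... User unknown
Dec 29 10:01:03 mx1 sendmail[1202]: ruleset=check_rcpt, arg1=<alice@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <alice@example.org>... User unknown
Dec 29 10:01:03 mx1 sendmail[1203]: ruleset=check_rcpt, arg1=<amanda@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <amanda@example.org>... User unknown
Dec 29 10:01:04 mx1 sendmail[1204]: ruleset=check_rcpt, arg1=<andrew@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <andrew@example.org>... User unknown
Dec 29 10:01:05 mx1 sendmail[1205]: ruleset=check_rcpt, arg1=<anna@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <anna@example.org>... User unknown
Dec 29 10:40:00 mx1 sendmail[1300]: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[203.0.113.9], reject=550 5.1.1 <bob@example.org>... User unknown
"""

# Mailbox names from RFC 2142; the thread notes these are normally hit first.
RFC2142_NAMES = {"postmaster", "abuse", "hostmaster", "webmaster", "noc", "security", "info", "sales", "support"}
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?relay=[^,]*?\[?(\d+\.\d+\.\d+\.\d+)\]?, reject=550 5\.1\.1 <([^>]+)>")

def parse_rejections(log_text, year=2003):
    """Return (timestamp, relay_ip, recipient) for each unknown-user rejection."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3).lower()))
    return events

def find_dictionary_bursts(events, window_seconds=60, threshold=5):
    """Flag relays producing >= threshold unknown-recipient rejections within
    window_seconds: the rapid, alphabetical probing typical of a dictionary attack."""
    by_relay = defaultdict(list)
    for ts, relay, rcpt in events:
        by_relay[relay].append((ts, rcpt))
    findings = {}
    for relay, items in by_relay.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            burst = [r for ts, r in items[i:] if (ts - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                localparts = sorted({r.split("@")[0] for r in burst})
                findings[relay] = {"count": len(burst), "localparts": localparts,
                                   "rfc2142_probed": bool(set(localparts) & RFC2142_NAMES)}
                break
    return findings
```

Tune window_seconds and threshold to the site's normal rate of bounced recipients; a single relay hitting dozens of non-existent names within seconds, none of them RFC 2142 mailboxes, is the signature the thread describes.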