[Dshield] Major Increase in Dictionary Attacks Against MTAs

Rick Klinge rick at jaray.net
Tue Dec 30 08:43:37 GMT 2003


You might try Len's "IMGate" email list (http://imgate.meiway.com/); they are
strong in this arena.


> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of Jon R. Kibler
> Sent: Monday, December 29, 2003 11:17 AM
> To: list at dshield.org
> Subject: [Dshield] Major Increase in Dictionary Attacks Against MTAs
> Greetings:
> Over the past 2 weeks we have observed a major increase in 
> dictionary attacks against our MTAs. Historically, we see an 
> average of a dictionary attack a day, usually occurring in a 
> burst of 3 or 4 in a single day, followed by 3 or 4 days with 
> no such attacks. Recently, we have been observing 2 to 4 
> attacks in an hour (all within a couple of minutes of each 
> other), then a few hours with no attacks -- averaging about 
> an attack every 2 hours or so.
> These new attacks have an identical attack pattern, so we are 
> convinced that they most likely originate from a single 
> source, or (somewhat unlikely) are the result of new, widely 
> distributed spamware that has some rather interesting 
> characteristics to its attack pattern. We do not want to 
> reveal too much about what we know, but a few curious things 
> about the pattern include:
> 	- all occur from hijacked systems (choice of ISPs seems 
> very limited)
> 	- attacks against a single domain appear to be 
> coordinated across multiple systems 
> 	- naming patterns (~= choice of names) across different 
> domains appear identical
> 	- RFC 2142 names have never been observed (usually, 
> these are the first hit)
> We are in the process of trying to collect more information 
> about these attacks and are trying to trace their ultimate 
> source. However, we are hoping that members of this list may 
> be able to contribute to our knowledge base, so we have some 
> specific questions:
> 1) Has anyone else observed an increase in dictionary attacks 
> against their MTAs?
> 2) Has anyone captured any spam that has been delivered to an 
> attacked name?
> 3) Has anyone had a system compromised by spamware that 
> appears to be specially written for performing dictionary 
> attacks? (Note: We are collecting spamware -- all samples 
> appreciated, but PLEASE do not post such samples to the group!)
> 4) Does anyone have any sendmail (or similar) logs showing 
> such attacks they would be willing to share? (PLEASE do not 
> post such logs to the group!)
> Anything else anyone has that may be a useful contribution 
> would be GREATLY appreciated!
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
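A defender-side detector for the pattern Jon describes, added here as an example that is not from the original post or any of the posters. It assumes an approximate layout for sendmail's check_rcpt "User unknown" rejection lines and runs over constructed sample lines: it flags source IPs that collect a burst of unknown-recipient rejects in a short window, records whether any RFC 2142 role mailbox was probed, and reports domains hit from more than one flagged source (the "coordinated across multiple systems" trait).

```python
import re
from collections import defaultdict
from datetime import datetime
# RFC 2142 role mailboxes; the report says the new probes never touch them
RFC2142_NAMES = {"postmaster", "abuse", "hostmaster", "webmaster", "info", "sales", "support"}
# Assumed shape of a sendmail check_rcpt "User unknown" rejection line
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: ruleset=check_rcpt, "
    r"arg1=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>, relay=\S* ?\[(?P<ip>[\d.]+)\], "
    r"reject=550 5\.1\.1 .*User unknown")

def parse_rejects(lines, year=2003):
    """Yield (timestamp, source_ip, local_part, domain) for each unknown-user reject."""
    for m in filter(None, map(REJECT_RE.match, lines)):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["local"].lower(), m["domain"].lower()

def find_dictionary_attacks(lines, min_rejects=5, window_secs=120):
    """Flag source IPs with >= min_rejects unknown-user rejects inside window_secs."""
    per_ip = defaultdict(list)
    for ts, ip, local, domain in parse_rejects(lines):
        per_ip[ip].append((ts, local, domain))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 >= min_rejects:
                flagged[ip] = {"rejects": len(events), "names": [e[1] for e in events],
                               "domains": {e[2] for e in events},
                               "probed_rfc2142": any(e[1] in RFC2142_NAMES for e in events)}
                break
    return flagged

def coordinated_domains(flagged):
    """Domains probed from more than one flagged source: the coordinated pattern."""
    sources = defaultdict(set)
    for ip, info in flagged.items():
        for d in info["domains"]:
            sources[d].add(ip)
    return {d: ips for d, ips in sources.items() if len(ips) > 1}

# Constructed sample log lines (not from the original post); two hosts probe example.com
_FMT = ("Dec 29 11:{m:02d}:{s:02d} mx1 sendmail[4{n:03d}]: q{n:04d}: ruleset=check_rcpt, "
        "arg1=<{u}@{d}>, relay=[{ip}], reject=550 5.1.1 <{u}@{d}>... User unknown")
def _burst(minute, step, n0, ip, users, dom="example.com"):
    return [_FMT.format(m=minute, s=step * i, n=n0 + i, u=u, d=dom, ip=ip) for i, u in enumerate(users)]
SAMPLE_LOG = (_burst(2, 10, 0, "192.0.2.10", ["alice", "bob", "carol", "dave", "ed", "frank"])
              + _burst(3, 5, 10, "192.0.2.20", ["alice", "bob", "carol", "dave", "ed"])
              + _burst(9, 0, 30, "198.51.100.7", ["postmaster"], "example.net"))
```

Tune `min_rejects` and `window_secs` to your own baseline; a single typo'd recipient or a lone probe of postmaster (the third host above) is not flagged.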
