[Dshield] Major Increase in Dictionary Attacks Against MTAs

JD lists at webcrunchers.com
Wed Dec 31 02:02:18 GMT 2003

On Dec 30, 2003, at 12:43 AM, Rick Klinge wrote:

>> Over the past 2 weeks we have observed a major increase in
>> dictionary attacks against our MTAs. Historically, we see an
>> average of a dictionary attack a day, usually occurring in a
>> burst of 3 or 4 in a single day, followed by 3 or 4 days with
>> no such attacks. Recently, we have been observing 2 to 4
>> attacks in an hour (all within a couple of minutes of each
>> other), then a few hours with no attacks -- averaging about
>> an attack every 2 hours or so.
>> These new attacks have an identical attack pattern, so we are
>> convinced that they most likely originate from a single
>> source, or (somewhat unlikely) are the result of new, widely
>> distributed spamware that has some rather interesting
>> characteristics to its attack pattern. We do not want to
>> reveal too much about what we know, but a few curious things
>> about the pattern include:
>> 	- all occur from hijacked systems (choice of ISPs seems
>> very limited)
>> 	- attacks against a single domain appear to be
>> coordinated across multiple systems
>> 	- naming patterns (~= choice of names) across different
>> domains appear identical
>> 	- RFC 2142 names have never been observed (usually,
>> these are the first hit)

I assume you are recording the IP addresses these are coming from?
How many different IP addresses are they coming from?

I used to be getting a shitload of them,  but ever since we put
our MTA behind a Crunchbox,   all of them are now blocked.
And WOW!   the performance has improved significantly.
IPS Systems RULE....

So,  every time A dict attach happens,  it's blocked.

>> 1) Has anyone else observed an increase in dictionary attacks
>> against their MTAs?

I used to,  but not anymore (grin)

>> 2) Has anyone captured any spam that has been delivered to an
>> attacked name?
>> 3) Has anyone had a system compromised by spamware that
>> appears to be specially written for performing dictionary
>> attacks? (Note: We are collecting spamware -- all samples
>> appreciated, but PLEASE do not post such samples to the group!)

Hmmm!   I might want to develop some new Snort rules for them.
If you manage to come up with "Signatures" or byte patters that
uniquely identify the presence of one of these spammer tools,
please let me know.   I'll make a snort rule for it,  and post it to the
list if anyone else is interested in detecting it's use.

>> 4) Does anyone have any sendmail (or similar) logs showing
>> such attacks they would be willing to share? (PLEASE do not
>> post such logs to the group!)

I might have some old ones kicking around...


More information about the list mailing list