[Dshield] Major Increase in Dictionary Attacks Against MTAs

Tony Nichols tony at mail.applog.com
Wed Dec 31 14:22:27 GMT 2003

I have sendmail also .... Never use to see these but now I've seen 3 in the
last few weeks.
I've used the throttle setting to stop the larger ones ... The offending ip
address is recorded; but when I notify the owner I get a failed to deliver
message. So I've been adding their ip block to my shorewall blacklist.
If you'd like I can try and dig up the logs..... But I think I just kept the
LogWatch part - it has the attempted names and the ip address that initiated

Just drop me a line off list.

A.G. (Tony) Nichols
I.S. Manager
Appalachian Log Structures Inc.
tony at mail.applog.com 
888-999-2574 x124

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Sent: Tuesday, December 30, 2003 9:02 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Major Increase in Dictionary Attacks Against MTAs

On Dec 30, 2003, at 12:43 AM, Rick Klinge wrote:

>> Over the past 2 weeks we have observed a major increase in dictionary 
>> attacks against our MTAs. Historically, we see an average of a 
>> dictionary attack a day, usually occurring in a burst of 3 or 4 in a 
>> single day, followed by 3 or 4 days with no such attacks. Recently, 
>> we have been observing 2 to 4 attacks in an hour (all within a couple 
>> of minutes of each other), then a few hours with no attacks -- 
>> averaging about an attack every 2 hours or so.
>> These new attacks have an identical attack pattern, so we are 
>> convinced that they most likely originate from a single source, or 
>> (somewhat unlikely) are the result of new, widely distributed 
>> spamware that has some rather interesting characteristics to its 
>> attack pattern. We do not want to reveal too much about what we know, 
>> but a few curious things about the pattern include:
>> 	- all occur from hijacked systems (choice of ISPs seems
>> very limited)
>> 	- attacks against a single domain appear to be
>> coordinated across multiple systems
>> 	- naming patterns (~= choice of names) across different
>> domains appear identical
>> 	- RFC 2142 names have never been observed (usually,
>> these are the first hit)

I assume you are recording the IP addresses these are coming from? How many
different IP addresses are they coming from?

I used to be getting a shitload of them,  but ever since we put
our MTA behind a Crunchbox,   all of them are now blocked.
And WOW!   the performance has improved significantly.
IPS Systems RULE....

So,  every time A dict attach happens,  it's blocked.

>> 1) Has anyone else observed an increase in dictionary attacks against 
>> their MTAs?

I used to,  but not anymore (grin)

>> 2) Has anyone captured any spam that has been delivered to an 
>> attacked name?
>> 3) Has anyone had a system compromised by spamware that appears to be 
>> specially written for performing dictionary attacks? (Note: We are 
>> collecting spamware -- all samples appreciated, but PLEASE do not 
>> post such samples to the group!)

Hmmm!   I might want to develop some new Snort rules for them.
If you manage to come up with "Signatures" or byte patters that uniquely
identify the presence of one of these spammer tools,
please let me know.   I'll make a snort rule for it,  and post it to the
list if anyone else is interested in detecting it's use.

>> 4) Does anyone have any sendmail (or similar) logs showing such 
>> attacks they would be willing to share? (PLEASE do not post such logs 
>> to the group!)

I might have some old ones kicking around...


list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list