Mailing List Archive

POP3 dictionary attacks -- change of bot strategy
Hi everybody,


Since roughly December 13th last year I have seen a significant change in the bots' activities:

a) Greetdelay'ing the SMTP sessions -- working great for years -- is almost useless now.

b) In parallel with this change, I observe significant lexical/dictionary attacks against my POP3 service (POP3S not yet):

Yesterday:

2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'uucp'
2012-02-03 21:35:32.417104500 qmail-popup: pid 11081 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'david@217'
2012-02-03 21:35:34.678555500 qmail-popup: pid 11086 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'dave@217'
2012-02-03 21:35:36.939112500 qmail-popup: pid 11091 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'mike@217'
2012-02-03 21:35:39.196582500 qmail-popup: pid 11108 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'tony@217'


Today:

qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:81.169.140.224:h1989281.stratoserver.net ?= 'client'


.... resulting in a few thousand lookups every day.


Thus, within my forthcoming Spamcontrol 2.7 I've included logging of the POP3 username within qmail-popup.

Further, I will make a patch available against UCSPI-TCP enabling CIDR notation in the tcprules database.

regards.
--eh.

PS: Anybody who is interested should contact me for a beta version of both.



--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
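The lines above are what a dictionary attack looks like once qmail-popup logs the attempted username: one source walking a wordlist in alphabetical order (utility, utpal, uucp), another trying a fixed list of first names against one domain suffix (david@217, dave@217, ...). The following is an added example, not code from the post or from Spamcontrol: it parses Reject::AUTH::User lines in exactly the format quoted above (timestamp optional, since the "today" line was pasted without one), groups them by source address, flags sources that show either signature, and emits per-address deny lines in stock ucspi-tcp tcprules syntax (the CIDR form mentioned in the post needs the author's patch). The log lines from the post are used as sample input together with one constructed line from 192.0.2.10 that should not be flagged; the thresholds and heuristics are the editor's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the Reject::AUTH::User lines quoted in the post.  The timestamp
# prefix is optional because one quoted line lacks it.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ )?"
    r"qmail-popup: pid \d+ Reject::AUTH::User: "
    r"P:(?P<proto>\S+) S:(?P<ip>[0-9.]+):(?P<host>\S+) \?= '(?P<user>[^']*)'$"
)

# Sample input: the lines from the post plus one constructed line
# (192.0.2.10, a single failed login that must not be flagged).
SAMPLE_LOG = """\
2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'uucp'
2012-02-03 21:35:32.417104500 qmail-popup: pid 11081 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'david@217'
2012-02-03 21:35:34.678555500 qmail-popup: pid 11086 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'dave@217'
2012-02-03 21:35:36.939112500 qmail-popup: pid 11091 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'mike@217'
2012-02-03 21:35:39.196582500 qmail-popup: pid 11108 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'tony@217'
qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:81.169.140.224:h1989281.stratoserver.net ?= 'client'
2012-02-03 22:01:10.000000000 qmail-popup: pid 12000 Reject::AUTH::User: P:POP3U S:192.0.2.10:unknown ?= 'alice'
"""


def parse(lines):
    """Yield one dict per rejected-login line; non-matching lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S") if d["ts"] else None
        yield d


def summarize(events):
    """Group rejections per source address, keeping username order."""
    per_ip = defaultdict(lambda: {"users": [], "hosts": set(), "first": None, "last": None})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].append(e["user"])
        s["hosts"].add(e["host"])
        if e["ts"] is not None:
            s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
            s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return per_ip


def looks_like_dictionary(users, min_distinct=3):
    """Heuristic (editor's assumption): a source is walking a wordlist when it
    tries >= min_distinct distinct names that arrive in sorted order, or that
    all share one '@suffix'."""
    distinct = list(dict.fromkeys(users))  # de-duplicate, preserve order
    if len(distinct) < min_distinct:
        return False
    sorted_walk = distinct == sorted(distinct)
    suffixes = {u.rsplit("@", 1)[1] for u in distinct if "@" in u}
    shared_suffix = len(suffixes) == 1 and all("@" in u for u in distinct)
    return sorted_walk or shared_suffix


def attackers(log_text, min_distinct=3):
    """Return {ip: summary} for every source that matches the heuristic."""
    summary = summarize(parse(log_text.splitlines()))
    return {ip: s for ip, s in summary.items() if looks_like_dictionary(s["users"], min_distinct)}


def tcprules_deny(ips):
    """Per-address deny lines in the syntax stock tcprules accepts."""
    return "\n".join(f"{ip}:deny" for ip in sorted(ips))


if __name__ == "__main__":
    hits = attackers(SAMPLE_LOG)
    for ip, s in hits.items():
        print(ip, sorted(s["hosts"]), s["users"], s["first"], s["last"])
    print(tcprules_deny(hits))
```

The sorted-order check is what makes the first source stand out even though it only managed three guesses before the sample ends; the single 'client' attempt from the strato host and the constructed 'alice' line stay below threshold, which is the point of requiring several distinct names rather than reacting to every failed login.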
Re: POP3 dictionary attacks -- change of bot strategy
Thus said Erwin Hoffmann on Sat, 04 Feb 2012 13:51:02 +0100:

> a) Greetdelay'ing the SMTP sessions -- working great for years -- is
> almost useless now.

What makes you think it is worthless now? From my observation, it still
seems relevant:

$ grep 'tcpserver: pid .* from .*' current | wc -l
5520
$ grep -c greetdelay current
1314
$ echo '2k 1314 5520 /p' | dc
.23

23% is not shabby in my opinion. It's possible that the bots hitting
your servers have different behavior?

Andy
Re: POP3 dictionary attacks -- change of bot strategy
Hi Andy


Am 04.02.2012 um 18:45 schrieb Andy Bradford:

> Thus said Erwin Hoffmann on Sat, 04 Feb 2012 13:51:02 +0100:
>
>> a) Greetdelay'ing the SMTP sessions -- working great for years -- is
>> almost useless now.
>
> What makes you think it is worthless now? From my observation, it still
> seems relevant:
>

Yupp. There seems to be clear dependence on the bots.

If you check the original numbers I evaluated when introducing the greetdelay into qmail, these numbers were much higher then.

There was a typo in my first mail: The magic day was not December 13th, but rather December 3rd.

Some bot nets were uncovered during this period (http://nakedsecurity.sophos.com/koobface/).


> $ grep 'tcpserver: pid .* from .*' current | wc -l
> 5520
> $ grep -c greetdelay current
> 1314
> $ echo '2k 1314 5520 /p' | dc
> .23
>
> 23% is not shabby in my opinion. It's possible that the bots hitting
> your servers have different behavior?
>

I need to add that I use the DNS 'paranoid' verification in sslserver and reject sessions which don't have a PTR and A RR.

But again: these numbers (and the efficiency of any anti-spam policies) depend on the exposure to spam, which varies significantly among countries and sites.

regards.
--eh.


> Andy
>

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
Re: POP3 dictionary attacks -- change of bot strategy
Hello Erwin,

Thus said Erwin Hoffmann on Sat, 04 Feb 2012 19:26:37 +0100:

> I need to add, that I use the DNS 'paranoid' verification in sslserver
> and rejecting session which don't have a PTR and A RR.

I should also add that similar measures are in place on my end which
would skew the greetdelay numbers. A significant number of connections
have already been eliminated from the total through greylisting (and
blacklisting). I'm not sure what percentage of those would be caught by
it.

Also, I don't reject outright systems with bad DNS; however, they are
penalized. Here is what I have in tcprules:

=:allow,RECORDIO="YES",GREETDELAY="X",DROPPREGREET="1",VALIDATE="YES"
:allow,RECORDIO="YES",GREETDELAY="X*3",DROPPREGREET="1",VALIDATE="YES"

Where X is the base delay that I want to introduce.

Thanks for the response.

Andy
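The two tcprules lines above encode two mechanisms from the thread: the server holds back the SMTP 220 banner (GREETDELAY) and drops any client that starts talking before it arrives (DROPPREGREET), and hosts whose reverse name the paranoid DNS check can confirm get the base delay while nameless hosts get three times as much. The following is an added example by the editor, not code from the posts, from ucspi-tcp or from Spamcontrol. It simulates both ends on a loopback socket: a server that greets only after the delay and drops pre-greeting clients, a spambot-style client that sends EHLO immediately, and a well-behaved client that waits for the banner. The DNS tables, the host names and the addresses (RFC 5737 documentation ranges) are constructed; the delay selection mirrors the `=:` versus default rule above under the assumption that `=:` matches any connection with a verified reverse name.

```python
import select
import socket
import threading

BASE_DELAY = 0.3  # the "X" of the tcprules above, kept short so the demo is quick
BANNER = b"220 mx.example.invalid ESMTP\r\n"  # hypothetical host name

# Constructed stand-in for DNS.  A reverse name only counts when its A record
# points back at the connecting address (forward-confirmed reverse DNS, which
# is what tcpserver/sslserver's paranoid mode checks).
PTR = {"192.0.2.10": "mx.client.invalid", "198.51.100.7": "spoofed.invalid"}
A = {"mx.client.invalid": "192.0.2.10", "spoofed.invalid": "203.0.113.9"}


def verified_name(ip):
    name = PTR.get(ip)
    return name if name and A.get(name) == ip else None


def greetdelay_for(ip, base=BASE_DELAY):
    """'=:' rule (hosts with a verified name) gets base; the default rule gets base*3."""
    return base if verified_name(ip) else base * 3


def handle(conn, delay):
    """Server side: hold the 220 banner for `delay` seconds; a peer that
    sends anything first is dropped, like DROPPREGREET="1"."""
    with conn:
        readable, _, _ = select.select([conn], [], [], delay)
        if readable:
            conn.recv(1024)  # drain so the close is a clean FIN, not an RST
            return "pregreet"
        conn.sendall(BANNER)
        conn.settimeout(5)
        if not conn.recv(1024).upper().startswith((b"EHLO", b"HELO")):
            return "protocol"
        conn.sendall(b"250 mx.example.invalid\r\n")
        return "greeted"


def impatient_client(port):
    """Spambot behaviour: speak before the banner arrives."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"EHLO bot.invalid\r\n")
        try:
            return "dropped" if s.recv(1024) == b"" else "accepted"
        except ConnectionResetError:
            return "dropped"


def patient_client(port):
    """RFC 5321 behaviour: wait for the 220 banner, then EHLO."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        if not s.recv(1024).startswith(b"220"):
            return "dropped"
        s.sendall(b"EHLO mx.client.invalid\r\n")
        return "accepted" if s.recv(1024).startswith(b"250") else "rejected"


def run_demo(delay=BASE_DELAY):
    """Serve two connections on a loopback port and report both views.
    In production `delay` would come from greetdelay_for(TCPREMOTEIP); on
    loopback every client is 127.0.0.1, so the demo passes it in directly."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    server_view = []

    def serve():
        for _ in range(2):
            conn, _ = listener.accept()
            server_view.append(handle(conn, delay))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    client_view = {"bot": impatient_client(port), "mta": patient_client(port)}
    t.join(10)
    listener.close()
    return client_view, server_view


if __name__ == "__main__":
    print(run_demo())
```

The server never answers the impatient client at all, which is why the measure costs legitimate senders nothing but a few seconds: a real MTA is required to wait for the banner, so only software that skips that step is affected. Tripling the delay for hosts without a confirmable reverse name, as the second tcprules line does, raises the cost for the address ranges most bots connect from without turning bad DNS into an outright rejection.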