Posted to users@spamassassin.apache.org by Pierre Thomson <Pi...@bruderhof.com> on 2004/10/26 17:18:06 UTC

slightly OT: sudden rise in Rumplestiltskin attacks?

One of our relays got 8500 name-guessing spams yesterday, up from an average of 2500 per day last week.  So far today we have seen 6600, and the day isn't half over.  If our MTA weren't checking recipients against our userlist, SA would be struggling to process these sudden "blasts" of spam.

The sending relays seem to be predominantly in Europe, and often make about a dozen tries in rapid succession.  Here are the relays that sent name-guessing spams in a 2-minute period in the last hour:

Are others seeing this?  Any plausible explanation?

Pierre Thomson
BIC

Re: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by Simon Byrnand <si...@igrin.co.nz>.
At 04:18 27/10/2004, Pierre Thomson wrote:

>One of our relays got 8500 name-guessing spams yesterday, up from an 
>average of 2500 per day last week.  So far today we have seen 6600, and 
>the day isn't half over.  If our MTA weren't checking recipients against 
>our userlist, SA would be struggling to process these sudden "blasts" of spam.
>
>The sending relays seem to be predominantly in Europe, and often make 
>about a dozen tries in rapid succession.  Here are the relays that sent 
>name-guessing spams in a 2-minute period in the last hour:

I saw the same thing a few days ago too. We get dictionary attacks almost 
continuously but usually in quite low volume, as I have bad RCPT throttle 
in place on sendmail, however one afternoon a few days ago we had well over 
200 separate IP addresses (presumably zombied machines) doing dictionary 
scans on us SIMULTANEOUSLY. As far as I am concerned this is a DDoS attack.

So even though sendmail was rate limiting SMTP RCPT commands to one per 
second, because there were over 200 simultaneous connections, there were 
over 200 non-existent addresses being checked per second :(

I actually had to increase the maximum simultaneous incoming connection 
limit as the dictionary scanning attack was consuming all incoming slots, 
preventing legitimate incoming connections...

Regards,
Simon
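
An added example, not part of the original posts: the two signals described in this thread (one host making about a dozen rejected tries in quick succession, and many hosts scanning at once while each stays under a per-connection throttle), computed over a sliding window of rejected RCPTs. The log format, the thresholds and the sample data are assumptions constructed for the illustration, not sendmail output.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # same span as the 2-minute sample in the thread
PER_IP_LIMIT = 10              # assumed threshold for "about a dozen tries"
DISTINCT_IP_LIMIT = 20         # assumed threshold for a distributed scan


def sample_log():
    """Constructed lines: '<ISO time> <client IP> <reply code> <recipient>'."""
    t0 = datetime(2004, 10, 26, 11, 0, 0)
    lines = []
    # One host guessing 12 names in rapid succession.
    for i in range(12):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 550 guess{i}@example.com")
    # 30 hosts with two guesses each: every host stays under the per-IP limit.
    for h in range(30):
        for j in range(2):
            ts = t0 + timedelta(seconds=30 + h + 40 * j)
            lines.append(f"{ts.isoformat()} 198.51.100.{h + 1} 550 n{h}x{j}@example.com")
    # Legitimate sender: one accepted recipient and one mistyped address.
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 203.0.113.5 250 gooduser@example.com")
    lines.append(f"{(t0 + timedelta(seconds=50)).isoformat()} 203.0.113.5 550 goodusser@example.com")
    return lines


def parse(lines):
    events = []
    for line in lines:
        ts, ip, code, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), ip, code, rcpt))
    return sorted(events)


def detect(lines, window=WINDOW):
    recent = deque()    # (time, ip) of rejected RCPTs still inside the window
    per_ip = Counter()  # rejected RCPTs per client IP inside the window
    noisy_ips, peak_sources = set(), 0
    for ts, ip, code, _rcpt in parse(lines):
        if code != "550":
            continue
        recent.append((ts, ip))
        per_ip[ip] += 1
        # Drop rejections that have aged out of the window.
        while ts - recent[0][0] > window:
            _, old_ip = recent.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if per_ip[ip] > PER_IP_LIMIT:
            noisy_ips.add(ip)
        # Number of distinct sources being rejected at the same time.
        peak_sources = max(peak_sources, len(per_ip))
    return {
        "noisy_ips": noisy_ips,
        "peak_sources": peak_sources,
        "distributed": peak_sources > DISTINCT_IP_LIMIT,
    }


if __name__ == "__main__":
    print(detect(sample_log()))
```

The per-IP counter flags only the single rapid guesser; the 30 slow hosts show up only in the count of distinct sources, which is the signal a per-connection RCPT throttle cannot see.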


Re[2]: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Christopher,

Tuesday, October 26, 2004, 9:25:18 AM, Christopher X. Candreva
responded to Dave Duffner:

>> Is there a way, possibly with SpamAssassin, to
>> simply reject anything not going to a valid user account?

CXC> I think the question is, why are you accepting mail that isn't
CXC> going to a valid user account in the first place ? This should
CXC> have happened in the SMTP dialog long before SA kicked in. As
CXC> soon as the sending site says   
CXC> rcpt to: bogususer@yourdomain
CXC> You reply
CXC> 550 User unknown.
CXC> end of story.

As mail manager for three domains, we accept all mail regardless of
the validity of the destination email address. The reason is that we
get a significant fraction of ham addressed to slightly invalid
addresses (eg: email that should have gone to GoodUser@domain.com will
be addressed to GoodUsser@domain.com instead). We receive one or two
of these a week.

All of these are then fed through SA. Any that are flagged as spam get
dumped into our global spamtrap, and are reviewed briefly for FPs. We
receive about 5k spam a week across the three domains, and this FP
review takes about 5 min/day.

We do have some rules that check for reasonable validity of email
addresses. For instance, we have no email addresses that end in
multiple digits, so any \d\d\@domain.com can be flagged as spam and
dumped.

What we don't have is the ability to test for actually valid email
addresses. If we could add a plugin to our system that would check for
a) all valid pop3 account names, b) all valid auto-forwarding
addresses, and add SA points to any email that does not reference one
of these two classes of email addresses, that would be a big help to
our anti-spam work.

Exim apparently adds a Received header to our emails in the form
> Received from [source] by [our server] for [email address]; [date]
If we could read the email address from that header and compare it
against the two classes, that would be perfect.

Has anyone created or contemplated a plugin to do this sort of thing?
I can't write such plugin myself, but I'd be glad to discuss ideas
with anyone interested.

Bob Menschel

ps: In case anyone's concerned, we do NOT bounce any of this spam. All
spam gets sa-learned and then filed into our corpus, without bounce.
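
An added example, not part of the original post and not a SpamAssassin plugin: a standalone sketch of the check described above, reading the recipient from the "for" clause of a Received header and comparing it with a list of valid addresses. The address list, the point values, the near-miss rule (one edit away from a valid local part, so a GoodUsser-style typo is held for review) and the sample message are all assumptions made for the illustration.

```python
import re
from email import message_from_string

# Assumed list: POP3 account names plus auto-forwarding addresses.
VALID = {"gooduser@domain.com", "sales@domain.com"}
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?\s*;", re.I)


def make_message(rcpt):
    """Constructed message with a Received header in the shape quoted above."""
    return (
        "Received: from mail.example.net ([192.0.2.7])\n"
        "\tby mx.domain.com with esmtp\n"
        f"\tfor {rcpt}; Tue, 26 Oct 2004 09:25:18 -0700\n"
        "From: sender@example.net\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def envelope_recipient(raw):
    """Return the address from the topmost Received header with a for clause."""
    msg = message_from_string(raw)
    for received in msg.get_all("Received", []):
        match = FOR_CLAUSE.search(received)
        if match:
            return match.group(1).lower()
    return None


def classify(raw, valid=VALID):
    """Return (label, points); the point values are hypothetical."""
    rcpt = envelope_recipient(raw)
    if rcpt is None:
        return ("no-recipient", 0.0)  # nothing to compare, leave unscored
    if rcpt in valid:
        return ("valid", 0.0)
    local, _, domain = rcpt.partition("@")
    for addr in valid:
        v_local, _, v_domain = addr.partition("@")
        if domain == v_domain and edit_distance(local, v_local) <= 1:
            return ("near-miss", 0.5)  # probable typo, keep for FP review
    return ("unknown", 3.0)            # matches neither class of address


if __name__ == "__main__":
    for rcpt in ("GoodUser@domain.com", "GoodUsser@domain.com",
                 "INedfijDFJiIEjf@domain.com"):
        print(rcpt, classify(make_message(rcpt)))
```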



RE: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Tue, 26 Oct 2004, Dave Duffner - NWCWEB.com wrote:

> 	The Con is we see tons of sludge when a dictionary 
> attack comes forth, if we had a method to simply reject that
> with a 550 or other response that'd leave just the important
> sludge so we can continue to write the SA rules and keep up
> the pace.

OK -- remember in your original question you wanted to 'reject' any mail to 
a non-valid account, not "add a bunch of points to". :-)

Sounds like this would have to be custom, in terms of getting SA a 
list of your valid users.

Also, if you do 'reject', make sure you do so in the original SMTP dialog, 
or silently throw it away. Since these will almost all have bogus return 
addresses, you do not want to accept then bounce. (Sorry if this is 
obvious, I'm going on your original question).


==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

RE: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by "Dave Duffner - NWCWEB.com" <we...@nwcweb.com>.
Chris,

	Becomes a trade-off.  It's easily possible to reject
on that basis, but the flavor of RH & Ensim Hosting OS on 
each box allows for catch-all accounts.  We've had to use
these for two reasons:

	#1: Morons can't read and send e-mails just a few
hairs off and that mail is eaten. This was resulting in
a slew of calls and having our CSR's trying to explain to
brain dead individuals why they're not getting 'vital' 
mail because their senders aren't addressing it right. 

	While this isn't an uncommon problem, we found handling
it in the fashion we're doing reduced that CSR load severely
and thus it's better in the long run.  Entering in tons of 
aliases isn't a solution either, just more workload.

	#2: As I mentioned previously, users are habitually
lazy and don't implement the easily accessed spam controls 
on their valid accounts.  Thus tons of sludge gets into 
valid accounts and we don't see it, they never complain 
or forward any of it so we can write legitimate SA rules to
stem the balance of it (you know, all that fun drug, illegal
software and porn spam).  So by picking up the sends to bogus
accounts, we get a look at the stuff and kill it off almost
instantly prior to the rest of it making its way into our
users' accounts.  This keeps them happy and paying the bill
when it arrives vs. comparing us to those who don't use this
practice.  By the time SpamLords get their entire payload
out in small batches (to pass mass-mailing checks in place),
we've already stuck a new SA rule in place and we kill 90%
of them.  High customer retention, minimal effort on our part.

	The Con is we see tons of sludge when a dictionary 
attack comes forth, if we had a method to simply reject that
with a 550 or other response that'd leave just the important
sludge so we can continue to write the SA rules and keep up
the pace.

	We're using Sendmail as the MTA, nothing fancy there, 
but it does pass through a Sendmail/MailScanner/ClamAV/SA
handling package prior to deleting, delivering or modifying
for notification delivery.  That's worked quite well, don't
want to change that.  Thus I asked what options we might have
for killing the large-scale dictionary attacks to the painfully
obvious garbage addresses.

      David J. Duffner
      VP Operations
      NWC Corporation
      NWCWEB.com
      
============================================
NWCWEB.com - Your Design & Hosting Solution!
Featuring Ensim Pro/Linux Servers, Hosted
Accounts, Web Design and e-Commerce services
NWC Corporation - Global e-Pay Solutions
============================================
 


> -----Original Message-----
> From: Christopher X. Candreva [mailto:chris@westnet.com] 
> Sent: Tuesday, October 26, 2004 12:25 PM
> To: users@spamassassin.apache.org
> Subject: RE: slightly OT: sudden rise in Rumplestiltskin attacks?
> 
> 
> On Tue, 26 Oct 2004, Dave Duffner - NWCWEB.com wrote:
> 
> > 	Is there a way, possibly with SpamAssassin, to
> > simply reject anything not going to a valid user account?
> 
> I think the question is, why are you accepting mail that 
> isn't going to a valid user account in the first place ? This should have 
> happened in the SMTP dialog long before SA kicked in. As soon as the
> sending site says
> 
> rcpt to: bogususer@yourdomain 
> 
> You reply
> 
> 550 User unknown.
> 
> end of story.
> 
> If you have a multi-layer mail system, where the accepting 
> SMTP host doesn't have a list of accounts -- then that's the solution, but
> how to do it will depend on your MTA.
> 
> ==========================================================
> Chris Candreva  -- chris@westnet.com -- (914) 967-7816
> WestNet Internet Services of Westchester http://www.westnet.com/


-- 
Message scanned by MailScanner, and is believed to be clean.  
CONFIDENTIALITY NOTICE:  This transmission intended for the
specified destination and person.  If this is not you, this
e-mail must be deleted immediately.     www.nwcweb.com


RE: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Tue, 26 Oct 2004, Dave Duffner - NWCWEB.com wrote:

> 	Is there a way, possibly with SpamAssassin, to 
> simply reject anything not going to a valid user account?

I think the question is, why are you accepting mail that isn't going to a 
valid user account in the first place ? This should have happened in the 
SMTP dialog long before SA kicked in. As soon as the sending site says

rcpt to: bogususer@yourdomain 

You reply

550 User unknown.

end of story.

If you have a multi-layer mail system, where the accepting SMTP host doesn't 
have a list of accounts -- then that's the solution, but how to do it will 
depend on your MTA.


==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

RE: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by "Dave Duffner - NWCWEB.com" <we...@nwcweb.com>.
	We've had these, especially from some of the sources
listed below, for quite some time.  But we've also 
seen that same spike lately and a couple of worthless
attempts to hack into our servers and gain more ID's.

	When that doesn't work, it's dictionary time and
they spew tons at us.  If that fails, their next tactic
is to do dictionary hits to other destinations, but use
our domains and IP's to forge us as the source.

	We've firewalled and sendmail rejected most of
the domains listed and all the APNIC, RIPE and other IP
ranges from overseas.  If we get complaints, then we 
investigate the source to determine it's genuine and
open that smaller range back up.  Sad, but it's reduced
the workload by 75%.

	Is there a way, possibly with SpamAssassin, to 
simply reject anything not going to a valid user account?
I know you can /dev/null everything but then you miss
what's being spewed at you and the problem is never really
solved.  They get their payloads to valid accounts and
the spam just continues.

	What I'm asking for is some routing in SA or some
other program that could use some format to kill dictionary-
style attacks but let the normal name-based stuff pass to
be dealt with.  Bob (even if there isn't one) would pass,
but INedfijDFJiIEjf@domain.whatever would instantly be 
tossed.

	Any options like that?

      David J. Duffner
      VP Operations
      NWC Corporation
      NWCWEB.com
      
============================================
NWCWEB.com - Your Design & Hosting Solution!
Featuring Ensim Pro/Linux Servers, Hosted
Accounts, Web Design and e-Commerce services
NWC Corporation - Global e-Pay Solutions
============================================
 

> -----Original Message-----
> From: Eric W. Bates [mailto:ericx_lists@vineyard.net] 
> Sent: Tuesday, October 26, 2004 11:39 AM
> To: Pierre Thomson
> Cc: users@spamassassin.apache.org
> Subject: Re: slightly OT: sudden rise in Rumplestiltskin attacks?
> 
> 
> We got slammed with a whole series of dictionary attacks in June (as 
> many as 500k per day against a variety of domains).  And, yes, it 
> brought SA to its knees.  Prior to the flood, we had always configured 
> our customer's domains such that [fill-in-the-blank]@example.com was 
> delivered to the customer's default address.  This worked very well for 
> the past 9 years; but we had to stop.
> 
> Pierre Thomson wrote:
> > One of our relays got 8500 name-guessing spams yesterday, up from an 
> > average of 2500 per day last week.  So far today we have seen 6600, 
> > and the day isn't half over.  If our MTA weren't checking recipients 
> > against our userlist, SA would be struggling to process these sudden 
> > "blasts" of spam.
> > 
> > The sending relays seem to be predominantly in Europe, and often make 
> > about a dozen tries in rapid succession.  Here are the relays that 
> > sent name-guessing spams in a 2-minute period in the last hour:
> > 
> > Are others seeing this?  Any plausible explanation?
> > 
> > Pierre Thomson
> > BIC
> 




Re: slightly OT: sudden rise in Rumplestiltskin attacks?

Posted by "Eric W. Bates" <er...@vineyard.net>.
We got slammed with a whole series of dictionary attacks in June (as 
many as 500k per day against a variety of domains).  And, yes, it 
brought SA to its knees.  Prior to the flood, we had always configured 
our customer's domains such that [fill-in-the-blank]@example.com was 
delivered to the customer's default address.  This worked very well for 
the past 9 years; but we had to stop.

Pierre Thomson wrote:
> One of our relays got 8500 name-guessing spams yesterday, up from an average of 2500 per day last week.  So far today we have seen 6600, and the day isn't half over.  If our MTA weren't checking recipients against our userlist, SA would be struggling to process these sudden "blasts" of spam.
> 
> The sending relays seem to be predominantly in Europe, and often make about a dozen tries in rapid succession.  Here are the relays that sent name-guessing spams in a 2-minute period in the last hour:
> 
> Are others seeing this?  Any plausible explanation?
> 
> Pierre Thomson
> BIC