[Mimedefang] Re: dictionary attacks looking for a valid user

Joseph Brennan brennan at columbia.edu
Thu Dec 29 12:59:20 EST 2005

--On Thursday, December 29, 2005 9:05 AM -0600 Alan Lehman 
<alehman at gbutler.com> wrote:

> I rarely see dictionary attacks from a single relay. Recently the
> majority of such attacks on my systems seem to be of distributed origin
> using random #/letter user names. They come in waves, sometimes a day or
> two of several thousand per hour, from various random sources, then it
> calms down for a while. I suspect some type of bot is at work.

They come from bot nets.  Several hundred 'owned' Windows boxes will
test addresses, or actually send spam or virus, often in roughly
alphabetical order over a period of many hours.  Each IP checks or
sends to only 5 to 10 addresses, and this is intended to fly past
anything counting messages per host in real time or even reports
of a day's activity.

The bot nets consist of zombies that do the work and controllers that
send instructions to the zombies.  The networks are created by
exploiting documented unpatched security holes and by sending viruses
that open more security holes.

To some extent I've reduced the problem with--
	define(`confBAD_RCPT_THROTTLE', `2')
--in sendmail.mc, cutting down on how many addresses they can check.
The concept was that zombies don't queue and re-try.  However our logs
recently have evidence that now they do re-try.

Joe Brennan


More information about the MIMEDefang mailing list