New mail blocks result of Ralsky's latest attacks?

Brian Bruns bruns at 2mbit.com
Fri Oct 10 15:38:30 UTC 2003


Just FYI, I am putting together another paper as we speak on how to secure your mail servers against this type of attack.  Should be online by this afternoon at the latest.

Ok, this is where I need to ask for you guys' help as well.  If anyone here has experience with postfix or qmail, please let me know if you know ways of securing these mail servers from these kinds of attacks.  I'm familiar with sendmail, exim, and exchange.



--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
  ----- Original Message ----- 
  From: Brian Bruns 
  To: Bob German ; nanog at merit.edu 
  Sent: Friday, October 10, 2003 11:12 AM
  Subject: Re: New mail blocks result of Ralsky's latest attacks?


  Tis one of the reasons why I've disabled SMTP AUTH on all of my servers for now.  I've known about this for a few weeks now.  It's not surprising.  Most of the servers cracked are Exchange servers (probably thanks to weak passwords), but I still don't feel like taking a chance.

  Exchange does a horrible job of logging, which is why they are probably being targeted.  Most real SMTP servers (sendmail, exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use it).

  --------------------------
  Brian Bruns
  The Summit Open Source Development Group
  Open Solutions For A Closed World / Anti-Spam Resources
  http://www.2mbit.com
  ICQ: 8077511
    ----- Original Message ----- 
    From: Bob German 
    To: nanog at merit.edu 
    Sent: Friday, October 10, 2003 10:59 AM
    Subject: New mail blocks result of Ralsky's latest attacks?


    A colleague informed me this morning that Alan Ralsky is doing widespread bruteforce attacks on SMTP AUTH, and they are succeeding, mainly because it's quick, painless (for him), and servers and IDS signatures don't generally offer protection against them.

    Could this be why everyone's locking up their mail servers all of a sudden?

    Does anyone know of a way to stop them?

    Bob
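
Added example, not part of the original messages: a small detector that uses the failed-attempt logging mentioned in the thread to flag source addresses making many failed SMTP AUTH attempts in a short window. The two log-line patterns (Postfix and Exim written via syslog), the threshold, the window and the sample lines are assumptions constructed for illustration; check them against your own MTA's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed failure-line formats; verify against your own maillog.
PATTERNS = [
    # Postfix: "warning: host[ip]: SASL LOGIN authentication failed: ..."
    re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"),
    # Exim: "... authenticator failed for (helo) [ip]: 535 ..."
    re.compile(r"authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"),
]
TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) ")

def parse_failure(line, year=2003):
    """Return (timestamp, source_ip) for a failed AUTH line, else None."""
    m = TS.match(line)
    if not m:
        return None
    for pat in PATTERNS:
        hit = pat.search(line)
        if hit:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("ip")
    return None

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each flagged IP to its peak failure count inside any sliding window."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            by_ip[parsed[1]].append(parsed[0])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop attempts older than the window
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    *(f"Oct 10 11:12:{s:02d} mx1 postfix/smtpd[4021]: warning: unknown[203.0.113.5]: "
      "SASL LOGIN authentication failed: authentication failure" for s in range(0, 12, 2)),
    "Oct 10 11:12:30 mx1 exim[812]: login authenticator failed for (pc) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)",
    "Oct 10 11:40:02 mx1 exim[812]: login authenticator failed for (pc) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)",
    "Oct 10 11:41:00 mx1 postfix/smtpd[4021]: connect from unknown[192.0.2.9]",
]
```

The flagged addresses can feed a firewall block list or an alert; a user who mistypes a password twice half an hour apart stays below the default threshold.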