Transparent hijacking of SMTP submission...

Suresh Ramasubramanian ops.lists at gmail.com
Fri Nov 28 01:13:52 UTC 2014


Oh it depends on the numbers.

Just how many legitimate smtp submission attempts do you get from say an
access point at Joes diner in nowhere, OH?

Versus just how many password cracking and malware relay attempts across
how many of your users, from an unpatched xp box the guy is using for a
billing app?

At the scale of the problem a provider with any kind of userbase faces, you
need a chainsaw, not a scalpel, given that you're out to cut a tree rather
than perform plastic surgery.
 On Nov 28, 2014 6:08 AM, "Mark Andrews" <marka at isc.org> wrote:

>
> In message <CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe=
> 2qLcvb29i07OaX-yqg at mail.gmail.com>
> , Suresh Ramasubramanian writes:
> >
> > Yes. Till that hotspots IP space gets blackholed by a major freemail
> > because of all the nigerians and hijacked devices emitting bot traffic
> > through stolen auth credentials.
>
> Why would it black hole the address rather than the block the
> compromised credentials?  The whole point of submission is to
> authenticate the submitter and to be able to trace spam back to the
> submitter and deal with the issue at that level of granuality.
>
> Blocking at that level also stop the credentials being used from
> anywhere.
>
> scalpel vs chainsaw.
>
> Just because you provide free email doesn't give you the right to
> not do the service properly.  You encouraged people to use your
> service.  You should resource it to deal with the resulting load
> and that includes dealing with spam and scans being sent with stolen
> credentials.  As a free email provider you have the plain text.
>
> Mark
>
> > There's other ways to stop this but they take actual hard work and rather
> > more gear than a rusted up old asa you pull out of your closet as like as
> > not.
> >  On Nov 28, 2014 2:10 AM, "Mark Andrews" <marka at isc.org> wrote:
> >
> > >
> > > Which is why your MTA should always be setup to require the use of
> > > STARTTLS.  Additionally the CERT presented should also match the
> > > name of the server.
> > >
> > > There is absolutely no reason for a ISP / hotspot to inspect
> > > submission traffic.  The "stopping spam" argument doesn't wash with
> > > submission.
> > >
> > > Mark
> > >
> > > In message <54778167.7080808 at bogus.com>, joel jaeggli writes:
> > > >
> > > > I don't see this in my home market, but I do see it in someone
> else's...
> > > > I kind of expect this for port 25 but...
> > > >
> > > > J at mb-aye:~$telnet 147.28.0.81 587
> > > > Trying 147.28.0.81...
> > > > Connected to nagasaki.bogus.com.
> > > > Escape character is '^]'.
> > > > 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov
> 2014
> > > > 19:17:44 GMT
> > > > ehlo bogus.com
> > > > 250-nagasaki.bogus.com Hello XXXXXXXXXXXXXXX.wa.comcast.net
> > > > [XXX.XXX.XXX.XXX], pleased to meet you
> > > > 250 ENHANCEDSTATUSCODES
> > > >
> > > > J at mb-aye:~$telnet 2001:418:1::81 587
> > > > Trying 2001:418:1::81...
> > > > Connected to nagasaki.bogus.com.
> > > > Escape character is '^]'.
> > > > 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov
> 2014
> > > > 19:18:33 GMT
> > > > ehlo bogus.com
> > > > 250-nagasaki.bogus.com Hello
> > > > [IPv6:2601:7:2380:XXXX:XXXX:XXXX:c1ae:7d73], pleased to meet you
> > > > 250-ENHANCEDSTATUSCODES
> > > > 250-PIPELINING
> > > > 250-8BITMIME
> > > > 250-SIZE
> > > > 250-DSN
> > > > 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
> > > > 250-STARTTLS
> > > > 250-DELIVERBY
> > > > 250 HELP
> > > >
> > > > that's essentially a downgrade attack on my ability to use encryption
> > > > which seems to be in pretty poor taste frankly.
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> > >
> >
> > --bcaec517c6c01f783d0508e015a5
> > Content-Type: text/html; charset=UTF-8
> > Content-Transfer-Encoding: quoted-printable
> >
> > <p dir=3D"ltr">Yes. Till that hotspots IP space gets blackholed by a
> major =
> > freemail because of all the nigerians and hijacked devices emitting bot
> tra=
> > ffic through stolen auth credentials. </p>
> > <p dir=3D"ltr">There's other ways to stop this but they take actual
> har=
> > d work and rather more gear than a rusted up old asa you pull out of
> your c=
> > loset as like as not. <br>
> > </p>
> > <div class=3D"gmail_quote">On Nov 28, 2014 2:10 AM, "Mark
> Andrews&quot=
> > ; <<a href=3D"mailto:marka at isc.org">marka at isc.org</a>> wrote:<br
> type=
> > =3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
> .8=
> > ex;border-left:1px #ccc solid;padding-left:1ex"><br>
> > Which is why your MTA should always be setup to require the use of<br>
> > STARTTLS.=C2=A0 Additionally the CERT presented should also match the<br>
> > name of the server.<br>
> > <br>
> > There is absolutely no reason for a ISP / hotspot to inspect<br>
> > submission traffic.=C2=A0 The "stopping spam" argument
> doesn'=
> > t wash with<br>
> > submission.<br>
> > <br>
> > Mark<br>
> > <br>
> > In message <<a href=3D"mailto:54778167.7080808 at bogus.com
> ">54778167.70808=
> > 08 at bogus.com</a>>, joel jaeggli writes:<br>
> > ><br>
> > > I don't see this in my home market, but I do see it in someone
> els=
> > e's...<br>
> > > I kind of expect this for port 25 but...<br>
> > ><br>
> > > J at mb-aye:~$telnet 147.28.0.81 587<br>
> > > Trying 147.28.0.81...<br>
> > > Connected to <a href=3D"http://nagasaki.bogus.com"
> target=3D"_blank">n=
> > agasaki.bogus.com</a>.<br>
> > > Escape character is '^]'.<br>
> > > 220 <a href=3D"http://nagasaki.bogus.com"
> target=3D"_blank">nagasaki.b=
> > ogus.com</a> ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014<br>
> > > 19:17:44 GMT<br>
> > > ehlo <a href=3D"http://bogus.com" target=3D"_blank">bogus.com
> </a><br>
> > > <a href=3D"http://250-nagasaki.bogus.com"
> target=3D"_blank">250-nagasa=
> > ki.bogus.com</a> Hello <a href=3D"http://XXXXXXXXXXXXXXX.wa.comcast.net"
> ta=
> > rget=3D"_blank">XXXXXXXXXXXXXXX.wa.comcast.net</a><br>
> > > [XXX.XXX.XXX.XXX], pleased to meet you<br>
> > > 250 ENHANCEDSTATUSCODES<br>
> > ><br>
> > > J at mb-aye:~$telnet 2001:418:1::81 587<br>
> > > Trying 2001:418:1::81...<br>
> > > Connected to <a href=3D"http://nagasaki.bogus.com"
> target=3D"_blank">n=
> > agasaki.bogus.com</a>.<br>
> > > Escape character is '^]'.<br>
> > > 220 <a href=3D"http://nagasaki.bogus.com"
> target=3D"_blank">nagasaki.b=
> > ogus.com</a> ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014<br>
> > > 19:18:33 GMT<br>
> > > ehlo <a href=3D"http://bogus.com" target=3D"_blank">bogus.com
> </a><br>
> > > <a href=3D"http://250-nagasaki.bogus.com"
> target=3D"_blank">250-nagasa=
> > ki.bogus.com</a> Hello<br>
> > > [IPv6:2601:7:2380:XXXX:XXXX:XXXX:c1ae:7d73], pleased to meet you<br>
> > > 250-ENHANCEDSTATUSCODES<br>
> > > 250-PIPELINING<br>
> > > 250-8BITMIME<br>
> > > 250-SIZE<br>
> > > 250-DSN<br>
> > > 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN<br>
> > > 250-STARTTLS<br>
> > > 250-DELIVERBY<br>
> > > 250 HELP<br>
> > ><br>
> > > that's essentially a downgrade attack on my ability to use
> encrypt=
> > ion<br>
> > > which seems to be in pretty poor taste frankly.<br>
> > --<br>
> > Mark Andrews, ISC<br>
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > PHONE: +61 2 9871 4742=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
> =C2=
> > =A0 =C2=A0INTERNET: <a href=3D"mailto:marka at isc.org">marka at isc.org
> </a><br>
> > </blockquote></div>
> >
> > --bcaec517c6c01f783d0508e015a5--
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>


More information about the NANOG mailing list