<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1264" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Just FYI, I am putting together another paper as we
speak on how to secure your mail servers against this type of attack.
Should be online by this afternoon at the latest.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Ok, this is where I need to ask for your guys' help
as well. If anyone here has experience with postfix or qmail, please let
me know if you know ways of securing these mail servers from these kinds of
attacks. I'm familiar with sendmail, exim, and exchange.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>--------------------------<BR>Brian Bruns<BR>The Summit Open Source
Development Group<BR>Open Solutions For A Closed World / Anti-Spam
Resources<BR><A href="http://www.2mbit.com">http://www.2mbit.com</A><BR>ICQ:
8077511</DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=bruns@2mbit.com href="mailto:bruns@2mbit.com">Brian Bruns</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=bobgerman@irides.com
href="mailto:bobgerman@irides.com">Bob German</A> ; <A title=nanog@merit.edu
href="mailto:nanog@merit.edu">nanog@merit.edu</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, October 10, 2003 11:12
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: New mail blocks result of
Ralsky's latest attacks?</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Tis one of the reasons why I've disabled SMTP
AUTH on all of my servers for now. I've known about this for a few weeks
now. It's not surprising. Most of the servers cracked are Exchange
servers (probably thanks to weak passwords), but I still don't feel like
taking a chance.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Exchange does a horrible job of logging, which is
why they are probably being targeted. Most real SMTP servers (sendmail,
exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they
use it).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>--------------------------<BR>Brian Bruns<BR>The Summit Open Source
Development Group<BR>Open Solutions For A Closed World / Anti-Spam
Resources<BR><A href="http://www.2mbit.com">http://www.2mbit.com</A><BR>ICQ:
8077511</DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=bobgerman@irides.com href="mailto:bobgerman@irides.com">Bob
German</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=nanog@merit.edu
href="mailto:nanog@merit.edu">nanog@merit.edu</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, October 10, 2003 10:59
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> New mail blocks result of
Ralsky's latest attacks?</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial size=2>A colleague
informed me this morning that Alan Ralsky is doing widespread brute-force
attacks on SMTP AUTH, and they are succeeding, mainly because it's quick,
painless (for him), and servers and IDS signatures don't generally offer
protection against them.</FONT></SPAN></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial size=2>Could this be
why everyone's locking up their mail servers all of a
sudden?</FONT></SPAN></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial size=2>Does anyone know
of a way to stop them?</FONT></SPAN></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV align=left>
<DIV align=left><SPAN class=753150415-27022003><FONT face=Arial
size=2>Bob</FONT></SPAN></DIV></DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>