<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1264" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>'Tis one of the reasons why I've disabled SMTP AUTH
on all of my servers for now. I've known about this for a few weeks
now. It's not surprising. Most of the servers cracked are Exchange
servers (probably thanks to weak passwords), but I still don't feel like taking
a chance.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Exchange does a horrible job of logging, which is
why they are probably being targeted. Most real SMTP servers (sendmail,
exim, postfix, qmail) log failed attempts in the maillog or via PAM (if they use
it).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>--------------------------<BR>Brian Bruns<BR>The Summit Open Source
Development Group<BR>Open Solutions For A Closed World / Anti-Spam
Resources<BR><A href="http://www.2mbit.com">http://www.2mbit.com</A><BR>ICQ:
8077511</DIV>
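<DIV><FONT face=Arial size=2>Added example, not part of the original thread: one way to spot the SMTP AUTH password guessing discussed here from a maillog, by counting failed logins per client IP in a sliding time window. It assumes Postfix's "SASL ... authentication failed" warning format; the sample lines, host name, addresses, threshold and window are constructed for illustration.</FONT></DIV>
<PRE>
```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: Postfix smtpd warning for a failed SASL login.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")

TAIL = "SASL LOGIN authentication failed: authentication failure"
# Constructed sample maillog (host name and addresses are made up).
SAMPLE = (
    # six failures in under a minute from one client
    [f"Oct 10 10:41:{s:02d} mx1 postfix/smtpd[2114]: warning: unknown[192.0.2.45]: {TAIL}"
     for s in range(0, 60, 10)]
    # five failures spread one hour apart from another client
    + [f"Oct 10 {h:02d}:00:00 mx1 postfix/smtpd[2090]: warning: unknown[203.0.113.9]: {TAIL}"
       for h in range(1, 6)]
    # a single mistyped password, plus an unrelated line
    + ["Oct 10 10:42:10 mx1 postfix/smtpd[2120]: warning: unknown[198.51.100.7]: " + TAIL,
       "Oct 10 10:42:11 mx1 postfix/smtpd[2120]: disconnect from unknown[198.51.100.7]"])

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10), year=2003):
    """Return {client_ip: most failures seen inside any one window} for
    clients that reach `threshold` failed SMTP AUTH attempts within `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not a failed-auth line (connect, delivery, ...)
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        by_ip[m.group(2)].append(ts)

    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the span fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            offenders[ip] = worst
    return offenders

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```
</PRE>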
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=bobgerman@irides.com href="mailto:bobgerman@irides.com">Bob
German</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=nanog@merit.edu
href="mailto:nanog@merit.edu">nanog@merit.edu</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, October 10, 2003 10:59
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> New mail blocks result of
Ralsky's latest attacks?</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial size=2>A colleague
informed me this morning that Alan Ralsky is doing widespread bruteforce
attacks on SMTP AUTH, and they are succeeding, mainly because it's quick,
painless (for him), and servers and IDS signatures don't generally offer
protection against them.</FONT></SPAN></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial size=2>Could this be why
everyone's locking up their mail servers all of a sudden?</FONT></SPAN></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial size=2>Does anyone know
of a way to stop them?</FONT></SPAN></DIV>
<DIV><SPAN class=293065714-10102003><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV align=left>
<DIV align=left><SPAN class=753150415-27022003><FONT face=Arial
size=2>Bob</FONT></SPAN></DIV></DIV></BLOCKQUOTE></BODY></HTML>