Interesting (for me) new type of account ... / 2010-04-05

Interesting (for me) new type of account guessing attack: trying SMTP accounts. I saw the following in the mail logs:
Apr  5 22:33:59 greenblatt sm-mta[19364]: o35KXpPO019364: [92.241.190.15]: possible SMTP attack: command=AUTH, count=7
Apr  5 22:34:08 greenblatt sm-mta[19082]: o35KVkYF019082: [92.241.190.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
I was wondering what was happening on smtp level and used tcpdump to find out:
220 kzdoos.xs4all.nl ESMTP Sendmail 8.14.2/8.14.2/Debian-2build1; Mon, 5 Apr 2010 20:47:05 +0200; (No UCE/UBE) logging access from: [92.241.190.15](FAIL)-[92.241.190.15]
EHLO jtrmuwev.com
250-kzdoos.xs4all.nl Hello [92.241.190.15], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH CRAM-MD5
334 PDI3MjU0Mjc5OC4xMjIwMjEwMkBremRvb3MueHM0YWxsLm5sPg==
MTExIDk5ODY0YTY5YWI3ODIxMmI3YzgxMjhkOGFmNWM4MjUw
535 5.7.0 authentication failed
535 5.7.0 authentication failed
RSET
250 2.0.0 Reset state
AUTH CRAM-MD5
334 PDEyODQ3MDgxMTYuMTIyMDIxMDNAa3pkb29zLnhzNGFsbC5ubD4=
MTExIDU2YmU3OGYwMGE1MTA5ZmI4OWZmMDFhOGRmMDdjMTBh
535 5.7.0 authentication failed
535 5.7.0 authentication failed
RSET
250 2.0.0 Reset state
AUTH CRAM-MD5
334 PDE4OTQxOTc2MS4xMjIwMjEwNEBremRvb3MueHM0YWxsLm5sPg==
MTExIDE4YmEyYWY2M2MyYjA2Y2Q4OWUxMDE4Y2E2NjY3MmM1
535 5.7.0 authentication failed
The base64 encoded bits decode to:
<272542798.12202102@kzdoos.xs4all.nl>
111 99864a69ab78212b7c8128d8af5c8250

<1284708116.12202103@kzdoos.xs4all.nl>
111 56be78f00a5109fb89ff01a8df07c10a

<189419761.12202104@kzdoos.xs4all.nl>
111 18ba2af63c2b06cd89e1018ca66672c5
This is the normal challenge-response exchange for CRAM-MD5 authentication. So my best guess is that this is either an attempt to find valid accounts for other attacks in a way which does not hit a rate limiter (yet), which would mean a targeted attack, or just a way to find an account for relaying spam.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4).