2010-04-05
Interesting (for me) new type of account ...
Interesting (for me) new type of account guessing attack: trying smtp accounts. I saw the following in the maillogs:

    Apr 5 22:33:59 greenblatt sm-mta[19364]: o35KXpPO019364: [92.241.190.15]: possible SMTP attack: command=AUTH, count=7
    Apr 5 22:34:08 greenblatt sm-mta[19082]: o35KVkYF019082: [92.241.190.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

I was wondering what was happening on smtp level and used tcpdump to find out:

    220 kzdoos.xs4all.nl ESMTP Sendmail 8.14.2/8.14.2/Debian-2build1; Mon, 5 Apr 2010 20:47:05 +0200; (No UCE/UBE) logging access from: [92.241.190.15](FAIL)-[92.241.190.15]
    EHLO jtrmuwev.com
    250-kzdoos.xs4all.nl Hello [92.241.190.15], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    AUTH CRAM-MD5
    334 PDI3MjU0Mjc5OC4xMjIwMjEwMkBremRvb3MueHM0YWxsLm5sPg==
    MTExIDk5ODY0YTY5YWI3ODIxMmI3YzgxMjhkOGFmNWM4MjUw
    535 5.7.0 authentication failed
    535 5.7.0 authentication failed
    RSET
    250 2.0.0 Reset state
    AUTH CRAM-MD5
    334 PDEyODQ3MDgxMTYuMTIyMDIxMDNAa3pkb29zLnhzNGFsbC5ubD4=
    MTExIDU2YmU3OGYwMGE1MTA5ZmI4OWZmMDFhOGRmMDdjMTBh
    535 5.7.0 authentication failed
    535 5.7.0 authentication failed
    RSET
    250 2.0.0 Reset state
    AUTH CRAM-MD5
    334 PDE4OTQxOTc2MS4xMjIwMjEwNEBremRvb3MueHM0YWxsLm5sPg==
    MTExIDE4YmEyYWY2M2MyYjA2Y2Q4OWUxMDE4Y2E2NjY3MmM1
    535 5.7.0 authentication failed

The base64 encoded bits decode to:

    <272542798.12202102@kzdoos.xs4all.nl>
    111 99864a69ab78212b7c8128d8af5c8250
    <1284708116.12202103@kzdoos.xs4all.nl>
    111 56be78f00a5109fb89ff01a8df07c10a
    <189419761.12202104@kzdoos.xs4all.nl>
    111 18ba2af63c2b06cd89e1018ca66672c5

Which is normal challenge-response for CRAM-MD5 authentication. So my best guess is either trying to find valid accounts for other attacks in a way which does not hit a rate limiter (yet), which would mean a targeted attack, or just a way to find an account for relaying spam.
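To see what such a capture actually says without decoding every base64 line by hand, here is a small parser (an added example, not code from the post) that pairs each 334 challenge with the client reply that follows it and pulls out the claimed username and the hex digest. The sample capture embedded below is constructed from the first two AUTH attempts shown above.

```python
import base64
import re

# Constructed sample: the first two AUTH CRAM-MD5 attempts from the tcpdump
# output in the post, one SMTP message per line (duplicate 535s dropped).
CAPTURE = """AUTH CRAM-MD5
334 PDI3MjU0Mjc5OC4xMjIwMjEwMkBremRvb3MueHM0YWxsLm5sPg==
MTExIDk5ODY0YTY5YWI3ODIxMmI3YzgxMjhkOGFmNWM4MjUw
535 5.7.0 authentication failed
RSET
250 2.0.0 Reset state
AUTH CRAM-MD5
334 PDEyODQ3MDgxMTYuMTIyMDIxMDNAa3pkb29zLnhzNGFsbC5ubD4=
MTExIDU2YmU3OGYwMGE1MTA5ZmI4OWZmMDFhOGRmMDdjMTBh
535 5.7.0 authentication failed
"""

# A CRAM-MD5 reply digest is an HMAC-MD5, so 32 lowercase hex chars (RFC 2195).
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_cram_md5_attempts(capture):
    """Return one dict per AUTH attempt found in a line-per-message capture.

    Each dict holds the decoded server challenge, the username the client
    claimed, the digest it sent, whether that digest has the shape CRAM-MD5
    requires, and whether the server answered with a 535 failure.
    """
    lines = capture.splitlines()
    attempts = []
    for i, line in enumerate(lines):
        if not line.startswith("334 ") or i + 1 >= len(lines):
            continue
        challenge = base64.b64decode(line[4:]).decode("ascii")
        reply = base64.b64decode(lines[i + 1]).decode("ascii")
        # RFC 2195: the reply is "<username> <hex digest>" with a single space.
        user, _, digest = reply.partition(" ")
        outcome = lines[i + 2] if i + 2 < len(lines) else ""
        attempts.append({
            "challenge": challenge,
            "user": user,
            "digest": digest,
            "well_formed": bool(HEX32.match(digest)),
            "failed": outcome.startswith("535"),
        })
    return attempts


def users_tried(attempts):
    """Distinct usernames probed, in order of first appearance."""
    seen = []
    for attempt in attempts:
        if attempt["user"] not in seen:
            seen.append(attempt["user"])
    return seen
```

Running it over a longer capture shows at a glance which account names a source is guessing and how many of the attempts the server rejected, which is the information worth feeding into a rate limiter or blocklist.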