Re: [exim] Spamtrap harvesting idea using fake authenticatio…

Author: Jan Ingvoldstad
Date:  
To: exim users
Subject: Re: [exim] Spamtrap harvesting idea using fake authentication
On Thu, Jun 6, 2013 at 8:52 PM, Marc Perkel <marc@???> wrote:

> Here's an idea I'm working on. Wondering if anyone else is interested in
> participating.
>
> As you all know there are a lot of SMTP servers (inbound) where there is no
> authentication option. And we all know that there are lots of hackers and
> hack viruses that work on authenticated SMTP servers looking for weak
> passwords so they can authenticate and send spam.
>
> Suppose we reconfigured servers with no authentication configuration to
> advertise that they take authentication and that you have a fake
> authenticator that accepts any password.
>

That is an interesting idea. But:

>
> Of course you know that anyone authenticating to the server is spamming.
> But we can harvest the IP and add them to a blacklist.
>
> Does anyone find this interesting?
>
> If you do I'm still experimenting but once I like the setup I can send you
> code that will allow me to collect IP addresses of people hacking your
> system.
>
It is interesting, but what if we expand on the idea a bit more and add
metrics?

- Number of failed authentication attempts for a valid account within a
time frame
- Number of failed authentication attempts for one or more accounts from a
given IP address
- Number of IP addresses failing authentication attempts for a valid account
- The same as above, but for invalid accounts

One typical behaviour today is slow-motion authentication attempts for
possibly valid accounts, and the most obvious pattern is a spread in IP
addresses and few attempts per IP address.

This is probably due to rate limiting having existed for SMTP servers for
quite a while, as opposed to for webservers – see the recent hubbub about
brute force password attacks on WordPress admin users, for instance.

The bonus with your proposal is: by storing these metrics, it is possible
to build a local database of likely compromised hosts, which conceivably
could be treated as second class citizens not just for SMTP connections,
but also for other kinds of traffic. Also, gathering this data may make it
possible to alert appropriate abuse departments.
--
Jan
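The four counters listed in the reply, plus a check for the spread-out "few attempts per IP, many IPs" pattern, worked as an added Python example that is not code from this thread or from Exim; the log lines are constructed in the shape of Exim's "authenticator failed" entries, and VALID_ACCOUNTS is an assumed stand-in for the site's real mailbox list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Exim's "authenticator failed" entries (not a real log).
SAMPLE_LOG = """\
2013-06-06 20:52:01 plain authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2013-06-06 20:53:30 plain authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2013-06-06 20:55:12 login authenticator failed for (x) [203.0.113.99]: 535 Incorrect authentication data (set_id=alice)
2013-06-06 20:57:45 plain authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=nosuchuser)
2013-06-06 21:40:02 plain authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ authenticator failed for .*?\[(?P<ip>[^\]]+)\].*\(set_id=(?P<user>[^)]*)\)")
VALID_ACCOUNTS = {"alice", "bob"}  # assumption: the site's real mailbox names

def parse_failures(text):
    """Return (timestamp, ip, user) for each failed-authentication line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]))
    return out

def auth_metrics(events, window=timedelta(hours=1)):
    """The four counters from the reply, over the window ending at the newest event."""
    if not events:
        return {}
    cutoff = max(ts for ts, _, _ in events) - window
    fails_per_account = defaultdict(int)   # failed attempts against a valid account
    fails_per_ip = defaultdict(int)        # failed attempts from one address, any account
    ips_per_account = defaultdict(set)     # distinct addresses probing a valid account
    ips_per_invalid = defaultdict(set)     # the same for names that do not exist
    for ts, ip, user in events:
        if ts < cutoff:
            continue
        fails_per_ip[ip] += 1
        if user in VALID_ACCOUNTS:
            fails_per_account[user] += 1
            ips_per_account[user].add(ip)
        else:
            ips_per_invalid[user].add(ip)
    return {"fails_per_account": dict(fails_per_account), "fails_per_ip": dict(fails_per_ip),
            "ips_per_account": dict(ips_per_account), "ips_per_invalid": dict(ips_per_invalid)}

def slow_motion_targets(metrics, min_ips=3, max_per_ip=2):
    """Valid accounts hit from many addresses with few attempts each: the slow, spread-out pattern."""
    return sorted(user for user, ips in metrics.get("ips_per_account", {}).items()
                  if len(ips) >= min_ips and metrics["fails_per_account"][user] / len(ips) <= max_per_ip)

if __name__ == "__main__":
    m = auth_metrics(parse_failures(SAMPLE_LOG))
    print("slow-motion targets:", slow_motion_targets(m))  # ['alice']
```

The per-IP counter feeds a blacklist like the one proposed, while the per-account spread is what a per-IP rate limit alone would miss.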