SMTP AUTH Attacks: Readers Respond

More information about the most recent assault on Exchange.

Paul Robichaux

October 15, 2003


Last week's UPDATE column about SMTP AUTH attacks (see the first URL below) struck a chord with readers. I received an interesting variety of questions, suggestions, and personal stories about your experiences with this kind of attack.

Dr. Thomas Shinder (a Microsoft MVP for Microsoft Internet Security and Acceleration--ISA--Server and author of two excellent books about deploying ISA Server) wrote to point out that you can use ISA Server to log SMTP AUTH traffic. Exchange Server doesn't log these transactions, but you can configure a perimeter firewall or SMTP proxy to monitor the rate of arriving commands and alert you when an attack appears to be underway. The rate of authentication requests that signals an attack will vary: A large company that typically receives 1000 requests per hour will need to set a higher threshold than a small university that receives only a few hundred requests per hour.
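The rate-threshold idea above can be reduced to a few lines of log analysis. The script below is an added example, not code from the column, from ISA Server, or from any firewall vendor: it assumes a hypothetical, constructed log format ("ISO timestamp, client IP, SMTP command") standing in for whatever your perimeter firewall or SMTP proxy actually writes, buckets AUTH commands into fixed windows, and raises an alert for any window whose count exceeds a threshold you choose for your own traffic. It also reports the busiest source in each flagged window, which is more useful for a targeted block than a country-wide address range.

```python
"""Rate-based SMTP AUTH flood detection over firewall/proxy log lines.

Added example with a hypothetical log format; adapt parse_line() to the
format your perimeter device really emits.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format:
# "<ISO timestamp> <client-ip> <SMTP command>"). The 10:00 hour shows a
# small burst of AUTH attempts from one address; the 09:00 hour is normal.
SAMPLE_LOG = """\
2003-10-14T09:00:05 192.0.2.10 EHLO mail.example.com
2003-10-14T09:00:06 192.0.2.10 AUTH LOGIN
2003-10-14T09:01:12 198.51.100.7 AUTH LOGIN
2003-10-14T09:02:45 203.0.113.4 MAIL FROM:<a@example.com>
2003-10-14T10:00:01 198.51.100.7 AUTH LOGIN
2003-10-14T10:00:02 198.51.100.7 AUTH LOGIN
2003-10-14T10:00:03 198.51.100.7 AUTH LOGIN
2003-10-14T10:00:04 198.51.100.7 AUTH LOGIN
2003-10-14T10:00:05 198.51.100.7 AUTH LOGIN
2003-10-14T10:00:06 192.0.2.10 AUTH LOGIN
"""

_EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, client_ip, command) or None if the line does not parse."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def auth_counts_per_window(log_text, window=timedelta(hours=1)):
    """Count AUTH commands per fixed window.

    Returns {window_start: Counter({client_ip: auth_count})}.
    """
    window_seconds = int(window.total_seconds())
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than crashing
        ts, ip, cmd = parsed
        if not cmd.upper().startswith("AUTH"):
            continue  # only authentication attempts count toward the rate
        # Align the timestamp to the start of its fixed window.
        offset = int((ts - _EPOCH).total_seconds())
        start = _EPOCH + timedelta(seconds=offset - offset % window_seconds)
        buckets[start][ip] += 1
    return buckets


def detect_auth_floods(log_text, threshold_per_window, window=timedelta(hours=1)):
    """Return alerts as (window_start, total_auth, top_ip, top_ip_count).

    A window is flagged when its AUTH count exceeds threshold_per_window;
    the threshold is site-specific, as the column notes (a large company
    with ~1000 requests/hour needs a much higher value than a small site).
    """
    alerts = []
    for start, per_ip in sorted(auth_counts_per_window(log_text, window).items()):
        total = sum(per_ip.values())
        if total > threshold_per_window:
            top_ip, top_count = per_ip.most_common(1)[0]
            alerts.append((start, total, top_ip, top_count))
    return alerts


if __name__ == "__main__":
    # A threshold tuned for a small site flags the 10:00 burst;
    # a large-company threshold of 1000/hour flags nothing in this sample.
    for start, total, ip, n in detect_auth_floods(SAMPLE_LOG, threshold_per_window=4):
        print(f"ALERT {start:%Y-%m-%d %H:%M}: {total} AUTH attempts, top source {ip} ({n})")
    print("large-site alerts:", detect_auth_floods(SAMPLE_LOG, threshold_per_window=1000))
```

Set the threshold from a week of your own logs (a multiple of the busiest normal hour), and consider a shorter window than an hour if your device can be polled that often; a fixed one-hour bucket can hide a burst that straddles two hours.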

Several readers pointed out attack-related discussions on the North American Network Operators Group (NANOG) mailing list (see the second URL below). One report on the list claims that blocking a range of IP addresses from China will block SMTP AUTH attacks, but unless you're suffering from an extremely high volume of requests, this solution is likely to cause more problems than the attack itself.

Some readers wondered why someone would even bother to attempt to compromise random Internet-connected desktop machines. The answer: cold hard cash. Brian McWilliams' "WIRED" article "Cloaking Device Made for Spammers" (see the third URL below) describes how spammers are using compromised PCs to obscure the real location of the spammers' Web sites. If you haven't done so already, now would be a good time to have your users run an antivirus tool and a tool such as PestPatrol's free PestScan scanner (see the fourth URL below) to scan their machines. Rebuild any infected machines; don't try to clean them--getting rid of all the spyware is extremely difficult.

One thing is perfectly clear: Attacks such as the SMTP AUTH attack will continue. Spammers make their living by using large amounts of cheap computer power to flood the world with messages; now these miscreants are stealing computer power from others. We all need to be vigilant in making sure that our systems are secured and configured properly to reduce this type of abuse.

1. Paul Robichaux, "A New Kind of Attack": http://www.exchangeadmin.com/articles/index.cfm?articleid=40507

2. North American Network Operators Group (NANOG): http://www.nanog.org

3. Brian McWilliams, "Cloaking Device Made for Spammers": http://www.wired.com/news/business/0,1367,60747,00.html

4. PestPatrol PestScan: http://www.pestpatrol.com
