SMTP AUTH Attacks: Readers Respond
More information about the most recent assault on Exchange.
October 15, 2003
Last week's UPDATE column about SMTP AUTH attacks (see the first URL below) struck a chord with readers. I received an interesting variety of questions, suggestions, and personal stories about your experiences with this kind of attack.
Dr. Thomas Shinder (a Microsoft MVP for Microsoft Internet Security and Acceleration--ISA--Server and author of two excellent books about deploying ISA Server) wrote to point out that you can use ISA Server to log SMTP AUTH traffic. Exchange Server doesn't log these transactions, but you can configure a perimeter firewall or SMTP proxy to monitor the rate of arriving commands and alert you when an attack appears to be underway. The rate of authentication requests that signals an attack will vary: A large company that typically receives 1000 requests per hour will need to set a higher threshold than a small university that receives only a few hundred requests per hour.
Several readers pointed out attack-related discussions on the North American Network Operators Group (NANOG) mailing list (see the second URL below). One report on the list claims that blocking a range of IP addresss from China will block SMTP AUTH attacks, but unless you're suffering from an extremely high volume of requests, this solution is likely to cause more problems than the attack itself.
Some readers wondered why someone would even bother to attempt to compromise random Internet-connected desktop machines. The answer: cold hard cash. Brian McWilliams' "WIRED" article "Cloaking Device Made for Spammers" (see the third URL below) describes how spammers are using compromised PCs to obscure the real location of the spammers' Web sites. If you haven't done so already, now would be a good time to have your users run an antivirus tool and a tool such as PestPatrol's free PestScan scanner (see the fourth URL below) to scan their machines. Rebuild any infected machines; don't try to clean them--getting rid of all the spyware is extremely difficult.
One thing is perfectly clear: Attacks such as the SMTP AUTH attack will continue. Spammers make their living by using large amounts of cheap computer power to flood the world with messages; now these miscreants are stealing computer power from others. We all need to be vigilant in making sure that our systems are secured and configured properly to reduce this type of abuse.
Paul Robichaux
"A New Kind of Attack"
http://www.exchangeadmin.com/articles/index.cfm?articleid=40507
North American Network Operators Group (NANOG)
http://www.nanog.org
Brian McWilliams
"Cloaking Device Made for Spammers"
http://www.wired.com/news/business/0,1367,60747,00.html
PestPatrol PestScan
http://www.pestpatrol.com
About the Author
You May Also Like