Mailing List Message #15518
From: Bill Cole <>
Subject: Re: dictionary
Date: Tue, 14 Aug 2007 10:06:03 -0400
To: SIMS Discussions <>
At 11:38 PM -0500 8/13/07, billc imposed structure on a stream of electrons, yielding:
> At 9:17 PM -0500 8/13/07, Lewis Butler wrote:
>> On Aug 13, 2007, at 9:03 AM, Charles Mangin wrote:
>>> since i took over hosting, all of these dictionary-style spams have been going nowhere, being rejected out of hand with "<<< 550 Unrouteable address". i know i can't do anything more than ignore them and hope they will move on to some other target but... sheesh. six months? with nothing to show for it? you'd think there'd be some sort of list purging in all that time.
>>
>> Well, you can do something about it, you can blacklist IP addresses that send too many bad messages where too many is a number you chose.
>
> I wish that were true.  Recently the dictionary attacks are coming from completely unrelated IPs - you can sit there and watch the logs roll by and know that it's a dictionary attack, but none of the IPs match any other.  It's obviously a botnet or an IP spoofing scheme.

OUCH! You've pushed one of my buttons there....

IP spoofing for SMTP or any other chatting protocol over TCP is effectively impossible in the wild. The legends about IP spoofing date to the early 90's and are grounded in very narrow facts. The Mitnick attack only worked against rsh and rexec on machines using the traditional (perfectly predictable) BSD initial sequence number selection pattern. Those protocols (and in particular the BSD implementations of the time) could be made to do harm with commands carried in single packets, so a spoofer did not have the problem of having to guess about the target system's response to make the attack work. On the modern net, ISN prediction is always a low-yield game and maintaining the charade past the first packet is extremely hard for a protocol like SMTP where every server responds a little differently. There are complex multi-box attack modes that have been theorized for IP spoofing of TCP-based traffic, and special cases like BGP where low-yield probabilistic approaches can be made to work, but there is a commonality to those: they attack very specific high-value targets that have very valuable trust of particular IP's. There is no known way to just pick any random IP to spoof for TCP traffic and change it on a whim, and anyone who had such a capability would almost certainly not be wasting it on a low-return trick like spamming that has such high visibility.

In short: you can forget about IP spoofing as an explanation for anything based on TCP and involving a shotgun approach. Botnets of tens of thousands of cracked Windows machines are available for rent and provide a far more useful tool than spoofing for most such purposes.

> Blacklists likely won't help much there.

Actually, they can. The Spamhaus Zen list (particularly the CBL and PBL components) does a pretty good job keeping up with compromised machines and the Spamcop BL has become a far better tool for such machines than it used to be, Ironport having apparently decided to turn it into a serious operational tool rather than a way for anti-spam activists to annoy big dumb ISP's. (as a professional mail admin who is also an anti-spam activist, I have some mixed feelings about that...)

I've also found that for small sites (anyone running SIMS today has to qualify) it is likely to be very helpful to handle your own local blacklist in a way that would be unsuitable for most public lists. For example, most small sites in the US could forbid all of 80-92.*, 210-211.*, and 122-125.* and never lose any legitimate mail.

Bill Cole                        
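
An added example, not part of the original message and not SIMS code: it runs the per-IP "too many bad recipients" threshold and the local first-octet blocklist from the thread over a few log lines, showing why a distributed dictionary attack slips under a per-IP count. The log format, function names, threshold and sample addresses are constructed assumptions; `dnsbl_query_name` only builds the name a Zen lookup would query and performs no network access.

```python
import ipaddress
import re
from collections import Counter

# Local blocklist from the message: first octets 80-92, 122-125 and 210-211.
BLOCKED_FIRST_OCTETS = set(range(80, 93)) | set(range(122, 126)) | {210, 211}

# Constructed log layout (assumption, not SIMS's real format): "<ip> RCPT <addr> <code> <text>"
LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) RCPT <[^>]*> (\d{3}) ", re.MULTILINE)

# Constructed sample: one noisy sender plus single probes from unrelated addresses.
SAMPLE_LOG = """\
192.0.2.10 RCPT <aaron@example.org> 550 Unrouteable address
192.0.2.10 RCPT <abby@example.org> 550 Unrouteable address
192.0.2.10 RCPT <abe@example.org> 550 Unrouteable address
192.0.2.10 RCPT <abel@example.org> 550 Unrouteable address
85.0.2.1 RCPT <adam@example.org> 550 Unrouteable address
124.0.2.9 RCPT <adele@example.org> 550 Unrouteable address
211.0.2.33 RCPT <al@example.org> 550 Unrouteable address
198.51.100.5 RCPT <alan@example.org> 550 Unrouteable address
203.0.113.8 RCPT <postmaster@example.org> 250 OK
"""

def parse_rejections(log):
    """Count 550 recipient rejections per source IP."""
    return Counter(ip for ip, code in LINE_RE.findall(log) if code == "550")

def locally_blocked(ip):
    """True if the address falls in one of the locally forbidden first octets."""
    return ipaddress.IPv4Address(ip).packed[0] in BLOCKED_FIRST_OCTETS

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def triage(log, limit=3):
    """Map each rejected source IP to the local defenses that would catch it."""
    verdicts = {}
    for ip, count in parse_rejections(log).items():
        reasons = []
        if count > limit:  # "too many is a number you chose"
            reasons.append("per-ip-threshold")
        if locally_blocked(ip):
            reasons.append("local-range")
        verdicts[ip] = reasons
    return verdicts

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, reasons or ["missed: check " + dnsbl_query_name(ip)])
```

Addresses that neither defense catches are the ones for which a DNSBL lookup such as Zen is the remaining check.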
