Security Incidents mailing list archives

SMTP username dictionary attack


From: Rich Puhek <rpuhek () etnsystems com>
Date: Thu, 06 Mar 2003 12:41:43 -0600

We recently (last night) saw an interesting variation of an SMTP dictionary attack. I'm reporting it here for two unique characteristics:

1) It was a temporary DOS against the victim server (despite SMTP RCPT throttling). It appeared that the initial connection was sending a huge volume of addresses in a single RCPT, and was aggressively initiating more RCPT connections. The connection rate throttle did trigger, but the sheer volume of bad recipients appeared to mean it was too late.

2) Rather than a traditional dictionary attack, a brute-force attack was used, starting with two-letter usernames, then moving on to three-letter names. Some combinations appeared to be missing, but basically it was progressing through all alphabetic combinations. Interestingly, the "most significant letter" if you will appeared to be the rightmost, as in:
aa
ba
ca
da
...
ab
bb
cb
...
wz
xz
yz
baa
caa
daa
eaa
....

They made it all the way to "xcfha" before I intervened.

Source machine appears to be an AT&T cable modem. Appropriate AT&T contacts have been listed. Woke me up in the middle of the night, so I didn't spend much time in analysis, I just started dropping SMTP from that machine at the border.

As an off-topic idea... if this becomes common, it would be awfully fun to poison their spamlist by pretending all of the addresses were valid :-).

--Rich

_________________________________________________________

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: rpuhek () etnsystems com
_________________________________________________________
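
An added example, not part of Rich's post and not code from ETN Systems: it models the enumeration order he describes (leftmost letter changing fastest, shorter names first, starting at two letters) and runs a per-client rejection counter over constructed sendmail-style "User unknown" log lines. The log format, the relay addresses, the domain and the thresholds are all assumptions made for the example; nothing here reproduces the original logs.

```python
"""Model the username walk described in the post and spot it in MTA logs.

In the reported attack the leftmost letter changes fastest (aa, ba, ca, ...,
ab, bb, ...), so each localpart is a little-endian base-26 number, and all
shorter names come before longer ones.  With that order we can say how deep
into the keyspace "xcfha" is, and flag a client whose rejected recipients
advance through the order one step at a time.  Counting rejections per
client catches a burst of RCPTs on a single connection, which a
connection-rate throttle (as the post notes) can miss.
"""
import re
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase
BASE = len(ALPHABET)
MIN_LEN = 2  # the attack started at two-letter names


def ordinal(localpart: str) -> int:
    """Position of localpart in the attacker's order (aa == 0)."""
    n = len(localpart)
    if n < MIN_LEN or any(c not in ALPHABET for c in localpart):
        raise ValueError(f"not an all-lowercase-alpha name: {localpart!r}")
    shorter = sum(BASE ** k for k in range(MIN_LEN, n))  # all shorter names
    value = 0
    for i, c in enumerate(localpart):  # index 0 is the least significant digit
        value += ALPHABET.index(c) * BASE ** i
    return shorter + value


def name_at(k: int) -> str:
    """Inverse of ordinal(): the k-th name in the attacker's order."""
    n = MIN_LEN
    while k >= BASE ** n:
        k -= BASE ** n
        n += 1
    digits = []
    for _ in range(n):
        digits.append(ALPHABET[k % BASE])
        k //= BASE
    return "".join(digits)  # first digit emitted is the leftmost letter


# Constructed log lines in a simplified sendmail-like style; hosts, IDs and
# the domain are made up for this example.
SAMPLE_LOG = """\
Mar  6 02:13:01 mx sendmail[4411]: h26813abc: <aa@example.net>... User unknown, relay=[10.0.0.7]
Mar  6 02:13:01 mx sendmail[4411]: h26813abc: <ba@example.net>... User unknown, relay=[10.0.0.7]
Mar  6 02:13:01 mx sendmail[4411]: h26813abc: <ca@example.net>... User unknown, relay=[10.0.0.7]
Mar  6 02:13:02 mx sendmail[4411]: h26813abc: <da@example.net>... User unknown, relay=[10.0.0.7]
Mar  6 02:13:02 mx sendmail[4412]: h26813abd: <bob@example.net>... User unknown, relay=[192.0.2.9]
Mar  6 02:13:02 mx sendmail[4411]: h26813abc: <ea@example.net>... User unknown, relay=[10.0.0.7]
Mar  6 02:13:02 mx sendmail[4411]: h26813abc: <fa@example.net>... User unknown, relay=[10.0.0.7]
Mar  6 02:13:03 mx sendmail[4412]: h26813abd: <alice@example.net>... User unknown, relay=[192.0.2.9]
"""

LOG_RE = re.compile(
    r"<(?P<local>[^@>]+)@[^>]*>\.\.\. User unknown, relay=\[(?P<ip>[^\]]+)\]"
)


def sequential_clients(log_text: str, min_rejects: int = 5, max_step: int = 3) -> dict:
    """Return {relay_ip: rejection_count} for clients whose rejected
    recipients walk the enumeration order.  max_step tolerates the small
    gaps the post mentions ("some combinations appeared to be missing")."""
    seen = defaultdict(list)
    for m in LOG_RE.finditer(log_text):
        try:
            seen[m["ip"]].append(ordinal(m["local"]))
        except ValueError:
            pass  # digits, dots, too short: not part of the alpha walk
    flagged = {}
    for ip, ords in seen.items():
        if len(ords) < min_rejects:
            continue
        steps = [b - a for a, b in zip(ords, ords[1:])]
        forward = sum(1 for s in steps if 1 <= s <= max_step)
        if forward >= 0.8 * len(steps):  # most steps are small forward moves
            flagged[ip] = len(ords)
    return flagged


if __name__ == "__main__":
    print("xcfha is name number", ordinal("xcfha") + 1, "in this walk")
    print("clients walking the keyspace:", sequential_clients(SAMPLE_LOG))
```

In the strict walk modelled here "zz" and "aaa" sit between "yz" and "baa", and "xcfha" is roughly the 600,000th name, which gives a feel for how many RCPTs the victim absorbed. Keying the counter on rejections per relay rather than connections per relay is the point: one connection stuffed with thousands of RCPTs still trips it.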

