SMTP auth attacks are on the rise again. What does this mean?
Exchange and many other messaging servers support authenticated SMTP, meaning that a username/password combination is used in order to send mail. Spammers can then take a closed relay, i.e. a mail server that should not be sending mail on anyone's behalf except the owning organization's, and use the authentication mechanism to relay spam through it. This is a really popular kind of attack, since servers that have been locked down against every other kind of relay attack are wide open to this one.
How does it work?
Spammers use a technique known as a brute force dictionary attack, meaning that thousands of combinations of usernames and passwords are generated in order to guess which combination may work for your server, pretty similar to picking a lock. Once a valid combination is found, spammers can then use a previously locked down server to send out spam.
How can this attack be made visible?
Regular monitoring of mail queues. Mail queues which contain items that obviously do not originate from known senders inside the organization, especially in high volumes, are a giveaway, particularly when combined with a recent listing on several real-time block lists.
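As an added example (not part of the original post), the script below triages a queue snapshot for the two giveaways just described: queued mail whose envelope sender domain is not one of the organization's own domains, and authenticated accounts with an unusually high number of queued messages. The queue export format, the organization domain, the account names and the thresholds are all assumptions; the sample snapshot is constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample queue snapshot (not real data). The columns are an
# assumed, simplified export: envelope sender, recipient domain, the
# authenticated account ("-" if the submission was anonymous) and the
# submitting client IP.
SAMPLE_QUEUE = """\
sender,recipient_domain,auth_account,client_ip
alice@example.org,partner.example,-,10.1.2.30
bob@example.org,partner.example,-,10.1.2.31
promo@cheap-pills.example,mail-a.example,EXAMPLE\\jsmith,203.0.113.77
promo@cheap-pills.example,mail-b.example,EXAMPLE\\jsmith,203.0.113.77
promo@cheap-pills.example,mail-c.example,EXAMPLE\\jsmith,203.0.113.77
promo@cheap-pills.example,mail-d.example,EXAMPLE\\jsmith,203.0.113.77
promo@cheap-pills.example,mail-e.example,EXAMPLE\\jsmith,203.0.113.77
promo@cheap-pills.example,mail-f.example,EXAMPLE\\jsmith,203.0.113.77
"""

# Assumed: the domains this organization legitimately sends mail from.
ORG_DOMAINS = {"example.org"}


def parse_queue(text):
    """Parse the queue export into a list of dict records (one per message)."""
    return list(csv.DictReader(io.StringIO(text)))


def sender_domain(address):
    """Lower-cased domain part of an envelope sender, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def triage_queue(records, org_domains=ORG_DOMAINS, per_account_threshold=50):
    """Flag two signs of authenticated-relay abuse in a queue snapshot.

    1. Queued mail whose sender domain is not an organization domain: it did
       not originate from an internal user and should not be leaving at all.
    2. Authenticated accounts with more queued messages than the threshold,
       since one compromised credential is reused for the whole spam run.
    The threshold is an assumption to tune per site.
    """
    foreign = Counter()
    per_account = Counter()
    account_ips = {}
    for rec in records:
        dom = sender_domain(rec["sender"])
        if dom not in org_domains:
            foreign[dom] += 1
        acct = rec["auth_account"]
        if acct != "-":
            per_account[acct] += 1
            account_ips.setdefault(acct, set()).add(rec["client_ip"])
    busy = {
        acct: {"count": n, "client_ips": sorted(account_ips[acct])}
        for acct, n in per_account.items()
        if n >= per_account_threshold
    }
    return {"foreign_sender_domains": dict(foreign), "busy_accounts": busy}


if __name__ == "__main__":
    findings = triage_queue(parse_queue(SAMPLE_QUEUE), per_account_threshold=5)
    for dom, n in findings["foreign_sender_domains"].items():
        print(f"{n} queued message(s) with non-organization sender domain {dom}")
    for acct, info in findings["busy_accounts"].items():
        print(f"account {acct}: {info['count']} queued messages "
              f"from {info['client_ips']}")
```

The per-account view matters more than the raw count: a spam run through a guessed credential usually shows one account, one submitting IP and a long list of unrelated recipient domains, which is exactly the pattern that should trigger a password reset for that account.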
How can it be prevented?
Separate incoming and outgoing SMTP virtual servers, and switch off SMTP authentication on the internet-facing SMTP stack. Switch on diagnostics logging and watch out for authentication and transport events which do not originate from inside the organization. Change the passwords of users whose accounts have been compromised and watch for similar events. Ensure that guest accounts are disabled and that strong passwords are enforced for all user and service accounts.
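The following is an added example, not code from the original post, covering both the brute force dictionary attack described earlier and the log watching recommended here. It reads authentication events in an assumed, simplified log format (real Exchange diagnostics logs carry more fields), flags sources with a burst of failed logins across many usernames, lists successful logins from outside the internal address ranges, and correlates the two to name the accounts whose passwords need changing first. The log lines, internal netblocks, usernames and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Exchange output). Assumed simplified
# format, one authentication event per line:
#   "<ISO-8601 timestamp> <client IP> AUTH <username> <SUCCESS|FAIL>"
# 198.51.100.9 runs a short dictionary sweep and then gets in as jsmith;
# 10.1.2.31 is an internal user mistyping their own password once.
SAMPLE_LOG = """\
2024-05-01T02:11:05Z 10.1.2.30 AUTH alice SUCCESS
2024-05-01T02:11:09Z 198.51.100.9 AUTH admin FAIL
2024-05-01T02:11:10Z 198.51.100.9 AUTH administrator FAIL
2024-05-01T02:11:11Z 198.51.100.9 AUTH guest FAIL
2024-05-01T02:11:12Z 198.51.100.9 AUTH test FAIL
2024-05-01T02:11:13Z 198.51.100.9 AUTH jsmith FAIL
2024-05-01T02:11:14Z 198.51.100.9 AUTH jsmith SUCCESS
2024-05-01T02:30:00Z 10.1.2.31 AUTH bob FAIL
2024-05-01T02:30:04Z 10.1.2.31 AUTH bob SUCCESS
"""

# Assumed internal address ranges; replace with the organization's own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse_log(text):
    """Parse AUTH lines into dicts holding a datetime, an ip_address, user and outcome."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "AUTH":
            continue  # blank or unrelated line
        ts, ip, _, user, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ipaddress.ip_address(ip),
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def is_internal(ip):
    """True if the client address lies inside one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_brute_force(events, max_failures=5, window=timedelta(minutes=10)):
    """Flag client IPs with >= max_failures AUTH failures inside a sliding window.

    A dictionary attack shows up as a burst of failures, usually across many
    different usernames, from one source; the distinct-user count separates
    that from one internal user fumbling their own password.
    """
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= max_failures:
                users = {e["user"] for e in fails[start:end + 1]}
                flagged[str(ip)] = {"failures": end - start + 1,
                                    "distinct_users": len(users),
                                    "first": fails[start]["ts"]}
                break
    return flagged


def find_external_success(events):
    """Successful authentications from outside the internal ranges.

    With authentication switched off on the internet-facing stack these should
    not occur at all; any that do point to a configuration gap or a guessed
    password.
    """
    return [{"ip": str(e["ip"]), "user": e["user"], "ts": e["ts"].isoformat()}
            for e in events if e["ok"] and not is_internal(e["ip"])]


def likely_compromised(events, **kwargs):
    """Map username -> source IP for accounts that logged in successfully from a
    source already flagged for brute forcing: change these passwords first."""
    flagged = find_brute_force(events, **kwargs)
    hits = {}
    for e in events:
        src = str(e["ip"])
        if e["ok"] and src in flagged and e["ts"] >= flagged[src]["first"]:
            hits[e["user"]] = src
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force sources:", find_brute_force(evts))
    print("external successes:", find_external_success(evts))
    print("accounts to reset:", likely_compromised(evts))
```

The window and failure count are deliberately parameters: a lockout-style threshold tuned too low will flag the internal user who mistypes a password twice, while one tuned too high lets a slow, low-rate sweep through, so the distinct-username count is the more reliable discriminator of the two.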
Even better, put something else in front of Exchange to absorb incoming SMTP mail: something which does not support SMTP authentication and combines that with a number of other anti-spam filters. Exchange is by nature fantastically feature rich; however, unless it is secured properly, it may be best not to have Exchange be internet facing at all. Multi-level and multi-vendor protection is often the best approach to securing against spam attacks. Along with regular monitoring and a well thought out configuration, most known spam attacks, including SMTP auth attacks, can be prevented.