Starting from approximately November 2002, a large quantity of spam advertising domains whose DNS is served by Ralsky-controlled Chinese nameservers has been transmitted by forcing third-party relaying via SMTP Authentication. In the past these attacks were launched from dynamic IP connections located in Chongqing, China, but there are recent observations of similar attacks coming from other provinces. In particular, the IP ranges involved are:

    211.158.12.0 - 211.158.12.255 [cqnet.com.cn, SBL11978]
    211.158.32.0 - 211.158.51.255 [cqnet.com.cn, SBL8282, SBL8680]
    211.158.64.0 - 211.158.79.255 [cqnet.com.cn, SBL9326]
    211.158.80.0 - 211.158.95.255 [cqnet.com.cn, SBL7496]
    218.10.57.0 - 218.10.57.255 [cncgroup-HL, SBL11430]
    218.10.190.0 - 218.10.190.255 [cncgroup-HL, SBL10918]
    218.70.8.0 - 218.70.11.255 [chinanet-CQ, SBL10940]
    218.70.136.0 - 218.70.151.255 [chinanet-CQ, SBL10246, SBL10247]
    218.107.0.0 - 218.107.1.255 [china netcom, SBL12286]
    219.153.144.0 - 219.153.159.255 [chinanet-CQ, SBL10536]

Starting in November 2003, similar abuses (distributing the same kind of spam) have also been seen coming from open proxies.
Here is what typical headers look like:

    From achiever@yahoo.com Sun Aug 31 22:59:32 2003
    Return-Path: <achiever@yahoo.com>
    Received: from t37931hzsrv01.mapframe.com (mapframe.com [216.91.170.2])
        by __________ (Postfix) with ESMTP id 113E462D03
        for <x>; Sun, 31 Aug 2003 22:59:28 +0200 (CEST)
    Received: from adjudging ([218.70.145.204])
        by t37931hzsrv01.mapframe.com with Microsoft SMTPSVC(5.0.2195.5329);
        Sun, 31 Aug 2003 15:59:07 -0500
    From: "Jan Banuelos" <achiever@yahoo.com>
    To: x
    Subject: HGH Can Create a New You for Spring
    Date: Sun, 5 May 2002 05:12:43 GMT
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit
    Message-ID: <T37931HZSRV01v3zOdn00005024@t37931hzsrv01.mapframe.com>

    From pow@163.COM Tue Aug 19 17:21:35 2003
    Return-Path: <pow@163.COM>
    Received: from ns.isoutsider.com (unknown [210.109.171.2])
        by ___________ (Postfix) with ESMTP id 103A16E760
        for <x>; Tue, 19 Aug 2003 17:21:28 +0200 (CEST)
    Received: from adventures ([211.158.91.33])
        (authenticated)
        by ns.isoutsider.com (8.11.6/8.11.6) with ESMTP id h7JFLKK09867
        for <x>; Wed, 20 Aug 2003 00:21:22 +0900
    Message-Id: <200308191521.h7JFLKK09867@ns.isoutsider.com>
    Date: Wed, 23 Jan 2002 18:15:18 GMT
    From: "Rajendra Irwin" <pow@163.COM>
    To: x
    Subject: hypothalamus

This looks like open relay spam, with 216.91.170.2 and 210.109.171.2 being the open relays. However, these two systems were not open relays in the traditional sense, and they passed all the usual open-relay tests at the time the spam was transmitted. So one may be tempted to think that they were the spam origin or open proxies, and that the second Received line is forged. This is not the case. The Chongqing IPs 218.70.145.204 and 211.158.91.33 were indeed the real origin of the spam, and 216.91.170.2 and 210.109.171.2 were indeed third-party relays abused by the spammer. These relays were abused using SMTP AUTH. Note that only the sendmail relay records this in its Received line (the "(authenticated)" token in the second sample); the Microsoft SMTPSVC header in the first sample gives no indication that the session was authenticated, so on such servers the relay's own logs have to be consulted.
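As an added example (not part of the original Spamhaus page), the following Python walks the Received: chain of the two sample messages above, reports the earliest hop (the client that connected to the abused relay), checks whether that client address falls in the ranges listed on this page, and flags the sendmail "(authenticated)" marker. The header text is copied from the page, with the redacted receiving host kept as printed; the function and variable names are this example's own.

```python
import email
import ipaddress
import re

# IP ranges as listed on this page: (first address, last address).
LISTED_RANGES = [
    ("211.158.12.0", "211.158.12.255"),    # cqnet.com.cn, SBL11978
    ("211.158.32.0", "211.158.51.255"),    # cqnet.com.cn, SBL8282, SBL8680
    ("211.158.64.0", "211.158.79.255"),    # cqnet.com.cn, SBL9326
    ("211.158.80.0", "211.158.95.255"),    # cqnet.com.cn, SBL7496
    ("218.10.57.0", "218.10.57.255"),      # cncgroup-HL, SBL11430
    ("218.10.190.0", "218.10.190.255"),    # cncgroup-HL, SBL10918
    ("218.70.8.0", "218.70.11.255"),       # chinanet-CQ, SBL10940
    ("218.70.136.0", "218.70.151.255"),    # chinanet-CQ, SBL10246, SBL10247
    ("218.107.0.0", "218.107.1.255"),      # china netcom, SBL12286
    ("219.153.144.0", "219.153.159.255"),  # chinanet-CQ, SBL10536
]

# summarize_address_range turns a first/last pair into the minimal CIDR list,
# so ranges that are not CIDR-aligned (e.g. 211.158.32.0-211.158.51.255) work.
LISTED_NETWORKS = [
    net
    for first, last in LISTED_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]


def in_listed_range(ip):
    """True if the dotted-quad string falls in one of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LISTED_NETWORKS)


def parse_received(value):
    """Extract HELO name, client IP, receiving host and the sendmail
    '(authenticated)' marker from one Received: header value."""
    text = " ".join(value.split())           # unfold continuation lines
    helo = re.match(r"from\s+(\S+)", text)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    by = re.search(r"\bby\s+(\S+)", text)
    return {
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "authenticated": "(authenticated)" in text,
    }


def trace_origin(raw_headers):
    """Report the earliest visible hop of a message: Received: headers are
    prepended, so the last one names the client that hit the abused relay."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1]
    return {
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],
        "relay": origin["by"],
        "relay_marked_authenticated": origin["authenticated"],
        "origin_in_listed_range": in_listed_range(origin["ip"]),
    }


# Headers from the two samples on this page (mbox From_ line dropped).
SAMPLE_SMTPSVC_RELAY = """\
Return-Path: <achiever@yahoo.com>
Received: from t37931hzsrv01.mapframe.com (mapframe.com [216.91.170.2])
    by __________ (Postfix) with ESMTP id 113E462D03
    for <x>; Sun, 31 Aug 2003 22:59:28 +0200 (CEST)
Received: from adjudging ([218.70.145.204])
    by t37931hzsrv01.mapframe.com with Microsoft SMTPSVC(5.0.2195.5329);
    Sun, 31 Aug 2003 15:59:07 -0500
From: "Jan Banuelos" <achiever@yahoo.com>
Subject: HGH Can Create a New You for Spring
Message-ID: <T37931HZSRV01v3zOdn00005024@t37931hzsrv01.mapframe.com>
"""

SAMPLE_SENDMAIL_RELAY = """\
Return-Path: <pow@163.COM>
Received: from ns.isoutsider.com (unknown [210.109.171.2])
    by ___________ (Postfix) with ESMTP id 103A16E760
    for <x>; Tue, 19 Aug 2003 17:21:28 +0200 (CEST)
Received: from adventures ([211.158.91.33])
    (authenticated)
    by ns.isoutsider.com (8.11.6/8.11.6) with ESMTP id h7JFLKK09867
    for <x>; Wed, 20 Aug 2003 00:21:22 +0900
Message-Id: <200308191521.h7JFLKK09867@ns.isoutsider.com>
From: "Rajendra Irwin" <pow@163.COM>
Subject: hypothalamus
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SMTPSVC_RELAY, SAMPLE_SENDMAIL_RELAY):
        print(trace_origin(sample))
```

For the sendmail sample the result names 211.158.91.33 as the origin, ns.isoutsider.com as the relay, and the authenticated marker as present; for the SMTPSVC sample the origin 218.70.145.204 is likewise in a listed range, but the marker is absent because that server does not record it, which is exactly why the relay's own logs are needed there.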
That is, the spammer supplied a valid username/password pair to the server, was authenticated, and was therefore granted permission to send mail anywhere. Such attacks therefore succeed only where weak passwords are in use. This spam operation constantly scans the net to find abusable servers to use in subsequent spam runs. All brands of servers (sendmail, Exchange, MDaemon, Rockliffe, etc.) are equally targeted, as long as they support SMTP AUTH. The attacker tries several username/password pairs, such as admin/admin, following a fixed pattern and hoping to find a combination that lets him in. An analysis done in July 2003 showed that a total of 276 combinations are attempted (of course new ones may have been added in the meanwhile):

Usernames:

    webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc

each with the following passwords:

    ${username}, ${username}12, ${username}123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&*

as well as with a blank password (12 usernames x 23 passwords = 276 attempts).

MDaemon users beware! The account creation tool of recent versions of MDaemon defaults the password to the account name. If the default is accepted, the account is open to exploitation by this spam operation (it is the ${username} case above).

Exchange 5.5 and Exchange 2000 users beware! If the Guest account is active, your system may be vulnerable to exploitation (follow the link below for more detail).

Spamhaus acknowledges and appreciates the efforts of other people in gathering the information presented here.

Exchange Server SMTP AUTH Attacks (Exchange users please read this)
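The following Python is an added example (not code from the Spamhaus page) that turns the July 2003 observation above into an audit a mail administrator can run against his own account list before the spammer does: it expands the 12 usernames and 23 password patterns into the 276 attempted pairs and flags accounts whose credentials would fall to them. The account list is constructed for the example; the case-insensitive username match is an assumption (servers differ), and the function names are this example's own.

```python
# Usernames and password patterns as published in the July 2003 analysis.
USERNAMES = [
    "webmaster", "admin", "root", "test", "master", "web", "www",
    "administrator", "backup", "server", "data", "abc",
]

PASSWORD_PATTERNS = [
    "${username}", "${username}12", "${username}123",
    "1", "111", "123", "1234", "12345", "123456", "1234567", "12345678",
    "654321", "54321", "00000000", "88888888",
    "admin", "root", "pass", "passwd", "password", "super", "!@#$%^&*",
    "",                                   # blank password
]

# Patterns that do not depend on the account name.
FIXED_PASSWORDS = {p for p in PASSWORD_PATTERNS if "${username}" not in p}


def passwords_for(username):
    """The 23 passwords tried against one username."""
    return [p.replace("${username}", username) for p in PASSWORD_PATTERNS]


def attempted_pairs():
    """All 276 (username, password) attempts, as the page counts them.
    Note admin/admin and root/root occur twice (once via ${username},
    once as the literal), so only 274 pairs are distinct."""
    return [(u, p) for u in USERNAMES for p in passwords_for(u)]


def audit_accounts(accounts):
    """Return {account: reason} for every (username, password) pair that this
    operation's dictionary would hit. Username matching is case-insensitive
    (an assumption about the target server)."""
    findings = {}
    for user, pw in accounts:
        u = user.lower()
        if u in USERNAMES and pw in passwords_for(u):
            findings[user] = "exact pair in the attacker's 276-combination list"
        elif pw in (u, u + "12", u + "123"):
            # MDaemon's default (password == account name) lands here.
            findings[user] = "password derived from the account name"
        elif pw in FIXED_PASSWORDS:
            findings[user] = ("password in the attacker's fixed list "
                              "(username not targeted yet)")
    return findings


# Constructed sample account dump for the example; not real credentials.
SAMPLE_ACCOUNTS = [
    ("webmaster", "webmaster"),       # MDaemon-style default
    ("admin", "Tr0ub4dor&3"),         # targeted name, strong password
    ("test", ""),                     # blank password
    ("backup", "backup123"),
    ("jsmith", "123456"),             # name not in list, password is
    ("Administrator", "password"),
    ("sales", "sales"),
]

if __name__ == "__main__":
    print(len(attempted_pairs()), "attempts,",
          len(set(attempted_pairs())), "distinct")
    for account, reason in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {reason}")
```

Run against the sample list, the audit flags six of the seven accounts and leaves admin alone: the operation targets the name, but a password outside its dictionary is not at risk from this particular attacker. Feeding it a real account export (or, where passwords are hashed, running the 276 pairs through your server's own AUTH check from a trusted host) is the practical check.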
The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.