Failed SMTP Authentication from Huge Botnet
Problem reported by Paul White - October 3 at 5:37 PM
Recently a client's email accounts were compromised and used to send out that modern virus email, the one that typically has a subject about a payment or invoice and a Word doc attached with a macro virus.  Ever since those accounts were compromised and we updated the passwords, a huge botnet has been trying to authenticate on the server using many of those compromised accounts.  This botnet has thousands of IPs (compromised systems) at its disposal.  The common thing is that on the EHLO or HELO command it's always a 10.x.x.x, so I have added an SMTP filter to reject connections with that.  I even added some custom coding to add those IPs to the firewall.  Unfortunately I am finding that some ISPs, AT&T Wireless for example, will use that same hostname when attempting to authenticate.  Last time I checked my firewall it was blocking over 10K IPs from that botnet.

Any advice to dealing with this?
Any way to report IPs being controlled by a botnet in an automated way?

5 Replies

Maybe see if your upstream provider can block them or somehow filter them?
Make a honeypot, or redirect all of that traffic over to the FBI servers so they can look at it?  hehehehe

Curious, what firewall are you using?  When you say custom coding, do you mean you got SM to export to the firewall, or the firewall to import the list?
I was looking at pfSense to do something similar, as we have a few standard attackers that are sucking down a lot of server resources. I look at our SmarterMail logs and I see something like 60% of the activity is saying "blocked" or "banned" or "rejected" for various reasons. I want to eliminate our server having to deal with that and offload it to the firewall.

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.

Paul White Replied
I don't think it's anything my provider could block, unless there is some special blacklist of known compromised IPs.  I am just using the Windows Firewall, but I have a few custom .NET scripts I wrote that scan the SMTP logs every minute for suspicious activity.   I then have a separate list of bad words that it looks for. If it finds a match, then it grabs the IP and adds it to the firewall.    The botnet stopped its attack a couple of days ago.  Not sure if I finally blocked all its IPs, or it just gave up.  I am thinking the latter.
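The log-scanning approach described in the original post and in Paul White's reply above (scan the SMTP log on a schedule, match responses against a list of bad words, pull the client IP, push it to the Windows Firewall), written out as an added example. This is not the poster's .NET code, which the thread does not show; it is a stand-alone Python version that works on constructed sample lines in a hypothetical log format (real SmarterMail logs will need the regular expression adjusted). It records the 10.x.x.x HELO as evidence but only blocks on repeated failed logins, which is the check that keeps legitimate clients that also send a private HELO (the AT&T Wireless case above) out of the firewall. The emitted `netsh advfirewall` command is built as a string rather than executed so the script can be run and inspected safely.

```python
"""Detect distributed SMTP AUTH password guessing in a mail log and build a
Windows Firewall block rule for the offending client IPs (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a hypothetical format: [date] time [client-ip][session] cmd|rsp: text
SAMPLE_LOG = """\
[2016.10.01] 17:37:02 [198.51.100.7][1001] cmd: EHLO 10.0.0.5
[2016.10.01] 17:37:02 [198.51.100.7][1001] rsp: 535 Authentication failed
[2016.10.01] 17:37:03 [198.51.100.7][1001] rsp: 535 Authentication failed
[2016.10.01] 17:37:04 [198.51.100.7][1001] rsp: 535 Authentication failed
[2016.10.01] 17:37:05 [203.0.113.9][1002] cmd: EHLO 10.1.2.3
[2016.10.01] 17:37:05 [203.0.113.9][1002] rsp: 535 Authentication failed
[2016.10.01] 17:37:06 [203.0.113.9][1002] rsp: 535 Authentication failed
[2016.10.01] 17:37:06 [203.0.113.9][1002] rsp: 535 Authentication failed
[2016.10.01] 17:38:10 [192.0.2.44][1003] cmd: EHLO 10.5.5.5
[2016.10.01] 17:38:10 [192.0.2.44][1003] rsp: 235 Authentication successful
[2016.10.01] 17:38:20 [192.0.2.80][1004] cmd: EHLO mail.example.net
[2016.10.01] 17:38:21 [192.0.2.80][1004] rsp: 535 Authentication failed
"""

# Response fragments that count as a failed login (the "bad words" list from the thread).
BAD_WORDS = ("authentication failed", "authentication unsuccessful", "invalid login")

# HELO/EHLO names that are bare RFC 1918 addresses, the pattern the poster observed.
PRIVATE_HELO_NETS = [ip_network("10.0.0.0/8")]

# Hypothetical log layout; adjust the groups for the real log format.
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] (?P<time>\S+) \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] "
    r"(?P<kind>cmd|rsp): (?P<text>.*)$"
)


def _is_private_helo(name):
    """True when the HELO argument parses as an address inside PRIVATE_HELO_NETS."""
    try:
        addr = ip_address(name)
    except ValueError:          # a hostname, not an IP literal
        return False
    return any(addr in net for net in PRIVATE_HELO_NETS)


def analyze(log_text):
    """Per client IP: failed logins, successful logins, and whether a private HELO was seen."""
    stats = defaultdict(lambda: {"fail": 0, "success": 0, "private_helo": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        text = m["text"]
        if m["kind"] == "cmd":
            parts = text.split(None, 1)
            if len(parts) == 2 and parts[0].upper() in ("EHLO", "HELO"):
                entry["private_helo"] = entry["private_helo"] or _is_private_helo(parts[1].strip())
        else:
            lowered = text.lower()
            if any(word in lowered for word in BAD_WORDS):
                entry["fail"] += 1
            elif text.startswith("235"):   # 235 = authentication succeeded
                entry["success"] += 1
    return dict(stats)


def select_blocks(stats, threshold=3):
    """IPs with at least `threshold` failed logins. A private HELO alone never triggers a
    block, because legitimate clients send one too; it is kept in the stats as evidence."""
    return sorted(ip for ip, s in stats.items() if s["fail"] >= threshold)


def netsh_rule(ips, name="SMTP-AUTH-botnet"):
    """Windows Firewall command (netsh advfirewall) that blocks the given IPs inbound.
    Returned as a string; run it with subprocess on the mail server if desired."""
    if not ips:
        return None
    return ('netsh advfirewall firewall add rule name="%s" dir=in action=block remoteip=%s'
            % (name, ",".join(ips)))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for ip, s in sorted(results.items()):
        print(ip, s)
    blocked = select_blocks(results)
    print(netsh_rule(blocked))
```

On the sample, the two clients with three failed logins are selected and `192.0.2.44` is left alone even though it sent a `10.x.x.x` HELO, since it authenticated successfully and never failed. For a scheduled run, keep the set of already-blocked IPs on disk and only emit rules for new ones, since the rule list grows large (the thread mentions over 10K entries) and `netsh` accepts many comma-separated addresses per rule.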
echoDreamz Replied
We have filtering through Level 3 that does a dang good job filtering out malicious traffic, DDoS attacks, etc. Keeps a ton of junk from hitting our routers.

Christopher

Paul White Replied
It wasn't really a DDoS attack.  They just used thousands of compromised machines to test passwords on SMTP authentication.  Every IP was different, making blocking IPs a game of "Whack-a-Mole".  It was coordinated, as the requests would come every second or so.  At no time did it overwhelm the server.  Just annoying.
echoDreamz Replied
Yep, Level 3 protects us from items like this as well. They monitor traffic from all over their network, not just to us. They use historic data, traffic patterns, etc., and based on our filtering level and other options that we configure, they either blackhole the connection or limit it.

Christopher
