This particular botnet (and you can tell this strain by the password list attempted, and the number of attempts from each IP) appears to come from at least two (2) actors, one which is a Windows malware on older Windows machines, and the other uses the GPON/router compromised botnets.

Interestingly, the bot appears to simply 'harvest' those email accounts it finds with weak passwords, and later uses a different system to actually utilize the compromised account, so maybe someone is just harvesting those for resale, but usually it is within a couple of days of the compromise that it gets utilized.

Seeing a lot of utilization from cloud providers, e.g. Azure, Google and AWS, for this utilization.

You should prevent logins from the cloud, for the most part. The IP ranges (see earlier threads) are public knowledge.

(Shameless plug: you can use RATS-AUTH and RATS-NULL for blocking auth attacks, and we are looking at making RATS-CLOUD public.)

But as far as those attacks from dynamic IP ranges and IoT devices, well, be careful what you block, because that is where real people access it from.

We do have country auth blocking on all our mitigation tools and mail platforms, and that is really helpful, and of course transparent 2FA should be used, and then it simply becomes noise in the logs.

(Until that one customer decides to travel to Brazil ;)

But even with country auth blocking, the real dangerous hackers simply get an IP address in your country. And while fail2ban is everyone's go to, remember that the botnets number in the millions, so they can simply do a couple of auth attacks from each IP, and spread the attack out.

And of course, you should have auth rate limiters on an individual user basis. A trick we use is checking rate limiters per person on an IP address + EHLO basis, which can really help for the majority. There are some bots that randomize the EHLO in attacks, making it trickier, but the type of randomization they use is a signal all on its own.

And nowadays, with more use of Carrier Grade NAT, or really large wifi networks, you have to be careful that one bad actor doesn't block out a valid network.

All in all, you can easily do improved auth ACLs and controls, but the only long term solution is transparent 2FA.

(One approach: you can tighten 465/587/993/995 with country and cloud auth restrictions, and force everyone else to use webmail or email clients that support transparent 2FA.)

On 2021-07-17 7:05 p.m., Andre van Eyssen via mailop wrote:
On Sat, 17 Jul 2021, Slavko via mailop wrote:

Please, I want to ask others if these (mostly) Brazil attempts are known to
others too, or am I a "special" target? Some other questions come
to my mind without answers; while perhaps nobody here will/can know
the right answer, I will ask:

Nope, this is sadly a fact of life these days. At times there's way more bad auth attempts than actual mail running through one of my MXes.

- I have used the blocklist.de IP list to block access on the router for years, but I
 feel that in recent times it is not as effective as before; can it be
 related, that I did not see similar attempts before?

The fact that you're using a blocklist is probably why you're only seeing the distributed scattered attempts and not a roar from certain subnets. I've had a few /24s blocked for years now and every time I give them a test unblock they just start pouring brute force attempts in.

Picking one subnet from the last little while, there are attempts from:

Jul-18-21 00:24:40 [Worker_1] [TLS-out] 78.128.113.99 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 00:44:15 [Worker_1] [TLS-out] 78.128.113.75 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:09:57 [Worker_1] [TLS-out] 78.128.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:41:02 [Worker_1] [TLS-out] 78.128.113.77 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:41 [Worker_1] [TLS-out] 78.128.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:46 [Worker_1] 78.128.113.69 [SMTP Error] 521 (redacted) does not accept mail - closing transmission - too many previous AUTH errors from network 78.128.113.0

(After five attempts the /24 goes into the sin bin and all auth attempts are rejected.)




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
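As an added example that is not part of the thread (neither Michael's nor Andre's code): the Python below parses the auth-failure log lines Andre posted, counts 535 failures per /24 in a sliding window and trips the "sin bin" on the fifth failure, which is the point at which his MX started answering 521 to the whole network. The same limiter class keyed on (IP, EHLO) instead of /24 gives the per-person rate limiter Michael describes. The class and function names, the two-hour window and the key functions are assumptions; the log lines are the ones from the message, and the IP+EHLO events in the usage are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The six lines Andre posted from his MX, one per line (the archive ran them together).
SAMPLE_LOG = """\
Jul-18-21 00:24:40 [Worker_1] [TLS-out] 78.128.113.99 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 00:44:15 [Worker_1] [TLS-out] 78.128.113.75 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:09:57 [Worker_1] [TLS-out] 78.128.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:41:02 [Worker_1] [TLS-out] 78.128.113.77 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:41 [Worker_1] [TLS-out] 78.128.113.74 [SMTP Error] 535 5.7.8 Bad username or password (Authentication failed).
Jul-18-21 01:46:46 [Worker_1] 78.128.113.69 [SMTP Error] 521 (redacted) does not accept mail - closing transmission - too many previous AUTH errors from network 78.128.113.0
"""

# Assumed log format: timestamp, worker, optional [TLS-out], client IP, SMTP reply code.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[Worker_\d+\] (?:\[TLS-out\] )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[SMTP Error\] (?P<code>\d{3})"
)


def parse_log(text):
    """Return (timestamp, client_ip, smtp_code) for every line that matches the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b-%d-%y %H:%M:%S")
        events.append((ts, m["ip"], int(m["code"])))
    return events


def network24(ip):
    """Collapse a client IP to its /24, the granularity Andre's sin bin works on."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class AuthFailureLimiter:
    """Sliding-window counter of AUTH failures, bucketed by whatever key_fn returns.

    key_fn receives the event fields as keyword arguments (ip=..., ehlo=...) so the
    same class serves the per-/24 sin bin and the per-(IP, EHLO) limiter.
    """

    def __init__(self, key_fn, threshold=5, window=timedelta(hours=2)):
        self.key_fn = key_fn
        self.threshold = threshold      # 5 = "after five attempts" in the thread
        self.window = window            # assumed; bounds collateral damage behind CGNAT
        self._hits = defaultdict(deque)

    def _prune(self, key, now):
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ts, **fields):
        """Register one failure; True once the bucket has reached the threshold."""
        key = self.key_fn(**fields)
        self._prune(key, ts)
        self._hits[key].append(ts)
        return len(self._hits[key]) >= self.threshold

    def is_blocked(self, ts, **fields):
        """Should a new AUTH from these fields be rejected outright (the 521 case)?"""
        key = self.key_fn(**fields)
        self._prune(key, ts)
        return len(self._hits[key]) >= self.threshold


def replay(text, limiter=None):
    """Feed every 535 from the log into a per-/24 limiter; return the decision per line."""
    limiter = limiter or AuthFailureLimiter(lambda ip, **_: network24(ip))
    decisions = []
    for ts, ip, code in parse_log(text):
        if code != 535:
            continue  # 521 lines are the server's own rejections, not client failures
        tripped = limiter.record_failure(ts, ip=ip)
        decisions.append((ts.strftime("%H:%M:%S"), ip, "sin-bin" if tripped else "count"))
    return decisions, limiter


if __name__ == "__main__":
    decisions, limiter = replay(SAMPLE_LOG)
    for row in decisions:
        print(*row)
    # The 521 at 01:46:46 came from a fifth host in the same /24; the limiter agrees.
    print("78.128.113.69 blocked at 01:46:46:",
          limiter.is_blocked(datetime(2021, 7, 18, 1, 46, 46), ip="78.128.113.69"))
```

The window is the knob the thread warns about: a /24 behind Carrier Grade NAT or a large wifi network is shared by real users, so failures should age out rather than block the prefix permanently, and a per-(IP, EHLO) key (`lambda ip, ehlo, **_: (ip, ehlo)`) isolates one misbehaving client from the rest of a shared address.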
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
