On 2021-09-09 at 15:21:02 UTC-0400 (Thu, 9 Sep 2021 15:21:02 -0400)
J Doe <gene...@nativemethods.com>
is rumored to have said:
[...]
> Hi,
> In this case, is the botnet actually trying credentials? It looks to
> me that it is establishing a TLS connection and then dropping it (or
> am I mistaken?).
Note this log line from the original message:
Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from
unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
That's an indicator of a failed "AUTH" command. I suppose that *would*
happen if the bot somehow sent an AUTH command without providing any
credentials but there's no indication logged by Postfix of exactly how
or why an AUTH command fails; Postfix doesn't really know. Whatever SASL
layer Postfix is using obviously must know, but it is likely not to log
it.
> If it is just establishing TLS and is not actually trying credentials,
> why would a botnet do that?
Purely hypothetical, but the obvious answer IF that were happening would
be dumb bot coders.
Postscreen works so well because bots do useless and idiosyncratic
things. For almost 2 decades, one botnet has been doing things in SMTP
that are perfect fingerprints. If the geniuses behind Cutwail can shoot
themselves in the foot a billion times a day, surely one of the
cred-stuffer bots could treat /dev/zero as their credentials list.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
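The disconnect summary discussed above is the only place Postfix records that an AUTH command was issued and not accepted, so a defender reading for credential stuffing has to decode the "name=ok/total" counters. This added example (not part of the thread, and not Postfix's own code) parses such lines and totals failed AUTH commands per client IP; the sample log is constructed, with the message's own line first and RFC 5737 test addresses for the rest.

```python
import re
from collections import defaultdict

# Postfix smtpd "disconnect" summary, e.g.
#   ... postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
# A counter is logged as "name=ok" when every attempt succeeded and as "name=ok/total"
# otherwise, so "auth=0/1" means one AUTH command was issued and none was accepted.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?P<counters>(?: [a-z-]+=\d+(?:/\d+)?)+)"
)
COUNTER_RE = re.compile(r"(?P<name>[a-z-]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")

def parse_disconnect(line):
    """Return (client_ip, {counter: (ok, total)}), or None for other log lines."""
    m = DISCONNECT_RE.search(line)
    if m is None:
        return None
    counters = {}
    for c in COUNTER_RE.finditer(m.group("counters")):
        ok = int(c.group("ok"))
        counters[c.group("name")] = (ok, int(c.group("total") or ok))
    return m.group("ip"), counters

def failed_auth_by_ip(lines):
    """Sum failed AUTH commands (attempted minus accepted) per client IP.
    Sessions that never sent AUTH (TLS set up, then dropped) are not counted."""
    failures = defaultdict(int)
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        ip, counters = parsed
        ok, total = counters.get("auth", (0, 0))
        if total > ok:
            failures[ip] += total - ok
    return dict(failures)

# Constructed sample log; the first entry is the line quoted in the message.
SAMPLE_LOG = [
    "Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from "
    "unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4",
    "Sep  6 09:18:01 localhost postfix/smtpd[14622]: disconnect from "
    "unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/3 commands=3/6",
    "Sep  6 09:18:30 localhost postfix/smtpd[14630]: disconnect from "
    "mail.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 quit=1 commands=5",
    "Sep  6 09:19:05 localhost postfix/smtpd[14631]: disconnect from "
    "unknown[192.0.2.99] ehlo=1 starttls=1 commands=2",
]

if __name__ == "__main__":
    print(failed_auth_by_ip(SAMPLE_LOG))  # {'77.247.110.240': 4}
```

The fourth sample is the "TLS then drop" session the question asks about: it carries no auth counter at all, so it is distinguishable from a failed AUTH without any extra SASL logging.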