Slashdot Mirror


Darkmail Attacks - The Next Network Threat?

An anonymous reader wonders: "SC Magazine are running an article on the growth of so-called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, has been recorded. Are these types of attack a new large-scale threat or just a passing fad?"

58 comments

  1. Spearphishing? Darkmail? Honeypot? by telstar · · Score: 3, Funny

    I feel like I went to sleep and woke up in a Mad Max sequel.

  2. Attacks by FidelCatsro · · Score: 1, Funny

    Will always be a risk till humanity matures and has some global consciousness (or something of that sort), or if the vulnerabilities are kept to a minimum to make the effort not worth pursuing.
    Teach a man to Phish and he will pheed himself for life.
    Close up the vulnerabilities and he will starphe.

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  3. Spammers abandoning spam? by TFGeditor · · Score: 2, Insightful

    FTFA: "Earlier this month SC reported some spammers are turning their back on the spam business. Self-d spam king Scott Richter has now been spam-free for over six months."

    Seems incongruous to declare "spammers are turning their back on the spam business" in an article about a malicious new "brute force" spamming scheme that has grown "400 percent in the last twelve months according to a report from email filtering company Email Systems."

    And on what does the writer of TFA base this notion, anyway? That one spammer (Richter) has been spam-free for six months?

    Where's the beef?

    --
    Ignorance is curable, stupid is forever.
    1. Re:Spammers abandoning spam? by apoc.famine · · Score: 1

      And unless I totally misunderstood the article, "darkmail attacks" are nothing more than spam. Granted, in very large quantities, but nothing that businesses with "tempting" domains haven't been experiencing for years.

      It's just that "dictionary attacks" of hundreds of thousands of to: addresses are being used on smaller domains with more frequency.

      Same problem, same methods. Spammers are just casting a bigger net, as their success rates are diminishing due to filtering.

      --
      Velociraptor = Distiraptor / Timeraptor
    2. Re:Spammers abandoning spam? by Anonymous Coward · · Score: 0

      And unless I totally misunderstood the article, "darkmail attacks" are nothing more than spam. Granted, in very large quantities, but nothing that businesses with "tempting" domains haven't been experiencing for years.

      It's just that "dictionary attacks" of hundreds of thousands of to: addresses are being used on smaller domains with more frequency.

      Same problem, same methods. Spammers are just casting a bigger net, as their success rates are diminishing due to filtering.


      Not quite. Dictionary attacks are trying to find valid mailboxes. Regular spam already has your mailbox address.

      The bandwidth & processor load of dictionary attacks is far, far lower on the target unless you use an SMTP server that accepts email for non-existent addresses by default (qmail, some versions of exchange, etc).

      Some SMTP servers can detect dictionary attacks and respond by slowing the connection (bad rcpt throttle in sendmail) or disconnecting.

      Dictionary attacks have been around a very long time. Nothing new here. Some geeks are looking for new words to use in buzzword bingo.
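The point made in this reply, rejecting unknown recipients at RCPT TO and throttling or dropping a client that keeps guessing, as an added example (this is not code from the thread or from any real MTA; the mailbox list, the limits and the attacker's wordlist are constructed for the demonstration):

```python
# Added example, not code from the thread or from any MTA: a toy model of an
# SMTP server that validates recipients at RCPT TO time and throttles, then
# drops, a client that keeps guessing local parts, which is what a dictionary
# harvest run looks like on the wire.  The mailbox list, the limits and the
# attacker's wordlist are all constructed for the demonstration.

DOMAIN = "example.org"
VALID_MAILBOXES = {"alice", "bob"}   # constructed: the only real users here
BAD_RCPT_THROTTLE = 3   # bad RCPTs per connection before each further one is delayed
BAD_RCPT_MAX = 6        # bad RCPTs per connection before the server hangs up


class Session:
    """State the server keeps for one SMTP connection."""

    def __init__(self):
        self.bad_rcpts = 0
        self.accepted = []
        self.transcript = []   # (side, line) for both client and server
        self.open = True
        self.delay = 0.0       # seconds of deliberate slowdown imposed so far

    def say(self, side, line):
        self.transcript.append((side, line))
        return line

    def rcpt_to(self, address):
        """Answer one 'RCPT TO:<address>'; returns the server reply line, or
        None if the connection was already closed."""
        if not self.open:
            return None
        self.say("C", "RCPT TO:<%s>" % address)
        local, _, domain = address.lower().partition("@")
        if domain == DOMAIN and local in VALID_MAILBOXES:
            self.accepted.append(address)
            return self.say("S", "250 2.1.5 Ok")
        self.bad_rcpts += 1
        if self.bad_rcpts >= BAD_RCPT_MAX:
            self.open = False
            return self.say("S", "421 4.7.0 Too many invalid recipients, closing connection")
        if self.bad_rcpts >= BAD_RCPT_THROTTLE:
            # sendmail's BadRcptThrottle option sleeps one second per further
            # bad RCPT; this model only accounts for the delay instead of sleeping
            self.delay += 1.0
        return self.say("S", "550 5.1.1 <%s>: Recipient address rejected: User unknown" % address)


def run_harvest(wordlist, body_bytes=2000):
    """Replay a dictionary run over a single connection and summarise what
    RCPT-time rejection cost the sender versus a server that accepts everything.
    body_bytes is the assumed size of the message the attacker would have sent
    to every recipient an accept-all server let through."""
    sess = Session()
    sess.say("S", "220 mx.%s ESMTP" % DOMAIN)
    sess.say("C", "EHLO spammer.invalid")
    sess.say("S", "250 mx.%s" % DOMAIN)
    sess.say("C", "MAIL FROM:<x@spam.invalid>")
    sess.say("S", "250 2.1.0 Ok")
    tried = 0
    for name in wordlist:
        sess.rcpt_to("%s@%s" % (name, DOMAIN))
        tried += 1
        if not sess.open:
            break
    return {
        "rcpts_tried": tried,
        "accepted": list(sess.accepted),
        "disconnected": not sess.open,
        "delay_seconds": sess.delay,
        # a server that accepts mail for any local part would have taken a body
        # for every name; rejecting at RCPT limits that to the real mailboxes
        "body_bytes_avoided": (len(wordlist) - len(sess.accepted)) * body_bytes,
        "transcript": sess.transcript,
    }


# constructed alphabetical wordlist of the kind a harvester walks through
SAMPLE_WORDLIST = ["aaron", "adam", "alice", "albert", "alex",
                   "alfred", "andrew", "anna", "bob"]

if __name__ == "__main__":
    result = run_harvest(SAMPLE_WORDLIST)
    for side, line in result["transcript"]:
        print(side, line)
    print({k: v for k, v in result.items() if k != "transcript"})
```

Run as a script it prints both sides of the exchange; the harvester gets two 550s for free, then a one-second delay on each further miss, and is cut off with a 421 after six misses, so of nine guesses only one real mailbox was confirmed and no message body was ever transferred.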

    3. Re:Spammers abandoning spam? by nacturation · · Score: 1

      Look at the bottom of the article. It's a link to emailsystems.com, the so-called anti-spam experts quoted in the so-called article. Basically, this is a PR piece designed to generate exposure for emailsystems. It doesn't have to make sense or be consistent -- as long as their name appears in print, and they can keep making it appear in print, somebody will eventually think, "Gee, these guys must be experts... I think I'll use their products/services."

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  4. Egress Filtering by QuantumRiff · · Score: 2, Interesting
    Is it really so hard to set up egress filtering on your networks? Seriously, if people started allowing their email servers, and only their email servers, to send email, then we could eliminate zombies. This is a 2-line entry in an access list on your border router. (Heck, be a good net neighbor while you're at it. If you're a corporation, do you really need port 135 leaving your network?) This would force spammers to stop using zombified company machines, and home users on broadband, to send hundreds of thousands of emails a minute. (Not to mention that checking your logs quickly tells you which machines might be infected and need a visit from a tech.)

    Honestly, the thing that gets me is that most firewalls block incoming, but allow all outgoing traffic. Why? Do you want the next virus to hit and email out your Word documents as attachments? They might have trade secrets, or your budget numbers, etc. Do they want an inside machine setting up a "hole" in the firewall to an IRC server? Once they establish the connection from the inside, most firewalls will then ignore the stream. Force spammers to use real mail servers so that they can be appropriately blocked.

    I have never had someone give me an intelligent reason on why outgoing port 25 should not be blocked. I've heard the argument about people running email on their broadband connections. (I do, and route outgoing through my ISP's SMTP relay server)

    --

    What are we going to do tonight Brain?
    1. Re:Egress Filtering by Anonymous Coward · · Score: 0

      I have never had someone give me an intelligent reason on why outgoing port 80 should not be blocked either, after all if some user wants to access a website he can use the ISP's HTTP proxy server.

    2. Re:Egress Filtering by cjm182 · · Score: 1

      It's the same reason people only install spybot and AV software after they've been hit. Nobody thinks of locking the barn until after the cows are gone.

    3. Re:Egress Filtering by QuantumRiff · · Score: 1

      Got to admit, this is an interesting argument I have not heard before, thank you.

      --

      What are we going to do tonight Brain?
    4. Re:Egress Filtering by Anonymous Coward · · Score: 0

      because it won't solve the problem except in the very short term.

      We're already seeing viruses which look for the user's mail client preferences and use the mail client's defined outbound SMTP server.

      Sure, it'll provide a log file which can be used to LART infected users, but does it solve the problem? No, it doesn't.

      There is only one real solution, as any technical solution will NOT stop spam: the minute it's done, the spammers will find another way around it. The only real, workable solution is:

      tell the fscking idiots to stop buying from spam! If the economics of the industry fail, then we'll stop seeing spam. Spam is only around because people BUY FROM IT.

    5. Re:Egress Filtering by crow · · Score: 1

      Actually, they do just that where I work. Except for the sites that are intentionally blocked by Web Sense (and I understand blocking porn at work to help avoid sexual harassment lawsuits), it works just fine.

      It's set up as a transparent proxy, and I have no issues with it. It's especially nice when reloading something on another computer, because it's in the corporate cache.

      If done right, I can see lots of good reasons for an ISP to set up a transparent web proxy. (Most of those reasons are to reduce bandwidth.)

    6. Re:Egress Filtering by Anonymous Coward · · Score: 0

      As long as it's a transparent proxy server. Having to configure the client for the proxy sounds like a support nightmare.

    7. Re:Egress Filtering by Sexy+Bern · · Score: 1

      In a corporate environment, you're typically using windows in a domain/AD context. Group Policies are simple and effective ways of setting the proxy configuration across the entire company, and - if set correctly - can't be changed by the users.

    8. Re:Egress Filtering by vbuitoni · · Score: 1

      IMHO, I don't think this is the best way to eliminate zombies.
      I think that the best thing to do would be to call a cleric to turn all the zombies in your company.
      This would force the evil cleric spammers to stop rebuking your zombies...

      Although I like your idea of checking the logs, this would tell which machines need a visit from a tech (hmmm... cleric)

    9. Re:Egress Filtering by thomasa · · Score: 1

      I have never had someone give me an intelligent reason on why outgoing port 25 should not be blocked. I've heard the argument about people running email on their broadband connections. (I do, and route outgoing through my ISP's SMTP relay server)

      I run an SMTP server and resent you saying it should be filtered by my ISP. I don't send spam and don't want someone intervening in my email. Get the distributors of bad email, not the innocents.

  5. No surprise by metamatic · · Score: 2, Interesting

    I wrote a series of articles in which I mentioned this problem, caused by many approaches to spam filtering. http://www.xciv.org/~meta/Technology/2005-02-14-dismal.html

    Basically, spam is an economic problem. Attempts at a technological solution usually involve filtering spam. Since a filter can never be 100% accurate, as filters are deployed the volume of spam increases. So basically, filters "work" as long as most people aren't using them; once they become widespread, the spam volume goes up and up until the network collapses under the bandwidth load (or we try a different approach).

    As I conclude in my article, attempting to analyze logically from first principles, the only type of solution which will work is an economic one. Unfortunately, most people dismiss economic solutions out of hand. They're too attached to the fundamentally broken economic model of today's e-mail.

    Ironically, the same people often express surprise that the RIAA can't see how broken their economic model is...

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    1. Re:No surprise by Trepalium · · Score: 2, Insightful
      The idea of making people pay for their e-mail comes up frequently, but those who propose it rarely mention the problems with it.

      First, it doesn't really solve the zombie spambot problems. Spammers don't seem to care if they break the law or not, provided they don't get caught. A large amount of spam already comes from zombie PCs, and your proposal wouldn't change that. The only thing that would change is some poor slob would end up with a $500 internet bill every now and then. Since it's unlikely the customer in these instances will end up having to pay, that means general internet prices will shoot through the roof so the ISP can cover it.

      Second, who will be the clearinghouse for these payments? Do you think everyone will agree to any choices anyone picks out? We can't even agree world-wide on television standards.

      If and when we manage to get a grip on the zombie situation, then maybe we can revisit the pay-for-email idea, but I don't see that happening any time soon. Sadly, the only technology that seems even remotely capable of solving this problem is a technology that is even more repugnant to most of us than pay-per-mail schemes -- "trusted" computing. Even that will have its problems dealing with this.

      --
      I used up all my sick days, so I'm calling in dead.
    2. Re:No surprise by Anonymous Coward · · Score: 0

      Basically, spam is an economic problem ... the only type of solution which will work is an economic one.

      I'm sure Bruno & Guido would beg to differ. Their baseball bat solution is very effective.

    3. Re:No surprise by metamatic · · Score: 1

      For #1, I have a couple of possible solutions I intend to write about.

      For #2, the same argument could be made as to the impossibility of credit card payments. Somehow, we found a way.

      "Trusted" computing doesn't solve anything, because there's no way you'll ever get it to be ubiquitous and mandatory. I'd go back to setting up a UUCP network with my friends before I'd agree to Trusted Computing as a condition of TCP/IP e-mail access.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    4. Re:No surprise by Intron · · Score: 1

      What stops spammers from shifting their strategies to match your economic model? Any economic change requires a payment from someone to someone. If the payment is to email recipients, spammers will become recipients. If it is to ISPs, spammers will become ISPs. Forcing pay-for-email schemes on the internet creates opportunities for abuse, it doesn't solve anything.

      --
      Intron: the portion of DNA which expresses nothing useful.
    5. Re:No surprise by metamatic · · Score: 1

      If spammers become e-mail recipients, so what? They've stopped spamming. If they think they can make money joining mailing lists, they're welcome to go ahead and try.

      As for spammers becoming ISPs--that has already happened. But no, my article explains why the payment has to go to the end user, not the ISP. (Though one option would be for the ISP to take a cut.)

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    6. Re:No surprise by Intron · · Score: 1

      Spammers are criminals who make money by hijacking PCs and selling advertising services. You want to eliminate the need to sell advertising services and pay them directly. They will now start hijacking PCs to send themselves mail, sticking the former PC owners with the bill. Very good for the spammers, very bad for everyone else.

      And please don't say there will be a foolproof authentication scheme. If there were such a thing, we could just use it for free mail and skip the payments, right?

      --
      Intron: the portion of DNA which expresses nothing useful.
    7. Re:No surprise by pooh666 · · Score: 1

      There is nothing, nothing as lame as quoting yourself.

  6. Not really new. by Anonymous Coward · · Score: 1, Informative

    This so-called darkmail isn't really new; it's merely a derivative of the age-old mailbomb. Certainly it can easily be defended against by using anti-mailbomb techniques like rate limiting and address limits. Too bad for you if you use Exchange, but the likes of Postfix or GroupWise make this idiot-proof. The "problem" can further be mitigated by using RBLs at the SMTP level, before message transfer. That means: connect, check RBL, tell spammer 5.5.4 Piss Off, disconnect.

    Even if your spam filtering has achieved 100% reliability, highly unlikely, why let them consume your bandwidth with stuff you'll throw away? Some people don't like the idea of RBL blocks at the SMTP level but, if you are going to use RBLs at all, why not at the SMTP level?

    1. Re:Not really new. by superpulpsicle · · Score: 1

      I always wonder if things would be better in the industry if hardware-based mail servers like Mirapoint were deployed instead of the ever-popular Exchange server.

    2. Re:Not really new. by Anonymous Coward · · Score: 0

      I always wonder if things would be better in the industry if hardware-based mail servers like Mirapoint were deployed instead of the ever-popular Exchange server.

      As much as I dislike Exchange, it is not a source of spam. Windows zombies are an enormous problem, but that has nothing to do with Exchange.

  7. Re:Spearphishing? Darkmail? Honeypot? by aftk2 · · Score: 3, Funny

    No kidding. Darkmail. It sounds like something I'd take along with my vorpal sword, and +10 boots of speed.

    --
    concrete5: a cms made for marketing, but strong enough for geeks.
  8. I don't so don't "make an ASS of U and ME" by DaedalusHKX · · Score: 1

    Seriously, some of us don't go about it the way you do. I provide private email services to friends and family... that involves not having to constantly circumvent the crap others put in our way. Plus, this way, they don't have to worry. I won't sell them out to spammers, pharmers, phishers or ass monkeys at the M$ marketing department. In return they behave, or I can their asses if they send spam. (I also do a far better job of keeping them spam-free and keeping their service running... FAST...)

    The machine in question is a full smtpd/popd server... plus web. I don't approve of being blocked... how about if they BLOCK ONLY windows machines? since most inept morons run windows, and the rest run macs. This way my bsd and linux rigs are safe and sound, without someone else restricting MY access that I've paid for.

    --
    " What luck for rulers that men do not think" - Adolf Hitler
    1. Re:I don't so don't "make an ASS of U and ME" by Anonymous Coward · · Score: 0

      Why should other people suffer so that less than 1% of the population can have the mild convenience of running email servers on consumer broadband?

    2. Re:I don't so don't "make an ASS of U and ME" by ArghBlarg · · Score: 2, Insightful

      Why should consumer broadband be a crippled network connection? The internet was designed to support peer-communications, not be like TV.

      --
      ERROR 144 - REBOOT ?
    3. Re:I don't so don't "make an ASS of U and ME" by fuzzybunny · · Score: 1

      Ditto on this.

      What I additionally hate pretty tremendously is people who blanket-block mail from dynamic IPs. Many of us don't _want_ to send mail over our ISP's broken server, and we don't _want_ to pay their obscene IP rental "tax" for a fixed IP. I think this is ridiculous.

      A combination of keyword filtering, greylisting, ORBLs and rate limiting is far more effective--we even found that rate limiting APNIC IPs to 2 messages per minute per IP does wonders for our spam loads (and this is at a three letter .net domain with generally common proper English first names as email addresses.)

      I've made it clear to people who implement stupid blacklists that, if they don't want to hear from us, we can't talk to them. I've had quite a few people react quite positively when I've politely given them good arguments why dynIP blacklists are stupid.

      As you say, crippling broadband...well.

      --
      Cole's Law: Thinly sliced cabbage
    4. Re:I don't so don't "make an ASS of U and ME" by mutterc · · Score: 1

      I've been using MailHop Outbound from dyndns.org for this... my mail server sends to them, they relay it onwards... something like $30 / year for 300 messages / day, and no problems (that I've noticed) in a couple of years. This way, for a lot less than buying "business class" service, I don't have to worry about dynamic-IP blocklists. If Roadrunner decides to block outbound port 25 MailHop can accept mail on other ports. It requires SMTP AUTH so I'm accountable for the messages.

    5. Re:I don't so don't "make an ASS of U and ME" by Anonymous Coward · · Score: 0

      Because consumer broadband lacks accountability. Duh. Why the fuck should you, with your Bad Ass Super Elite Gentoo Linux system and a $10/mo. cable modem, be treated the same as Ed Inc, with their own ASN, own data center, their own IT department, etc.? Once consumers get to the point where they give a shit about more than downloading their porn, music, and emails from their shallow friends and take some personal accountability for the shit that their computers do on the network, then sure, give them completely equal access to the network. But until then, tough shit.

      Everybody seems to think that spam filters on the receiving end are a good solution. Which is just fucking stupid. If some cockhole of a retard, such as yourself, downloads the latest spyware, trojaned, virused p2p application and proceeds to attempt to send thousands of emails to my servers which are promptly dropped, well it's still costing me money you fucking worthless piece of shit.

    6. Re:I don't so don't "make an ASS of U and ME" by YrWrstNtmr · · Score: 1
      Because consumer broadband lacks accountability.

      This, coming from an Anon Coward

      Priceless.

  9. pundits behind the times as usual by Anonymous Coward · · Score: 0

    DHAs are hardly anything new, nor is shotgun spam. Slow news day for SC Magazine that they had to manufacture a new threat out of existing spammer behavior? In a way, these attacks are self-defeating against reasonably intelligent filtering. A DHA attack is a highly identifiable characteristic that lends itself to being blocked by source instead of the much more expensive header and content analysis. And if a spammer's stupid enough to send them all from the same network, there are traffic-shaping solutions now that will make all that spam pile up on his side, not the receiver's.

    1. Re:pundits behind the times as usual by duffbeer703 · · Score: 1

      Well, "Darkmail" sounds pretty badass... I'm sure that if I warn the boss about the darkmail menace he'll give me money!

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  10. Not a fad by vthome · · Score: 1
    Thanks to this kind of mail, I'm getting on average about 300M (megabytes, you've read it right) of mail traffic a day. On a box with one active user.

    Especially hilarious are mails from admin@mydomain telling me that my account has just been suspended..

    1. Re:Not a fad by Anonymous Coward · · Score: 0

      Thanks to this kind of mail, I'm getting on average about 300M (megabytes, you've read it right) of mail traffic a day. On a box with one active user.

      Do you reject non-existent addresses after the RCPT TO: envelope recipient?

      I can't imagine that if you dropped the connection at that point how it could add up to 300 megabytes/day.

    2. Re:Not a fad by commanderfoxtrot · · Score: 1

      Are you blocking on SMTP connection or with procmail after the email has been received?

      You should be able to save a lot of bandwidth that way.

      Having said that, I use dozens of different email addresses on my domain (generally one per sign-up &c.) so this doesn't work so well for me...

      --
      http://blog.grcm.net/
    3. Re:Not a fad by vthome · · Score: 1

      There's a caveat: I'm on a UUCP feed. Nothing can be done until after the message is received - by which time it's too late.

    4. Re:Not a fad by Anonymous Coward · · Score: 0

      There's a caveat: I'm on a UUCP feed. and I'm getting on average about 300M (megabytes, you've read it right) of mail traffic a day.

      You're still using UUCP? I haven't seen UUCP in more than 15 years. 300 megs/day with UUCP? You must have enough connectivity to do away with UUCP.

  11. Defeat "darkmail" through "greytrapping" by Nonesuch · · Score: 3, Informative
    The latest version of pf, spamd, and spamdb offered with OpenBSD 3.7 work well to address the problem of high-volume dictionary attacks, through a combination of bandwidth shaping, tarpitting, greylisting, and spamtrap addresses.

    Basically, you configure spamdb to greylist unknown senders, and provide it with a huge list of "spamtrap" addresses, which are invalid email addresses not actually used in your domain.

    GREYTRAPPING
    Any source which tries to email a spamtrap address is temporarily blacklisted, just as SpamCop's SCBL reacts to a message to a spamtrap.

    Recent enhancements to 'pf' provide for rate-limiting connections based on the source IP, in addition to the regular bandwidth shaping features. With minimal effort you can configure an OpenBSD mail gateway or router to ensure that you waste as much of the spammers time as possible, while expending the least amount of your own effort and bandwidth.
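The greylisting plus spamtrap ("greytrapping") behaviour this post describes, as an added example (this is a toy model written for this page, not OpenBSD's spamd or pf code; the timers, the trap list and the sample traffic are constructed):

```python
# Added example, not from the thread and not OpenBSD's spamd code: a toy model
# of greylisting plus spamtrap addresses.  A (source IP, sender, recipient)
# triplet is deferred on first sight and only passes once the sender retries
# after a minimum wait, which a real MTA does and most spamware does not; any
# source that addresses a spamtrap, an address that has never existed in the
# domain, is trapped for a period no matter what.  The timers, the trap list
# and the sample traffic are constructed for the demonstration.

GREY_DELAY = 300         # seconds a triplet must wait before a retry is accepted
GREY_EXPIRE = 4 * 3600   # seconds an unanswered greylist entry is remembered
TRAP_TIME = 24 * 3600    # seconds a source stays trapped after hitting a spamtrap
SPAMTRAPS = {"george@example.org", "sales-old@example.org"}   # constructed


class Greylister:
    def __init__(self):
        self.grey = {}      # triplet -> time first seen
        self.white = {}     # source ip -> time it passed greylisting
        self.trapped = {}   # source ip -> time it hit a spamtrap

    def decide(self, now, ip, sender, rcpt):
        """Decide one RCPT TO.  Returns (verdict, reply) with verdict one of
        'trapped', 'grey' or 'pass'; 'now' is seconds since some epoch."""
        rcpt = rcpt.lower()
        if ip in self.trapped:
            if now - self.trapped[ip] < TRAP_TIME:
                return "trapped", "450 4.2.1 Try again later"
            del self.trapped[ip]          # trap entry has aged out
        if rcpt in SPAMTRAPS:
            # addressing a trap outweighs any whitelisting the source earned
            self.trapped[ip] = now
            self.white.pop(ip, None)
            return "trapped", "450 4.2.1 Try again later"
        if ip in self.white:
            return "pass", "250 2.1.5 Ok"
        key = (ip, sender.lower(), rcpt)
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRE:
            self.grey[key] = now          # first sight (or a stale entry): defer
            return "grey", "451 4.7.1 Greylisted, try again later"
        if now - first < GREY_DELAY:
            return "grey", "451 4.7.1 Greylisted, try again later"   # retried too soon
        del self.grey[key]
        self.white[ip] = now              # a patient retry: the source is a real MTA
        return "pass", "250 2.1.5 Ok"


# constructed traffic in time order: (seconds, source ip, sender, recipient)
SAMPLE_TRAFFIC = [
    (0,   "203.0.113.5",  "news@partner.example", "alice@example.org"),   # real MTA, first try
    (0,   "198.51.100.9", "x@spam.invalid",       "aaron@example.org"),   # harvester, first try
    (1,   "198.51.100.9", "x@spam.invalid",       "george@example.org"),  # hits a spamtrap
    (600, "203.0.113.5",  "news@partner.example", "alice@example.org"),   # real MTA retries
    (601, "203.0.113.5",  "news@partner.example", "bob@example.org"),     # now whitelisted
    (700, "198.51.100.9", "x@spam.invalid",       "alice@example.org"),   # still trapped
]


def replay(traffic, gl=None):
    """Run the traffic through one Greylister and return the verdicts in order."""
    gl = Greylister() if gl is None else gl
    return [gl.decide(t, ip, sender, rcpt)[0] for t, ip, sender, rcpt in traffic]


if __name__ == "__main__":
    for entry, verdict in zip(SAMPLE_TRAFFIC, replay(SAMPLE_TRAFFIC)):
        print(entry[0], entry[1], entry[3], "->", verdict)
```

The partner's MTA is deferred once, retries ten minutes later and is then whitelisted for its next message; the harvester is deferred, touches a trap address on its second guess and is held off for a day, which is the "temporarily blacklisted" step the post describes. The real spamd also tarpits trapped sources by answering one byte at a time; that part is not modelled here.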

    1. Re:Defeat "darkmail" through "greytrapping" by dr00g911 · · Score: 1

      The hosting provider I use for the vast majority of my clients and my personal site just added a greylist/graytrap system into place, and it works amazingly well so far.

      Three months and a total of 15 *total* spam messages have made it to my mail over that time period, which SpamAssassin flagged and then Apple Mail's filtering dealt with accordingly. This is as opposed to about 750 per day on my two main accounts previously.

      The beauty of greylists is that false positives are virtually unheard of (I support about 150 users and haven't had a single report in this time) because the entire nature of a greylist means that if the mail comes from a legitimate email server, it will try to send the message again in a couple of minutes, at which point it becomes a trusted host.

      Of course, open relays are still a problem in this scenario, but that's what the other layers of filtering (bayes etc) are for. Add the new ClamAV distro into the mix and email is bearable again with no need to constantly train my bayes filter.

  12. and, apparently, darkmail is... by soundsop · · Score: 1

    From the article:

    Darkmail is primarily used in distributed denial of service (DDoS) attacks and directory harvest attacks (DHA) in which a specific domain is hit with a flood of emails through an alphabetical list of names.

    But over the last year darkmail is being used to brute-force spam through filters and is clogging up bandwidth.

    Basically, it seems that darkmail is bulk mail sent to a domain with the advance knowledge that much of it will not reach a destination.

  13. I like the concept, but not that implementation. by khasim · · Score: 1

    Suppose I setup a spamtrap of "george" because no one here uses that address.

    But a legitimate contact makes a mistake typing the address and does send it to "george".

    I would rather that it count the number of bad address attempts and blacklist the sender after X failures (5 for example).

    But the failures would have to be counted as unique and across multiple connections. So resending to "george" 5 times won't lock them out. But making 5 connections with a single attempt to Al, then Bill, then Curtis, then Daniel, then Frank would blacklist them (within a set time period such as 5 or 10 minutes).

    Actually, on that last attempt, I'd like it to receive the email and dump it into a special account so it can be forwarded to SpamCop and THEN blacklist it on my local server.

  14. My Client Emails by TexTex · · Score: 2, Insightful

    Why allow port 25 outgoing? My clients. They come in to my business and want to send their email. Guess what? Their corporate, locked-down laptop is set up to point to only their smtp server. VPNs are around 20-30% of the time, and so they end up needing to connect to their mail servers to send out.

    Having port 25 open on an outgoing connection isn't that big of a deal if you monitor and control it. Virus scan both ways, rate limit max connections, etc.

    --
    -Barkeep, a draft of your most hazardous brew, for the world is slowly stepping into focus, and I don't like what I see.
    1. Re:My Client Emails by Dachannien · · Score: 1

      It's the responsibility of your clients to have a VPN set up to access their home network. If the company takes the time to prevent their employees from changing their SMTP settings on their laptops, surely they can take the time to set up VPN access.

      They'd also get the benefit of knowing that you (or other companies they do on-site business with) can't snoop their e-mail.

    2. Re:My Client Emails by Anonymous Coward · · Score: 0

      TCP/587 is the answer you seek, young grasshopper.

    3. Re:My Client Emails by fingal · · Score: 2, Insightful

      There is one school of thought which says that permitting open access to your internal network to machines that are not under your control is a potential recipe for disaster and might well compromise all your nice firewalling work that you have done (it's not called a trusted network for nothing)

      The solution to this is to have a DMZ zone which untrusted clients are allowed to connect on which may have outgoing SMTP enabled, and keep your trusted network as exactly that. No more spam bots, no more email-less clients.

      --

      The only Good System is a Sound System

    4. Re:My Client Emails by Intron · · Score: 1

      There are 2 cases:

      1) They are sending a complete message, which just needs to be routed. This could be sent through your smtp server (port 25) just as easily as through their company server.

      2) They are actually doing a mail submission, so that the mail will be "From" theircompany.com. This should be on port 587 using secure authentication.

      So no reason not to block port 25.

      --
      Intron: the portion of DNA which expresses nothing useful.
    5. Re:My Client Emails by nacturation · · Score: 1

      The solution to this is to have a DMZ zone...

      Is that something like an automated ATM machine?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  15. Fad? Impossible by th0mas.sixbit.org · · Score: 1

    It can't be a fad. Geeks don't get fads.

    --
    twitter.com/gravitronic
  16. MOD PARENT UP! by Anonymous Coward · · Score: 0

    Teach a man to Phish and he will pheed himself for life.
    Close up the vulnerabilities and he will starphe.


    He is a fucking communist, but this is hilarious.

  17. Been going on for years by portwojc · · Score: 1

    This has been going on for YEARS. I have one domain name with 5 real users on it and I am getting blasted constantly with unknowns. Not 10 million but more like 25k a day.

    There are ways around it.

    1. If you're using SpamAssassin, monitor which email addresses are getting hit as unknowns. If one gets, say, more than 20 hits, add it to the blacklist too. That way, if a real address gets the message and has one of those cc'd, it will get tagged. I figured if they send to a common unknown it's probably safe to blacklist it.

    2. If your MXs can do it, send them a list of valid accounts. That way you don't have to reject unknowns from your secondary and they don't have to try to send you the email.

    3. Another is to create a perl script that tails the maillog. Then, once a rejected message is seen, ban that IP address to port 25. It won't ban it until after that message is complete, but you won't get repeat connections. I've set up a rolling filter of sorts that will remove the bans after a while. It sounds bad but it works. I went from 25k rejected a day to 14k or less. It also doesn't hurt normal email, as they will either queue or hit your secondary. Sure, greylisting works like this, but I hate filling up my logs and wasting traffic.

    Just some thoughts. Pick 'em apart but they work for me.
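Point 3 above, banning a source from its reject log entries, combined with khasim's refinement earlier in the thread (count distinct unknown recipients per source across connections within a window, so one mistyped address never trips it, and roll the ban off after a while), as an added example. This is not the perl script from the post or any code from the thread; the log lines are constructed in Postfix's "NOQUEUE: reject: RCPT" format, the thresholds are assumptions, and firewall_rule() only renders the rule text that a tailing script would install:

```python
# Added example, not code from the thread: distinct unknown recipients are
# counted per source IP over a sliding window, read from an MTA reject log,
# and a source that crosses the threshold is banned for a while.  The log
# lines are constructed in Postfix's format; WINDOW, THRESHOLD and BAN_TIME
# are assumptions, and firewall_rule() only renders text, it runs nothing.
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 600      # seconds over which distinct bad recipients are counted
THRESHOLD = 5     # distinct unknown recipients from one source that trigger a ban
BAN_TIME = 3600   # seconds a ban lasts before it is rolled off again

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 .*?"
    r"\bto=<(?P<rcpt>[^>]+)>")


def _seconds(ts):
    """Syslog timestamps carry no year; relative ordering is all we need."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


class HarvestDetector:
    def __init__(self):
        self.hits = defaultdict(dict)   # ip -> {bad recipient: time last seen}
        self.banned = {}                # ip -> time the ban expires

    def feed(self, line):
        """Consume one log line.  Returns None for lines that are not recipient
        rejects, otherwise (action, ip) with action 'reject', 'ban' or 'banned'."""
        m = REJECT_RE.search(line)
        if not m:
            return None
        now, ip, rcpt = _seconds(m["ts"]), m["ip"], m["rcpt"].lower()
        for old_ip, expires in list(self.banned.items()):
            if expires <= now:
                del self.banned[old_ip]          # rolling removal of stale bans
        if ip in self.banned:
            return "banned", ip                  # would already be dropped at port 25
        seen = self.hits[ip]
        seen[rcpt] = now                         # a repeat of the same address counts once
        for r, t in list(seen.items()):          # forget attempts outside the window
            if now - t > WINDOW:
                del seen[r]
        if len(seen) >= THRESHOLD:
            self.banned[ip] = now + BAN_TIME
            del self.hits[ip]
            return "ban", ip
        return "reject", ip

    def run(self, lines):
        return [r for r in (self.feed(l) for l in lines) if r is not None]


def firewall_rule(ip):
    """Render the rule a tailing script would install (hypothetical, not executed)."""
    return "iptables -I INPUT -s %s -p tcp --dport 25 -j DROP" % ip


_SPAM = ("{ts} mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: "
         "550 5.1.1 <{r}@example.org>: Recipient address rejected: User unknown in local "
         "recipient table; from=<x@spam.invalid> to=<{r}@example.org> proto=ESMTP helo=<spammer.invalid>")
_PARTNER = ("{ts} mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: "
            "550 5.1.1 <{r}@example.org>: Recipient address rejected: User unknown in local "
            "recipient table; from=<pat@partner.example> to=<{r}@example.org> proto=ESMTP helo=<mail.partner.example>")
SAMPLE_LOG = [   # constructed: a harvester walking a wordlist, and a partner mistyping one address
    _SPAM.format(ts="Jun  5 10:00:01", r="aaron"),
    _SPAM.format(ts="Jun  5 10:00:02", r="adam"),
    _SPAM.format(ts="Jun  5 10:00:03", r="albert"),
    _SPAM.format(ts="Jun  5 10:00:05", r="albert"),      # repeat: does not count twice
    _PARTNER.format(ts="Jun  5 10:00:07", r="george"),   # a typo, not a harvest
    _SPAM.format(ts="Jun  5 10:00:09", r="alex"),
    "Jun  5 10:00:11 mx postfix/smtpd[4713]: connect from mail.partner.example[203.0.113.5]",
    _SPAM.format(ts="Jun  5 10:00:12", r="alfred"),      # fifth distinct unknown: ban
    _SPAM.format(ts="Jun  5 10:00:20", r="andrew"),      # already banned
    _PARTNER.format(ts="Jun  5 10:00:30", r="george"),   # same typo again: still one address
    _SPAM.format(ts="Jun  5 11:05:00", r="anna"),        # ban rolled off, window empty
]

if __name__ == "__main__":
    det = HarvestDetector()
    for action, ip in det.run(SAMPLE_LOG):
        print(action, ip, firewall_rule(ip) if action == "ban" else "")
```

Feeding it `tail -F` output instead of SAMPLE_LOG is the only change needed to run it against a live log; the partner host that mistyped "george" twice is rejected twice but never banned, while the harvester is banned on its fifth distinct unknown recipient and is back to a plain reject once the hour is up.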

  18. Re:Indeed by symbolic · · Score: 1

    Tell the fscking idiots to stop buying from spam! if the economics of the industry fail, then we'll stop seeing spam. Spam only around because people BUY FROM IT.


    So true...and this axiom can be applied to other entities as well...RIAA/MPAA for example. It's all economics.

  19. Soul? by Ann+Elk · · Score: 1

    From TFA, end of the fourth paragraph:

    ...has been developed with the soul purpose of preventing junk mail arriving in users inbox's.

    This clearly identifies the problem with most spam filters: they ain't got no soul.

    1. Re:Soul? by Anonymous Coward · · Score: 0

      I cod not get the squid proxy to act as a spam filter. It just floundered. I trout that was its sole purpose, but salmon told me I was wrong.