Password Gropers Hit Peak Stupid, Take the Spamtrap Bait
badger.foo (447981) writes: Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: The users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.
I expect his file was probably indexed by a search engine (he does talk about it fairly often in his blog) and the botnet found it there. The botnet isn't smart enough to know that the email addresses aren't real - it only knows they are valid - so it went ahead and went for it. Hell if you were looking to compromise email addresses for your own nefarious purposes and had a small army of compromised PCs to attempt the password hacking, you wouldn't care if you were attempting to access valid addresses or not.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
so now they've all hit peak stupid.
I'm not sure it's the script kiddies that have hit that or the submitter and editor.
Hail Eris, full of mischief...
E pluribus sanguinem
There's no such thing as 'Peak Stupid'. Every time someone gets to the top of the current peak, the fog clears and another mountain of stupid looms in front of them.
Mr. Hu is not a ninja.
haven't finally peak stupid because they were already there.
So is trying so hard to coin a phrase like "peak stupid".
While reading this story I accidentally peak stupid.
The script kiddies are wasting time and resources looking for non-existent email addresses. Wouldn't it be better to let them get on with it rather than tell them exactly where a whole list of email addresses that they needn't check can be downloaded?
Populate the net with files like this full of E-mail addresses that are not valid. Have dummy accounts on the appropriate servers that will accept the logins, allow the spambots to think they're successfully sending E-mails when in fact they're all going into the bit bucket.
For added effect, make the servers respond v e r y s l o w l y under these accounts, taking tens of seconds to "send" the E-mail, a minute or so to log in, etc. Basically, slow the spam bots down and waste their time. Of course, the bots will probably eventually evolve to detect such shenanigans, but why make spammers' jobs easy? :)
I don't fully understand this term "Peak Stupid", but it seems to me the meaning is that it can't get any more stupid. If so, then this activity would be far from the peak, because stupid people will always surprise you by being even more stupid. (Or most stupider, as some of them phrase it)
That would mean to hit "Peak stupid", then the results would be fatal .. Like searching for gas leaks by candle light
By simple brute-forcing spammers are generating a lot of traffic. Almost 70% of all e-mail traffic is spam, how long before 70% of all login attempts are done by bots? "Is someone DDOSing our website? Nope, just bots trying to get in."
going down the drain. They probably have a bigger chance of profit and fame were they to check Mersenne numbers with all that CPU power.
"... the password gropers have finally Peak Stupid."
I think you accidentally a verb.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
.
A lot of requests for odd URLs, all of which return 404. All of the requests that I checked originated at an IP address in Russia, and dozens of different IP addresses were used. These odd requests started about 5 or 6 months ago and have been ramping up lately. Makes me wonder just what the originators are looking for?
Stupid is not a finite quantity in the universe, and it's not a zero sum game.
You can have an infinite amount of stupid.
Now, one might argue that telling the spammers how they've fallen for this and what to avoid ... well, that might be stupid.
Lost at C:>. Found at C.
You just posted the same point twice in this thread, and it's completely wrong both times, and shows a total lack of reading comprehension on your part.
They are NOT emailing these addresses, they are attempting to log in to them.
Read the fucking summary, at least. You are what's wrong with the internet.
Also there is no peak stupid. There is no limit to stupid, and it's impossible to make things stupid-proof. Stupid is just too ingenious.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
There's even a term for this, teergrube.
An ISP that I worked for in the 1990s used to do this (dcr.net, owned by Drew Curtis, of fark.com fame).
We had some code that would look for blatant e-mail harvesters, and would SLOWLY return random bogus e-mail addresses ... wait a couple seconds, spit out an address ... etc. The page at the top even had warnings that the page was completely bogus.
At first, all of the e-mail addresses were all in our domain (but not our real mail server), but I went and added some code that would look up the connecting IP's network (I think I used whois.ra.net), and would also include '{abuse,postmaster}@(network)' and again for the network's upstream providers.
I can't remember if the bogus mail server was also the box that we had set up so that if *anything* tried touching it, it'd blackhole the connecting IP at our external router, if it was a teergrube itself.
Build it, and they will come^Hplain.
When I was young we groped our girlfriends. Now get off my lawn.
I know, most here skim a title or summary and think they know it all, but really you should occasionally read TFA. The issue is not with people sending spam to a spam trap, they are harvesting email addresses and trying to authenticate to them. This is an attempt to compromise accounts, not an attempt to send SPAM mail.
Let me give you a bit of detail, I work with these issues daily.
Long ago in an Internet far far away Spammers learned that they could skim content to find email addresses. Using DNS resolution, they would know what servers should authenticate those addresses. They developed kits that sit and use various attacks to try and break into these accounts. _IF_ they were successful they would use that account to send out SPAM. So your server was listed in a Spam BL, they don't own a mail server.
Resource wise, this was not a stupid thing for them to do. A few servers trying to break into your mail accounts yielded lots of accounts for them to send spam from, and their crackbots were not impacted by SPAM BLs or reputation.
Security people got wise to this, and we now use various methods of blocking brute force password attacks. They are easy to detect, as long as you are nimble enough to look for them. So hackers started breaking into hosts to install their brute force kits, which added another layer for people to detect. This allowed spanning attacks over a span of hosts.
Still detectable, but we are not at a massive amount of log monitoring to find at least two layers of abstraction.
The latest craze is to harvest email addresses and run a static password against those accounts. Different hosts/botnets use different passwords, so it's a reverse methodology. Again these are detectable, but another layer of abstraction makes it a bit harder to look for. The log queries I run to find the better ones are extremely complex and span a massive amount of logs. Using Sumologic or Splunk makes detecting these types of attack much faster. It would be possible to find without, but I would not want to manage that much Perl code or wait days for queries to run. Been there done that.
Now, with the background laid out we can discuss TFA. As soon as an IP with a known spamtrap address tries to connect we can immediately banish the IP. No cross referencing is needed, spanning no longer matters, I know that that IP address is a bad guy without any other information.
That is the level of stupidity being discussed, and yes it is very very stupid on their part. I believe this is not really "stupid" but an unintentional consequence of overly automating. A big "whoops!" if you will, which is not necessarily "stupidity".
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
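An added example, not part of the thread or of any poster's tooling, of the check described in the comment above: a per-IP failure threshold misses slow, distributed guessing, while a single login attempt against a spamtrap address is enough to flag the source IP. The log format, addresses and IPs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed spamtrap list: addresses guaranteed not to exist as accounts.
SPAMTRAPS = {"qz7mail@example.org", "no-such-clerk@example.org", "trapdoor99@example.org"}

# Constructed auth lines in a hypothetical "user=<addr> rip=<ip>" format.
SAMPLE_LOG = """\
2014-08-11T02:14:07Z auth failed user=QZ7mail@example.org rip=203.0.113.17
2014-08-11T02:51:40Z auth failed user=alice@example.org rip=198.51.100.23
2014-08-11T03:29:12Z auth failed user=no-such-clerk@example.org rip=192.0.2.88
2014-08-11T04:05:55Z auth failed user=trapdoor99@example.org rip=203.0.113.17
2014-08-11T04:44:31Z auth failed user=bob@example.org rip=198.51.100.23
2014-08-11T05:20:03Z auth ok user=alice@example.org rip=198.51.100.23
"""

LINE_RE = re.compile(r"auth (?P<result>failed|ok) user=(?P<user>\S+) rip=(?P<ip>\S+)")

def parse(log_text):
    """Yield (result, lowercased user, ip) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["result"], m["user"].lower(), m["ip"]

def threshold_offenders(log_text, max_failures=5):
    """Classic per-IP failure counting; slow, distributed guessing stays under it."""
    fails = Counter(ip for result, _, ip in parse(log_text) if result == "failed")
    return {ip for ip, n in fails.items() if n >= max_failures}

def spamtrap_offenders(log_text, traps=SPAMTRAPS):
    """Map each IP that tried a spamtrap login to the trap addresses it used."""
    hits = {}
    for _, user, ip in parse(log_text):
        if user in traps:  # no real user can mistype their way into this list
            hits.setdefault(ip, set()).add(user)
    return hits

if __name__ == "__main__":
    print("threshold:", threshold_offenders(SAMPLE_LOG))
    for ip, users in sorted(spamtrap_offenders(SAMPLE_LOG).items()):
        print("block", ip, "tried", sorted(users))
```

The IP with two ordinary failures followed by a successful login is left alone, which is the point of keying on addresses that no legitimate user could be typing.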
That's the only thing that could possibly trump the current stupid position.
Have gnu, will travel.
I think by Peak Stupid you are trying to say this is the height of stupidity. I think you are underestimating the stupid that is out there. The truly stupid is yet to come... just wait
1. Does "password guessing" mean they are just trying to login using common passwords like "password" or is it more sophisticated than that?
2. Assuming these brute force methods were used against real accounts, they would presumably become locked. It seems this would have been tried many times already in the past and present and lots of accounts would be getting locked all the time. Thus the email sites must have some way to detect and prevent this?
Just curious about these details... thx.
The verb is "hit". The rest of your statement is accurate (q.e.d.).
Heh heh. The only problem of course being that they're not actually monitoring the LHC for all possible black holes that could potentially be created, and we have no idea how long it would take for a terminal event to build to noticeable levels. There could at this very moment be a microscopic black hole orbiting within the Earth, absorbing new matter just barely faster than it evaporates, biding its time as it grows toward critical mass.
And no, there's two more important things special about the LHC as compared to the reactions taking place in our upper atmosphere (I assume that's what you were implying):
1) The reaction density is far higher - one black hole/strange-matter particle/etc. might well decay faster than it could reach critical mass, but what happens when you're creating thousands or millions of them all at once within a few cubic millimeters? A bit of bad luck and a few of them may combine into a mass large enough to be self maintaining - especially considering...
2) It's on the ground. Anything spawned in the upper atmosphere is going to spend the first few seconds of its existence falling through low-pressure air. Opportunities to "feed" off normal matter would be few and far between. The same self-catalyzing particle created in the LHC would be encountering millions or billions of times as much matter in the same amount of time, as it passed through the test chamber and rapidly into solid rock. And the matter would be solid, which could potentially accelerate things dramatically as well - perhaps a black hole could not absorb free particles fast enough to survive for long, but how do the dynamics change when absorbing a large molecule, causing mutual acceleration of subsequent atoms towards the black hole through electrostatic forces rather than the vanishingly weak gravitational attraction which would be all it could initially muster.
Of course we could try to take comfort in the old "all events not prohibited are mandatory" - the earth has been around for billions of years after all, and we know cosmic rays do occasionally reach the ground. But mandatory does not mean frequent, the Earth has only been around for a few billion years, and our instruments are not yet sensitive enough to notice a collapsed planet around another star to do a statistical survey. Would you care to speculate on how often a huge, super-tight cluster of cosmic rays manages to reach the Earth's surface all at once in order to mimic a single large-scale LHC test?
--- Most topics have many sides worth arguing, allow me to take one opposite you.