Slashdot Mirror


Password Gropers Hit Peak Stupid, Take the Spamtrap Bait

badger.foo (447981) writes Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: The users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.

29 of 100 comments

  1. This guy might be overvaluing his files by damn_registrars · · Score: 5, Interesting

    I expect his file was probably indexed by a search engine (he does talk about it fairly often in his blog) and the botnet found it there. The botnet isn't smart enough to know that the email addresses aren't real - it only knows they are valid - so it went ahead and went for it. Hell if you were looking to compromise email addresses for your own nefarious purposes and had a small army of compromised PCs to attempt the password hacking, you wouldn't care if you were attempting to access valid addresses or not.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:This guy might be overvaluing his files by BitZtream · · Score: 3, Insightful

      As if you understand how spam prevention works.

      What happened here is that the spammers have turned over the fingerprint of their spam directly to the spam stoppers. By emailing these particular addresses they are directly supplying information that can be used to block spam. They don't need to 'confirm' these messages are spam, THEY ARE SPAM, by definition. They don't need to wait for several people to report them as spam, they don't need to manually inspect them or weight them as 'potentially spam'.

      Spam one of these addresses then:
      Your host is instantly on a blacklist in most cases.
      URLs in the message are ranked as high probability of spam
      The message is fingerprinted and added to anti-spam software

      All of that without any user actually having to report it as spam, and that's just the simple stuff that happens.

      This is EXACTLY WHY this list is online, to catch stupid spammers who aren't careful enough to avoid these addresses.

      It's working EXACTLY AS DESIGNED. Hitting just one of these fake addresses can save it from hitting MILLIONS of real addresses.

      So before calling someone else stupid, look in the mirror, you're at peak ignorant.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:This guy might be overvaluing his files by camperdave · · Score: 3, Funny

      What's "peak stupid" here is the submitter not understanding how spamming works before posting on it.

      Isn't it even more stupid to assume that stupidity has a peak in the first place?

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:This guy might be overvaluing his files by s13g3 · · Score: 4, Insightful

      I designed a honeypot built on similar principles at the last data center I worked for, whereby I had at least two different VM's comprising at least two different OS' on each and every subnet on our network.

      Using a custom implementation of PSAD and a bunch of PERL, the basic idea was that any time a specific IP (external *or* internal) scanned more than eight ports per IP across two or more subnets, it was unquestionably an illegitimate scan of our network, and the IP originating the scan in question was immediately submitted for null routing, because nobody could possibly have a legitimate reason for doing such a scan.

      Port scans from internal IP's, along with those matching other patterns (such as multiple scans within a single subnet or attempting certain exploits/attacks that can be deduced from snort's output in /var/log/messages, like the slammer worm, etc.) were output to a file that was reviewed daily, and could then be fed either in whole or in part(s) to a script that would process the desired actions. Before I knew it, I was blackholing hundreds or even thousands of addresses a day... ~70% of which were from China Telecom, followed immediately by Russia, Brazil, and Moldova, with less than 5% of attacks originating from U.S. or European addresses. The number of compromised customer servers on our network plummeted, along with a corresponding and by-no-means-insignificant dip in network traffic.

      What got me started on this project was that, among other things, hackers were scanning our network for Plesk's default admin login port (as Plesk at that time *had* a default admin login and password), and any time they got a response from port 8443 on an IP that previously did not have that port open, they would jump in and root new installs often before the customer ever logged in for the first time. Needless to say, I put an end to that nonsense.

      However, calling spammers dumb as others have above is probably a mistake: they can often be fairly smart, but what they really are - usually - is Peak Lazy, and are aiming for low hanging fruit. Eventually, the more sophisticated ones will create or adapt new techniques to defeat - or at least cope with - this particular methodology, and the cat-and-mouse-arms-race game of security will continue on as it always has, with one side or the other evolving new defenses or offenses, and the other evolving an appropriate response. The fact that a particular batch of spammers got caught and will find the emails from their current spam campaigns not reaching their intended audience on this go round will only slow them down for a time on the domains this list covers, but to say the spammers have hit "Peak Stupid" as a result of excessive automation is, in fact, an NP-Dumb analysis.

      --
      "Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
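The two-tier rule s13g3 describes above, as an added Python example that is not the commenter's Perl or psad configuration: an external source that probes more than eight distinct ports across two or more of our /24s is queued for null routing, while internal scanners and single-subnet sweeps only land in the daily review file. The event tuples, the subnet list and the `ip route add blackhole` rendering are constructed assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall drop events as (source, destination, destination port).
# The tuple layout is an assumption for this example, not psad's or snort's log format.
SAMPLE_EVENTS = [
    # external source probing nine distinct ports across two of our /24s
    ("203.0.113.7", "198.51.100.10", 22), ("203.0.113.7", "198.51.100.10", 23),
    ("203.0.113.7", "198.51.100.11", 80), ("203.0.113.7", "198.51.100.11", 443),
    ("203.0.113.7", "198.51.100.12", 8443), ("203.0.113.7", "192.0.2.5", 21),
    ("203.0.113.7", "192.0.2.5", 25), ("203.0.113.7", "192.0.2.6", 3306),
    ("203.0.113.7", "192.0.2.6", 3389),
    # external source probing nine ports, but all inside a single subnet
    *[("203.0.113.50", "198.51.100.10", p) for p in (21, 22, 23, 25, 80, 110, 143, 443, 8443)],
    # internal host touching two ports on a neighbour
    ("198.51.100.200", "198.51.100.11", 8443), ("198.51.100.200", "198.51.100.11", 80),
]
OUR_SUBNETS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("192.0.2.0/24")]
PORT_THRESHOLD = 8  # the commenter's "more than eight ports"

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_SUBNETS)

def classify_sources(events):
    """Return {source: "nullroute" | "review"} using the comment's two-tier rule:
    an external source probing more than PORT_THRESHOLD distinct ports across two or
    more /24s is null-routed; internal scanners and single-subnet sweeps go to review."""
    ports, subnets = defaultdict(set), defaultdict(set)
    for src, dst, port in events:
        ports[src].add(port)
        subnets[src].add(ipaddress.ip_network(f"{dst}/24", strict=False))
    verdicts = {}
    for src in ports:
        wide = len(ports[src]) > PORT_THRESHOLD and len(subnets[src]) >= 2
        if wide and not is_internal(src):
            verdicts[src] = "nullroute"   # "nobody could possibly have a legitimate reason"
        elif len(ports[src]) > PORT_THRESHOLD or (is_internal(src) and len(ports[src]) >= 2):
            verdicts[src] = "review"      # written to the file a human reads daily
    return verdicts

def nullroute_commands(verdicts):
    """Render the automatic tier as Linux blackhole routes (one assumed way to null-route)."""
    return [f"ip route add blackhole {src}/32"
            for src, v in sorted(verdicts.items()) if v == "nullroute"]

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_EVENTS)
    print(verdicts)
    print("\n".join(nullroute_commands(verdicts)))
```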
  2. One script kiddie made a mistake by Nimey · · Score: 5, Funny

    so now they've all hit peak stupid.

    I'm not sure it's the script kiddies that have hit that or the submitter and editor.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:One script kiddie made a mistake by Anonymous Coward · · Score: 2, Funny

      so now they've all hit peak stupid.

      I'm not sure it's the script kiddies that have hit that or the submitter and editor.

      "Peak Stupid" will be the dupe story...

    2. Re:One script kiddie made a mistake by Noah+Haders · · Score: 4, Insightful

      Unfortunately, it's unlikely to be "peak stupid." This would imply that stupidity has hit a maximum and things are only going to get less and less stupid as we move forward. Never undervalue humanity's capability to get more and more stupid as time goes on.

      Although to be fair, you could call the nuclear arms race "peak stupid" because humanity was flirting with destroying all human existence. n00b spammers have no chance of being this stupid, and hopefully we will never be so stupid again.

  3. Don't be silly by Kierthos · · Score: 5, Funny

    There's no such thing as 'Peak Stupid'. Every time someone gets to the top of the current peak, the fog clears and another mountain of stupid looms in front of them.

    --
    Mr. Hu is not a ninja.
    1. Re:Don't be silly by alex67500 · · Score: 5, Funny

      A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
      Douglas Adams

    2. Re:Don't be silly by Thanshin · · Score: 4, Funny

      There's no such thing as 'Peak Stupid'. Every time someone gets to the top of the current peak, the fog clears and another mountain of stupid looms in front of them.

      A phenomenon well documented in the study "the unpeakability of stupid".

    3. Re:Don't be silly by wonkey_monkey · · Score: 3, Funny

      Now, that's not true. Some of them vote for the second most stupid politician.

      --
      systemd is Roko's Basilisk.
    4. Re:Don't be silly by TheCarp · · Score: 3, Insightful

      No that is what nearly all of them do, the only difference is really a disagreement over which is the penstupimate politician.

      --
      "I opened my eyes, and everything went dark again"
    5. Re:Don't be silly by quenda · · Score: 2

      No, we know "peak stupid" has been reached when the password gropers are getting more intelligent, reversing the previous trend of increasing stupidity.

      Either that, or the submitter is too stupid to know the difference between a record high, and a peak.

    6. Re:Don't be silly by Darinbob · · Score: 2

      True. Last time we hit Peak Stupid we were still doing pipelining stupid stuff. With modern technology we have super-scalar concurrent stupidity.

    7. Re:Don't be silly by ColdWetDog · · Score: 2

      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the latter." - Albert Einstein.

      FTFY.

      Einstein was right, apparently.

      --
      Faster! Faster! Faster would be better!
  4. Peak Stupid by wasteoid · · Score: 5, Insightful

    So is trying so hard to coin a phrase like "peak stupid".

  5. Re:Editors by Hsien-Ko · · Score: 4, Funny

    These moron editer's should better there English.

  6. Well by Spad · · Score: 4, Funny

    While reading this story I accidentally peak stupid.

    1. Re:Well by TapeCutter · · Score: 4, Funny

      Obviously now is the time to sell stupid.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    2. Re:Well by totallyarb · · Score: 2

      No, no, it's the *supply* of stupid that has peaked; therefore as good economists we can anticipate the cost of stupid to rise in the future, as demand is unaffected. Now is the time to BUY stupid, and stockpile it for later when it will be rarer.

      --
      -- Note to Mods: There is a good reason there's no "-1 Disagree" option. --
    3. Re:Well by Opportunist · · Score: 2

      A world where stupidity is in short supply?

      Hmm... one may dream...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Isn't "Peak Stupid" writing about it. by Chrisq · · Score: 4, Insightful

    The script kiddies are wasting time and resources looking for non-existent email addresses. Wouldn't it be better to let them get on with it rather than tell them exactly where a whole list of email addresses that they needn't check can be downloaded?

    1. Re:Isn't "Peak Stupid" writing about it. by synaptik · · Score: 2

      You should re-read the comment you are replying to. You have misunderstood Chrisq's point (which is, in summary: by talking about the spammers' stupidity in this case, we risk alerting said spammers to their stupidity, in which case they might correct it. It is better for us to just STFU about it.) And of course, by replying to you I am now part of that problem. Damn!

      --
      HSJ$$*&#^!#+++ATH0
      NO CARRIER
  8. Maybe this can be used against the bots by ZorinLynx · · Score: 5, Interesting

    Populate the net with files like this full of E-mail addresses that are not valid. Have dummy accounts on the appropriate servers that will accept the logins, allow the spambots to think they're successfully sending E-mails when in fact they're all going into the bit bucket.

    For added effect, make the servers respond v e r y s l o w l y under these accounts, taking tens of seconds to "send" the E-mail, a minute or so to log in, etc. Basically, slow the spam bots down and waste their time. Of course, the bots will probably eventually evolve to detect such shenanigans, but why make spammers' jobs easy? :)

  9. Re:Next stop? by Culture20 · · Score: 2

    It's already close to 99.99%. Set up ssh on port 22 and don't block it. Check your security log. Valid logins versus failed attempts to access root, admin, or other common usernames. Even with fail2ban or denyhosts and ignoring slow distributed attacks like in the article, the number of failed attempts can sometimes dwarf valid logins. I remember the "Web 2.0" just prior to captchas. It was tough finding content that wasn't written by a spambot.

  10. How fucking stupid are you by Mr+44 · · Score: 4, Informative

    This is great news for stopping this particular batch of spam.

    You just posted the same point twice in this thread, and it's completely wrong both times, and shows a total lack of reading comprehension on your part.

    They are NOT emailing these addresses, they are attempting to log in to them.

    Read the fucking summary, at least. You are what's wrong with the internet.

    1. Re:How fucking stupid are you by Zeromous · · Score: 3, Insightful

      Mister44, it doesn't matter if it's for mail or for passwords, the result is the same. It is using hacker's automation to automate blacklists. Parent is not wrong, just misstated.

      --
      ---Up Up Down Down Left Right Left Right B A START
  11. It's been done. (teergrube) by oneiros27 · · Score: 4, Informative

    There's even a term for this, teergrube.

    An ISP that I worked for in the 1990s used to do this (dcr.net, owned by Drew Curtis, of fark.com fame).

    We had some code that would look for blatant e-mail harvesters, and would SLOWLY return random bogus e-mail addresses ... wait a couple seconds, spit out an address ... etc. The page at the top even had warnings that the page was completely bogus.

    At first, all of the e-mail addresses were all in our domain (but not our real mail server), but I went and added some code that would look up the connecting IP's network (I think I used whois.ra.net), and would also include '{abuse,postmaster}@(network)' and again for the network's upstream providers.

    I can't remember if the bogus mail server was also the box that we had set up so that if *anything* tried touching it, it'd blackhole the connecting IP at our external router, if it was a teergrube itself.

    --
    Build it, and they will come^Hplain.
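The teergrube oneiros27 describes, together with the deliberately slow responses ZorinLynx suggests further up, as one added Python sketch that is not dcr.net's code: a page generator that emits bogus addresses one line at a time with a pause between lines, and appends abuse@/postmaster@ for the connecting network and its upstream. The NETWORKS table stands in for the whois lookup the comment mentions, and every domain and address in it is constructed.

```python
import ipaddress
import random
import time

# Constructed stand-in for the whois lookup: CIDR -> (network's domain, upstream's domain).
# Example data only; a real deployment would query the routing registry instead.
NETWORKS = {
    "203.0.113.0/24": ("harvester-isp.example", "upstream-one.example"),
    "198.51.100.0/24": ("other-isp.example", "upstream-two.example"),
}
BOGUS_DOMAIN = "bogus-mta.example"  # assumed: points at a box that tarpits, never real mail

def abuse_contacts(client_ip, networks=NETWORKS):
    """abuse@/postmaster@ for the client's own network and its upstream, as in the comment."""
    addr = ipaddress.ip_address(client_ip)
    for cidr, domains in networks.items():
        if addr in ipaddress.ip_network(cidr):
            return [f"{user}@{dom}" for dom in domains for user in ("abuse", "postmaster")]
    return []  # unknown network: hand out only the bogus local addresses

def teergrube_page(client_ip, count=5, delay=2.0, rng=None):
    """Yield the page one line at a time, sleeping `delay` seconds between address lines,
    so a harvester that insists on crawling it spends its time stuck here (a tar pit)."""
    rng = rng or random.Random()
    yield "<!-- every address on this page is bogus; mailing any of them gets you blackholed -->"
    addresses = [f"u{rng.randrange(10**6):06d}@{BOGUS_DOMAIN}" for _ in range(count)]
    addresses += abuse_contacts(client_ip)
    for a in addresses:
        time.sleep(delay)
        yield f"<a href=\"mailto:{a}\">{a}</a>"

if __name__ == "__main__":
    for line in teergrube_page("203.0.113.9", count=3, delay=0.5):
        print(line)
```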
  12. Re:Maybe I'm new at this.. by camperdave · · Score: 2

    I don't fully understand this term "Peak Stupid"...

    It's the name of the mountain under which the most secure mail server complex exists. After decades of trying to get past the defenses, the password gropers have finally hit Peak Stupid.

    --
    When our name is on the back of your car, we're behind you all the way!