Several ISPs throughout the Net are reporting an attack described at http://www.l8r.com/nwa/nwa1.htm In this attack, an SMTP server is probed for common names, presumably so that spam can the be targeted at them. The attacking machine connects and issues hundreds of RCPT TO: commands, searching a long list of common user names (e.g. susan) for ones that don't cause errors. It then compiles a list of target addresses to spam. Unfortunately, the attack -- besides allowing the perpetrator to spam users -- also brings SMTP servers to their knees. This happens most often if the server maintains lists of user names in a database where looking up a name requires substantial disk activity or computational overhead. Some people whose domain names have been hard-coded into a commercial program designed to implement this attack have responded with outrage, e.g. http://www.junk.org/earthonline/ I'm surprised that I haven't seen this one on the Bugtraq list yet. --Brett Glass
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:19 PDT