
On Monday, I posted a blog post related to an increase in SMTP Auth attacks. Frank posted an interesting comment with a question which I thought was worth discussing:

"Good posting. I haven't seen very strong support by MTAs to identify SMTP AUTH brute force attacks. Any comments on what vendors are doing, between Exchange (using AD on the backend), LDAP-based auth, and native system AUTH?"
Of course, the best way to mitigate exposure to an SMTP Auth attack is to disable the feature. If it really is necessary, authentication can be limited to specific trusted IP addresses or subnets, such as a VPN, rather than allowing anyone in the world to authenticate. However, the comment obviously relates to a situation where SMTP Auth must be supported and client connections could come from any IP address.
In the case of the Exchange server mentioned above, from a security viewpoint it's not usually recommended to place the server itself in the DMZ. Instead, an SMTP proxy (software, appliance or hosted) sitting in front of the MTA could be used to detect these attacks rather than relying on Exchange or the back-end authentication mechanism to detect them.
Does Exchange actually have any features to combat such an attack? To be perfectly honest, I wasn't sure, so I did a little digging. I was already aware of the tarpit feature in Exchange 2003 discussed in this Knowledge Base article. As the tarpit feature is bypassed for authenticated sessions, it's not clear whether it would help prevent an SMTP Auth attack by tarpitting failed authentication attempts. However, I did find an MS Exchange tutorial claiming that it did. I wanted to confirm this, so I contacted our friend Terry Zink, the product manager for Exchange Hosted Services, to pass my query on to a relevant contact. He was kind enough to oblige and confirmed that Exchange 2007 does tarpit failed authentication attempts, and was pretty sure that 2003 did likewise.
While I was writing this follow-up to the original blog post, Frank also commented on the ability of other MTAs to prevent these attacks:

"Incidentally, a vendor who has customized qmail (among other things) mentioned to me that they have rate-limiters per IP and username for just that aspect."
That's a typical way to mitigate this type of attack. Rather than allowing an attacker to hammer a mail server all day, the count of authentication failures per IP address or per username can be used to detect it. It's quite similar to an SSH brute force attack, and there's a Unix solution, Fail2Ban, that can detect failed SMTP authentications and create firewall rules to temporarily ban the originating IP addresses.
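To make the per-IP and per-username rate-limiting concrete, here is an added example (not code from the original post, from Fail2Ban, or from the qmail vendor Frank mentions). It counts SASL authentication failures inside a trailing time window, which is the same signal Fail2Ban keys on, and reports which IP addresses and usernames crossed a threshold. The log lines are constructed in a Postfix-like syslog format, the year is assumed (syslog omits it), and the thresholds and window are assumptions to be tuned for a real server.

```python
"""Detect SMTP AUTH brute-force attempts from MTA logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a Postfix-like syslog format. 203.0.113.7 walks
# through several usernames quickly; 198.51.100.9 keeps retrying one user;
# the last line is a successful login and must not count as a failure.
SAMPLE_LOG = """\
Jul 11 11:02:01 mx1 postfix/smtpd[4181]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Jul 11 11:02:03 mx1 postfix/smtpd[4181]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bob
Jul 11 11:02:05 mx1 postfix/smtpd[4181]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=carol
Jul 11 11:02:08 mx1 postfix/smtpd[4181]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=dave
Jul 11 11:02:09 mx1 postfix/smtpd[4181]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=erin
Jul 11 11:30:00 mx1 postfix/smtpd[4190]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
Jul 11 11:31:00 mx1 postfix/smtpd[4191]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
Jul 11 11:32:00 mx1 postfix/smtpd[4192]: client=laptop.example.net[192.0.2.55], sasl_method=PLAIN, sasl_username=alice
Jul 11 11:33:00 mx1 postfix/smtpd[4193]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=alice
"""

# Matches only failure warnings; adjust the pattern for your MTA's log format.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)
USER_RE = re.compile(r"sasl_username=(\S+)")


def parse_failure(line, year):
    """Return (timestamp, client_ip, username_or_None) or None if not a failure."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    um = USER_RE.search(line)
    return ts, m.group("ip"), (um.group(1) if um else None)


class SlidingCounter:
    """Counts events per key inside a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events older than the window
            q.popleft()
        return len(q)


def find_offenders(log_text, ip_limit=5, user_limit=3,
                   window=timedelta(minutes=10), year=2008):
    """Return ({ip: first_trigger_time}, {user: first_trigger_time}).

    An IP is flagged once it has ip_limit failures inside the window (the
    Fail2Ban-style ban); a username is flagged once user_limit failures
    against it arrive inside the window from any source (the per-user limiter).
    """
    ip_counter, user_counter = SlidingCounter(window), SlidingCounter(window)
    banned_ips, locked_users = {}, {}
    for line in log_text.splitlines():
        parsed = parse_failure(line, year)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, ip, user = parsed
        if ip_counter.add(ip, ts) >= ip_limit and ip not in banned_ips:
            banned_ips[ip] = ts
        if user is not None:
            if user_counter.add(user, ts) >= user_limit and user not in locked_users:
                locked_users[user] = ts
    return banned_ips, locked_users


if __name__ == "__main__":
    ips, users = find_offenders(SAMPLE_LOG)
    for ip, when in ips.items():
        print(f"ban {ip}: {ips and 'threshold reached'} at {when}")
    for user, when in users.items():
        print(f"lock {user}: threshold reached at {when}")
```

On the constructed log, 203.0.113.7 trips the per-IP limit at 11:02:09 while 198.51.100.9 never does (three failures), yet alice is flagged at 11:33:00 because the per-username counter sees her failures regardless of source. That second counter is what catches a slow, distributed guess against one account that per-IP banning alone misses. In production the ban decision would feed a firewall rule with an expiry, as Fail2Ban does, rather than a dictionary.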
If any of you are worried that you might be vulnerable to such an attack and are not even sure whether this feature is enabled, you can check by telnetting directly to port 25, issuing an EHLO/HELO and looking at the capabilities reported by the MTA to see if AUTH is listed. You could also check your outbound mail server's IP address against multiple blacklists using a multi-blacklist lookup tool. It's also a good idea to monitor SMTP AUTH traffic at a perimeter firewall or SMTP proxy to see any failures.
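The EHLO check above can be scripted so that it runs the same way each time. The following is an added example, not code from the original post: parse_ehlo() reads a captured EHLO reply (the transcript below is constructed, as a telnet session to port 25 would show it) and auth_mechanisms() reports whether AUTH is advertised and with which mechanisms. live_auth_check() does the same against a host you name (the hostname is a placeholder) using the standard library's smtplib, checking before and after STARTTLS because some MTAs only advertise AUTH once TLS is up, so a plain EHLO alone can give a false "not enabled".

```python
"""Check whether an MTA advertises SMTP AUTH in its EHLO reply (added example)."""
import smtplib

# Constructed EHLO reply. The AUTH= form is the older Outlook-compatible
# spelling that some servers send alongside the standard AUTH line.
SAMPLE_EHLO_REPLY = """\
250-mx1.example.net Hello client.example.org [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 HELP
"""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for every extension in a 250 EHLO reply."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln[:3] == "250"]
    for line in lines[1:]:  # lines[0] is the greeting, not an extension
        body = line[4:].strip()  # drop '250-' or '250 '
        if body.startswith("AUTH="):
            body = body.replace("AUTH=", "AUTH ", 1)
        parts = body.split()
        if not parts:
            continue
        extensions.setdefault(parts[0].upper(), []).extend(parts[1:])
    return extensions


def auth_mechanisms(reply):
    """Sorted unique mechanisms offered, or [] when AUTH is not advertised."""
    return sorted(set(parse_ehlo(reply).get("AUTH", [])))


def live_auth_check(host, port=25, timeout=10):
    """Connect to a host (placeholder name) and report AUTH before/after STARTTLS."""
    result = {"auth_plaintext": None, "auth_after_starttls": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # esmtp_features keys are lower-cased by smtplib; value is the parameter string
        result["auth_plaintext"] = smtp.esmtp_features.get("auth")
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()  # capabilities must be re-read after the TLS handshake
            result["auth_after_starttls"] = smtp.esmtp_features.get("auth")
    return result


if __name__ == "__main__":
    mechs = auth_mechanisms(SAMPLE_EHLO_REPLY)
    if mechs:
        print("AUTH is advertised; mechanisms:", " ".join(mechs))
    else:
        print("AUTH is not advertised")
    # To audit a real server, uncomment and substitute your own MTA:
    # print(live_auth_check("mx.your-domain.example"))
```

An empty result from auth_mechanisms() for both the plaintext and the post-STARTTLS reply means the server does not offer SMTP AUTH to the network you tested from; a non-empty plaintext result means LOGIN or PLAIN credentials can be offered without TLS, which is worth fixing in its own right.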
Follow Up: Closed Relay - SMTP Auth Attack
Posted by David Cawley on Friday, July 11, 2008 at 11:40 AM
Labels: attack, brute force, exchange, firewall, proxy, smtp auth
Friday, March 14, 2008
Irish Stock Exchange Website Compromised
I regularly read the US-CERT (United States Computer Emergency Readiness Team) website to follow current activity. This morning, there was a warning of an attack that has compromised a large number of legitimate websites. One of the compromised sites generated quite a bit of media attention since it's a security-related website. However, I thought it might be interesting to see if any other well-known websites had also been compromised.
After a little searching I saw that the Irish Stock Exchange website, www.ise.ie, had been a victim of the attack. The Announcement List ASP page had been compromised in an attempt to add a link to a malicious Trojan hosted on a different web server. Fortunately, this issue has already been resolved, but evidence of the attack against the site is revealed in a Google cache search of the announcement page.
Posted by David Cawley at 5:06 PM
Labels: attack, compromised, exchange, irish, stock
Thursday, December 6, 2007
Google Apps are Taking Off?
Some of you may be familiar with MailChannels' "PingedIn" service. Every night, we survey the mail servers of approximately half a million companies worldwide, using a proprietary algorithm to determine the kind of email server software they are using to receive email.
Recently I was reviewing historical data stretching back to mid-summer, when I noticed a strong trend:
The lime green line shows that there has been a 50% increase in the number of companies using Google to host their email. This is a really impressive rate of growth in what has been a fairly stagnant industry for the past few years.
Other interesting observations:
- The decline of software: more and more companies are outsourcing their edge email solution to someone else. The only exception we found to this rule was MXLogic, who appear to have lost about 5% of their customers since mid-summer (according to our data -- please don't sue us).
- The flattening of IronPort: There has been virtually no growth at all in IronPort's installed base since they were acquired by Cisco. That said, at least they haven't lost ground.
- Continuing high rate of churn: Not shown on the graph, but tracked by PingedIn is the rate at which companies move from one solution to another. We are continuing to see an approximately 20% annual churn rate in the email boundary market.
Okay, 2015 is a really long way away. Sendmail is going to be with us until the end of time.
Posted by Ken Simpson at 3:10 PM
Labels: barracuda, exchange, google, google-apps, ironport, messagelabs, microsoft, mxlogic, pingedin, postfix, postini, sendmail, server