They've got a list, and they're sticking to it. Do they even know or care it's my list of spamtraps?
Yes, the Chinese are at it again. Or rather, machines with IP addresses that belong in a small set of Chinese province networks have started a rather intense campaign of trying to access the pop3 mail retrieval protocol on a host in my care, after a longish interval of near-total inactivity.
This is the number of failed pop3 login attempts to my system per day so far in 2017:
January 1: 4
January 2: 145
January 3: 20
January 4: 51
January 5: 32
January 6: 36
January 7: 4036
January 8: 5956
January 9: 5769
Clearly, something happened on January 7th, and whatever started then has not stopped yet. On that day we see a large surge in failed pop3 logins, sustained over the next few days, and almost exclusively attempts at the username part of entries from my list of spamtrap addresses. Another notable feature of this sequence of attempts is that they come almost exclusively from a small set of Chinese networks.
The log of the failed attempts is available in raw form here, while this spreadsheet summarises the log data by IP address and username pair, with the number of attempts for each. The spreadsheet also contains netblock information and the country or territory the range is registered to. (Note: when importing the .csv, please specify the "User name" column as text, otherwise conversion magic may confuse matters.)
The numbers for January 7th onwards would have been even higher had it not been for a few attempts to access accounts that actually exist; my reaction was to block (for 24 hours only) the entire netblock that the whois info for the offending IP address pointed to. Some of those blocks were quite substantial. I've also taken the liberty of removing those entries with real usernames from the logs.
Now despite urging from friends to publish quickly, I've silently collected data for a few days (really just a continuation of the collecting that started with last year's episode described in the Chinese Hunting Chinese Over POP3 In Fjord Country article, which in turn contains links to the data that by now covers almost a full year).
Now disregarding the handful of real user IDs I've already removed from the data set, the only new user IDs we have seen this year are:
3f6d...3mb2jbrszf_99ckfnhrrbud3
bsdly....3ef3a9ff
The rest were already in the spamtraps list, as user name parts. As you will have guessed, those two have been duly included there as well, with
@bsdly.net
appended in order to form a somewhat believable spamtrap email address.

What, then, can we expect to see over the next few days?
The progression so far has proceeded from trap user names starting with 0, ascended through the numerics and has now (January 9) moved on to the early alphabetics. The list of spamtraps is just shy of 35,000 entries, and I assume the entries I see here come out of some larger corpus that our somewhat inept cyber-criminals use.
If you too are seeing larger than usual numbers of pop3 login failures and anything even vaguely resembling the patterns of mischief described here, I would like to hear from you. If your logs follow a format somewhat resembling mine, it is most likely trivial to modify the scripts (in the same directories as the data) to extract data to the slightly more database- or spreadsheet-friendly CSV.
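As an added illustration (not one of the scripts from the data directories), here is a small Python version of the extraction described above: it parses failed pop3 login lines, counts failures per day, summarises attempts per IP address and user name pair, marks which user names are in a spamtrap list, emits CSV, and lists the addresses that exceed a failure threshold, the kind of count a timed netblock block would key on. The log line shape, the sample lines and the spamtrap entries are all constructed for the example, since the post does not reproduce its actual log format.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample lines in a syslog-like shape (assumed, not the post's
# real log format); the user names and addresses are made up for the example.
SAMPLE_LOG = """\
Jan  7 03:12:44 mail popa3d[812]: Authentication failed for 0a1b2c from 49.65.12.34
Jan  7 03:12:51 mail popa3d[812]: Authentication failed for 0a1b2c from 49.65.12.34
Jan  7 04:01:09 mail popa3d[910]: Authentication failed for 3f6d3mb2 from 49.66.7.8
Jan  8 11:20:33 mail popa3d[977]: Authentication failed for luochun from 49.70.1.2
Jan  8 11:20:40 mail popa3d[977]: Authentication failed for 00123 from 49.65.12.34
"""

# Constructed spamtrap local parts (the real list is just shy of 35,000 entries).
SPAMTRAP_USERS = {"0a1b2c", "00123", "luochun"}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+\S+\s+\S+\s+popa3d\[\d+\]: "
    r"Authentication failed for (?P<user>\S+) from (?P<ip>[\d.]+)$")

def parse(log):
    """Yield (date, user, ip) for every failed-login line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (f"{m['mon']} {int(m['day'])}", m['user'], m['ip'])

def failures_per_day(log):
    """Per-day totals, the same shape as the January 1-9 list above."""
    return Counter(date for date, _, _ in parse(log))

def pair_summary(log, traps=SPAMTRAP_USERS):
    """Attempts per (ip, user) pair plus whether the user is a spamtrap entry."""
    counts = Counter((ip, user) for _, user, ip in parse(log))
    return [(ip, user, n, user in traps) for (ip, user), n in sorted(counts.items())]

def to_csv(rows):
    """CSV text; still import the 'User name' column as text in a spreadsheet,
    since quoting alone does not stop numeric-looking names being converted."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL)
    w.writerow(["IP address", "User name", "Attempts", "In spamtrap list"])
    w.writerows(rows)
    return buf.getvalue()

def ips_over_threshold(log, limit):
    """Addresses with more than `limit` failures: candidates for a timed block."""
    per_ip = Counter(ip for _, _, ip in parse(log))
    return sorted(ip for ip, n in per_ip.items() if n > limit)
```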
From my perch here it is difficult to determine whether the people responsible for the networks that feature prominently in the data are cooperating with the cybercriminals or whether they are simply victims of their own substandard security practices.
If you are in a position to shed light on that, I would like to hear from you, and I will do my best to protect your anonymity unless you specify otherwise.
In the meantime, expect the data, (both the full set starting in January 2016 and the 2017-only set) to be updated at frequent, quasi-random intervals.
If you need some background on what the spamtrap list is and some history of related incidents over the last few years, I can recommend reading these articles:
Hey, spammer! Here's a list for you! (July 2007) - a light introduction to greytrapping
Maintaining A Publicly Available Blacklist - Mechanisms And Principles (April 2013) - on greytrapping principles and practice
Effective Spam and Malware Countermeasures - Network Noise Reduction Using Free Tools (2008 - 2014) - a more thorough treatment of the whole spam and malware complex
Password Gropers Take the Spamtrap Bait (August 2014) - the first time I noticed pop3 logins for my spamtraps, and of course
Chinese Hunting Chinese Over POP3 In Fjord Country (August 2016) - about a previous bizarre episode involving Chinese networks and pop3 activity.
Update 2017-02-08: Another round of attempts at usernames that are likely Chinese user names (much like the June 19 2016 onwards cycle described in the Chinese Hunting Chinese Over POP3 In Fjord Country article) started on February 8th, 2017.
The first few hours brought the following user names, with the likely corresponding real life name in the second column:
Name      | Username
Luo Chun  | luochun
Luo Fa    | luofa
Luo Feng  | luofeng
Luo Hai   | luohai
These names have been added to the full data as well as the 2017-only portion. The log file (2016 and 2017 version or 2017-only data) contains the entries starting at Feb 8 15:26:45 (times are CET local time). It will be interesting to see how long this cycle lasts. Look for updates to the data at irregular but hopefully frequent intervals.
If you are seeing similar activity, I would like to hear from you, in comments or (these most recent attempts all originate in the 49.64.0.0/11 network, range 49.64.0.0 - 49.95.255.255, also known as CHINANET-JS or the CHINANET Jiangsu province network). The previous cycle involved several distinct Chinese networks, and as we all know, stretched over several months of low intensity activity.
Peter,
First, thank you for the blog, the PF tutorials, and The Book of PF. Your work has been most helpful.
Second, I've noticed a different trend in the attacks on my email server.
1. My attackers originate from Ukraine, Romania, and Belize, and not from China, based on IP address/whois information.
2. They attack the SMTP submission port, 587, and not POP3 or IMAP.
3. I typically go days and days without an attack, then I get an attack lasting a few hours from a single IP address.
After noticing this activity in my SMTP logs last year, I added a daily periodic job to find these authentication errors and add them to the email. These appear most obviously in the /var/log/maillog on my FreeBSD mail server. This has been useful in making me aware of the attacks and their relative infrequency.
I presently run my firewall on an OpenBSD machine that acts as my network router. I am working on configuration to enable PF on the mail server itself. I then plan to use a syslog.conf entry to route the authentication failures through a script that will block these attackers in PF after so many auth failures.
I already have a rule on my main firewall to block fast SSH attackers, but I don't worry about slow SSH attacks because I require key pair authentication. It always amuses me all of the log lines from these attacks that will never succeed.
It looks like SMTP and IMAP are the last entry points to my systems that permit password authentication. I plan to add something like a bouncer to keep the bad guys out. With any luck, I'll even blog about it so others can learn from this experience and build on it.
Cheers, and keep up the good work!