Password Gropers Hit Peak Stupid, Take the Spamtrap Bait

badger.foo (447981) writes Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: The users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.

Peak Stupid

[wasteoid]

So is trying so hard to coin a phrase like "peak stupid".

Isn't "Peak Stupid" writing about it.

[Chrisq]

The script kiddies are wasting time and resources looking for non existent email addresses. Wouldn't it be better to let them get on with it rather than tell them exactly where a whole list of email addresses that they needn't check can be downloaded?

Re:This guy might be overvaluing his files

[BitZtream]

As if you understand how spam prevention works.

What happened here is that the spammers have turned over the fingerprint of their spam directly to the spam stoppers. By emailing these particular addresses they are directly supplying information that can be used to block spam. They don't need to 'confirm' these messages are spam, THEY ARE SPAM, by definition. They don't need to wait for several people to report them as spam, they don't need to manually inspect them or weight them as 'potentially spam'.

Spam one of these addresses then:
Your host is instantly on a blacklist in most cases.
URLs in the message are ranked as high probability of spam
The message is fingerprinted and added to anti-spam software

All of that without any user actually having to report it as spam, and thats just the simple stuff that happens.

This is EXACTLY WHY this list is online, to catch stupid spammers who aren't careful enough to avoid these addresses.

Its working EXACTLY AS DESIGNED. Hitting just one of these fake addresses can save it from hitting MILLIONS of real addresses.

So before calling someone else stupid, look in the mirror, you're at peak ignorant.

Re:One script kiddie made a mistake

[Noah Haders]

unfortunately, it's unlikely to be "peak stupid." This would imply that stupidity has hit a maximum and things are only going to get less and less stupid as we move forward. Never undervalue humanity's capability to get more and more stupid as time goes on.

although to be fair, you could call the nuclear arms race "peak stupid" because humanity was flirting with destroying all human existence. n00b spammers have no chance of being this stupid, and hopefully we will never be so stupid again.

Re:Don't be silly

[TheCarp]

No that is what nearly all of them do, the only difference is really a disagreement over which is the penstupimate politician.

Re:This guy might be overvaluing his files

[s13g3]

I designed a honeypot built on similar principles at the last data center I worked for, whereby I had at least two different VM's comprising at least two different OS' on each and every subnet on our network.

Using a custom implementation of PSAD and a bunch of PERL, the basic idea was that any time a specific IP (external *or* internal) scanned more than eight ports per IP across two or more subnets, it was unquestionably an illegitimate scan of our network, and the IP originating the scan in question was immediately submitted for null routing, because nobody could possibly have a legitimate reason for doing such a scan.

Port scans from internal IP's, along with those matching other patterns (such as multiple scans within a single subnet or attempting certain exploits/attacks that can be deduced from snort's output in /var/log/messages, like the slammer worm, etc.) were output to a file that was reviewed daily, and could then be fed either in whole or in part(s) to a script that would process the desired actions. Before I knew it, I was blackholing hundreds or even thousands of addresses a day... ~70% of which were from China Telecom, followed immediately by Russia, Brazil, and Moldova, with less than 5% of attacks originating from U.S. or European addresses. The number of compromised customer servers on our network plummeted, along with a corresponding and by-no-means-insignificant dip in network traffic.

What got me started on this project was that, among other things, hackers were scanning our network for Plesk's default admin login port (as Plesk at that time *had* a default admin login and password), and any time they got a response from port 8443 on an IP that previously did not have that port open, they would jump in and root new installs often before the customer ever logged in for the first time. Needless to say, I put an end to that nonsense.

However, calling spammers dumb as others have above is probably a mistake: they can often be fairly smart, but what they really are - usually - is Peak Lazy, and are aiming for low hanging fruit. Eventually, the more sophisticated ones will create or adapt new techniques to defeat - or at least cope with - this particular methodology, and the cat-and-mouse-arms-race game of security will continue on as it always has, with one side or the other evolving new defenses or offenses, and the other evolving an appropriate response. The fact that a particular batch of spammers got caught and will find the emails from their current spam campaigns not reaching their intended audience on this go round will only slow them down for a time on the domains this list covers, but to say the spammers have hit "Peak Stupid" as a result of excessive automation is, in fact, an NP-Dumb analysis.

Re:How fucking stupid are you

[Zeromous]

Mister44, it doesn't matter if it's for mail or for passwords, the result is the same. It is using hacker's automation to automate blacklists. Parent is not wrong, just misstated.