Well F You Chinese Hackers

July 2, 2018

Over the past few days a Chinese server, 111.160.216.150, has been persistently trying to connect to my mail server.

However every attempt just results in it splattering up against my firewall. This in itself is completely benign and normally I would just ignore it, but damn skippy, I want to F with them :-)

So what did I do?

Well a couple of things.

At first I automated sending an email to all their WHOIS contacts whenever a connection attempt was made. That would have been neat if not for the fact that none of their WHOIS contacts are real… so I couldn’t mess with them that way.

Instead I wrote a simple SMTP server listening on a bogus port 2025 and created an iptables rule to redirect their traffic to the bogus port.

iptables -t nat -I PREROUTING --src 111.160.216.150 --dst xxx.xxx.xxx.xxx -p tcp --dport 587 -j REDIRECT --to-ports 2025

That ensures their incoming connections get rerouted to the desired location. I also had to allow their IP in via the INPUT chain, but that was pretty simple.

Then I cobbled together an SMTP server in python that had a few peculiar changes.

The first change is based upon the SMTP RFC specification, or should I say, the lack of SMTP RFC specification.

The relevant text is in RFC 2821, section 3.1, Session Initiation, which states:

SMTP server implementations MAY include identification of their software and version information in the connection greeting reply after the 220 code, a practice that permits more efficient isolation and repair of any problems.

Interestingly enough, the important part is that this greeting reply is supposed to include some warm happy text identifying the server and some other book-keeping information. But it doesn’t really have to, does it? Plus the RFC states that the server is in charge of the string lengths… likely thinking that this applies to the INCOMING string lengths, but what about the OUTGOING string lengths?

This is the genesis of my idea.

Why not tack on a little extra text to the 220 response? Say perhaps 3 million copies of the script to Monty Python’s SPAM sketch? That kind of sounds about right.

So the attacking mail server is free to ignore the SPAM I send it, just like I ignore its spam, but every command it tries to send me just gets a 220 Scene: A cafe. One table is occupied by a group of Vikings with horned helmets on… SPAMMITY SPAM SPAM SPAAAAAMMMMM! swatted back at it, repeated 3 million times.

The second SMTP server change was to alter EVERY response to their client with a lot of SPAM SPAM SPAM SPAM SPAM SPAM SPAM SPAM… so should they try to send HELO, I respond with 3 million copies of the SPAM script. If they request to send MAIL, I send another 3 million scripts. And finally if they send QUIT, I send them on their way with again another 3 million SPAM scripts. It is only fitting.
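The SMTP responder described above, written here as an added example and not the post's own script: a socketserver-based listener that sends a padded 220 greeting and then answers every command (HELO, MAIL, QUIT, anything else) with the same padded 220 reply. The sketch stand-in text, the host name mail.example.invalid, the small padding count and the loopback run_exchange client are all constructed for the demonstration; the post itself pads with 3 million copies of the full sketch. The padding is laid out as RFC 5321 continuation lines (220-text … 220 text), which is my choice rather than anything the post specifies.

```python
import socket
import socketserver
import threading

# Constructed stand-in for the sketch text; the post pads its replies with the
# full Monty Python SPAM sketch repeated 3 million times.
SPAM_LINE = "SPAM SPAM SPAM SPAM SPAM SPAM SPAM SPAM"


def build_reply(copies, host="mail.example.invalid"):
    """Build one padded 220 reply.

    RFC 5321 section 4.2.1 lets a reply span several lines: every line but
    the last is 'NNN-text', the last is 'NNN text'.  Each padding copy goes
    on its own continuation line, so the result is still a parseable reply
    that a conforming client has to read to the end.  `copies` is the
    padding count (3 million in the post; small values here so it runs fast).
    """
    lines = [f"220-{host} ESMTP"]
    lines.extend(f"220-{SPAM_LINE}" for _ in range(copies))
    lines.append("220 SPAMMITY SPAM SPAM SPAAAAAMMMMM!")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


class SpamHandler(socketserver.StreamRequestHandler):
    """Answers the greeting and every subsequent command with the same padded 220."""

    def handle(self):
        reply = build_reply(self.server.copies)
        self.wfile.write(reply)                      # connection greeting
        for raw in self.rfile:                       # one SMTP command per line
            cmd = raw.decode("ascii", errors="replace").strip()
            self.server.commands.append(cmd)         # record what the peer sent
            self.wfile.write(reply)                  # HELO, MAIL, QUIT: all get SPAM
            if cmd.upper().startswith("QUIT"):
                break


class SpamServer(socketserver.ThreadingTCPServer):
    """One thread per connection, so a peer that stops reading blocks only itself."""
    allow_reuse_address = True

    def __init__(self, address, copies):
        super().__init__(address, SpamHandler)
        self.copies = copies
        self.commands = []                           # commands seen across connections


def read_reply(stream):
    """Read one complete (possibly multi-line) SMTP reply; returns its lines."""
    lines = []
    while True:
        line = stream.readline().decode("ascii", errors="replace")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] == " ":         # 'NNN ' marks the final line (or EOF)
            return lines


def run_exchange(commands=("HELO probe", "MAIL FROM:<x@example.invalid>", "QUIT"),
                 copies=3):
    """Loopback demo: start the server on an ephemeral port, play a client
    against it and return (replies, commands the server logged)."""
    server = SpamServer(("127.0.0.1", 0), copies)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=5) as sock:
            stream = sock.makefile("rwb")
            replies = [read_reply(stream)]           # greeting
            for cmd in commands:
                stream.write(cmd.encode("ascii") + b"\r\n")
                stream.flush()
                replies.append(read_reply(stream))
    finally:
        server.shutdown()
        server.server_close()                        # joins the handler threads
    return replies, list(server.commands)


if __name__ == "__main__":
    replies, seen = run_exchange()
    for reply in replies:
        print(f"{len(reply)} reply lines, first={reply[0]!r}, last={reply[-1]!r}")
    print("server saw:", seen)
```

To put this behind the post's iptables rule, bind SpamServer(("0.0.0.0", 2025), copies) and call serve_forever(); the NAT REDIRECT applies only to the listed source address, so ordinary submissions on 587 still reach the real MTA. Writing megabytes to a peer that has stopped reading blocks that connection's handler thread, which is why the threading server is used rather than a single-threaded loop.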

While watching the connection attempts I have noticed that the rate of connection has been decreasing over time. It clearly has not stopped the attacks, but it might be having an effect on their server.

If it is, then F Them!

If not, then /shrug, it’s no worse than splattering against the firewall and slightly more amusing.

Well F You Chinese Hackers - July 2, 2018 - darren popham